Hi Kurt! > -----Ursprüngliche Nachricht----- > Von: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> Im > Auftrag von Kurt Roeckx via dev-security-policy > I expect all fields in the subject to be things you can just read, so > U-labels. It does not make sense to show users an A-label, they do > not understand what that means.
Normally the content of a certificate is not shown to the end user at all. The end user sees the address bar of the browser. In the address bar of the browser the U-label is shown. Then the browser makes the translation from the U-label to the A-label, either using IDNA2003 or IDNA2008. We should check the behavior of SSH clients but how many SSH client users are there compared to browser users? > The fields in a subject allows writing things in Unicode, there is no reason > not to use it. Sure it allows it, but as long as the CA doesn't permits it, the CA doesn't have to do any conversion from U-label to A-label at all. > The A-label is > really just an technical thing related to DNS, and so only belongs in places > where for technical reasons you need to use it. Like the CN, as nobody non-technical ever sees the CN. > If you want > to show them rfc5280 says you "should" convert them to Unicode. For fields > where you can write Unicode, there really isn't a reason > to not put the Unicode in it directly. > > So in my opinion, the CN would be "gauß.siemens.de", and the SAN would be > "xn--gau-7ka.siemens.de". They might add some > alternatives like gauss.siemens.de to the SAN, and you can then also use that > as CN. (But I think they should stop using that ss for ß, > and really use gauß.) I agree, that if a CA issues a certificate with the CN "gauß.siemens.de" the CA has to perform a conversion acc. IDNA2003 for all checks, but if the CA only issues the CN "xn--gau-7ka.siemens.de" they don't have to care if this is IDNA2003 or IDNA2008. > > I think that if you want to force the use of A-labels in the CN field that > you should really update RFC5280 and X.520, so that IA5String is > the only option in CN. But that just doesn't make any sense. I don't want to force anybody not to use Unicode in the CN, but I want to make clear, that if a CA only allows CNs that follow RFC 1034, chapter 3.5, they don't have to care about compliance with IDNA2008 / IDNA2003. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy