Hello Jakob!

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Jakob Bohm via dev-security-policy
> Sent: Friday, 25 January 2019 18:47
>
> Example, if the subscriber fills out the human readable order form like
> this:
> www.example.com
> chat.example.com
> example.com
> detteerenprøve.example.com
> www.example.net
> example.net
> *.eXample.com
> *.examPle.nEt
> 192.0.2.3
> the best choice is probably CN=*.example.com which is one of the SANs and is
> a wildcard covering the first SAN (www.example.com).
> The BRs do not require a specific choice among the 9 SANs that would go in
> the certificate (all of which must of course be validated).
> The user-entered U-label detteerenprøve.example.com must of course be
> converted to A-label xn--detteerenprve-lnb.example.com
> before checking and encoding.
If a CA receives such a list and creates the CSR for the customer (how does the CA do this without access to the customer's private key?), they of course have to perform an IDNA translation from U-label to A-label. And as we have learned, the BRGs (indirectly) enforce the use of IDNA2003. But if the CA receives a filled-in CSR, they don't perform (not even indirectly) an IDNA translation and have no obligation to check whether the entries are valid IDNA2003 A-labels. And - ceterum censeo - there is no way a CA can tell for sure if xn--gau-7ka.siemens.de is just a weird server name or the IDNA2008 translation of gauß.siemens.de.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
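The U-label to A-label conversion and the xn--gau-7ka.siemens.de ambiguity discussed in this thread, as an added example (Python; this is not code from the thread, from Siemens or from any CA). Python's stdlib `idna` codec implements IDNA2003, i.e. nameprep (which folds ß to ss) followed by Punycode, while Punycode applied without that mapping gives the form IDNA2008 produces for gauß, because IDNA2008 keeps ß as a valid code point. The order-form entries are the ones quoted above; the function names, the verdict strings returned by `classify_alabel` and the treatment of IDNA2008 as "Punycode without mapping, validity rules not checked" are this example's own assumptions. The round-trip check shows what a CA can detect from a CSR (that no U-label maps to xn--gau-7ka under IDNA2003) and what it cannot (whether the subscriber meant an IDNA2008 name or a plain odd hostname).

```python
"""IDNA handling for a certificate order form: U-label -> A-label under
IDNA2003 (the stdlib 'idna' codec) versus Punycode without nameprep mapping
(what IDNA2008 yields for gauß), plus the round-trip check a CA can run on
A-labels found in a CSR.  Added example; the order-form entries below are
constructed from the message quoted in the thread."""
from __future__ import annotations

import ipaddress

ACE_PREFIX = "xn--"

# Constructed input: the human-readable order form quoted in the thread.
ORDER_FORM = [
    "www.example.com", "chat.example.com", "example.com",
    "detteerenprøve.example.com", "www.example.net", "example.net",
    "*.eXample.com", "*.examPle.nEt", "192.0.2.3",
]


def is_ip_literal(name: str) -> bool:
    """IP addresses become iPAddress SANs, not dNSName; never IDNA-encode them."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def to_alabel_idna2003(name: str) -> str:
    """IDNA2003 ToASCII: nameprep (maps ß to ss) then Punycode per label.
    The stdlib codec passes pure-ASCII labels through untouched, so the
    name is lowercased first to get one canonical form."""
    return name.lower().encode("idna").decode("ascii")


def to_alabel_no_mapping(name: str) -> str:
    """Per-label Punycode with no nameprep mapping.  For gauß this equals the
    IDNA2008 A-label, since IDNA2008 does not fold ß.  Assumption: IDNA2008's
    other validity and contextual rules are not checked here."""
    out = []
    for label in name.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def punycode_decode(alabel: str) -> str:
    """Strip the ACE prefix and Punycode-decode each label, with no round-trip check."""
    labels = []
    for label in alabel.split("."):
        if label.startswith(ACE_PREFIX):
            labels.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def classify_alabel(alabel: str) -> tuple[str, str]:
    """Check an A-label that arrived in a CSR.  Returns (verdict, decoded name):
      'ascii'         no ACE labels at all
      'idna2003'      decodes and re-encodes to itself under IDNA2003
      'not-idna2003'  Punycode-decodable, but no U-label maps to it under
                      IDNA2003: either an IDNA2008 A-label or an odd hostname;
                      the CSR alone does not say which
      'not-punycode'  has an xn-- label that is not valid Punycode"""
    alabel = alabel.lower()
    if ACE_PREFIX not in alabel:
        return ("ascii", alabel)
    try:
        # The stdlib ToUnicode re-encodes the decoded label and raises
        # "IDNA does not round-trip" when the result differs (e.g. gauß -> gauss).
        return ("idna2003", alabel.encode("ascii").decode("idna"))
    except UnicodeError:
        pass
    try:
        return ("not-idna2003", punycode_decode(alabel))
    except (UnicodeError, ValueError):
        return ("not-punycode", alabel)


def wildcard_covers(pattern: str, host: str) -> bool:
    """True if a '*.' wildcard SAN covers host (exactly one extra left-most label)."""
    if not pattern.startswith("*."):
        return False
    head, _, rest = host.partition(".")
    return head != "" and "*" not in head and rest == pattern[2:]


def prepare_san_list(entries: list[str]) -> list[tuple[str, str]]:
    """Turn the order form into (SAN type, value) pairs, A-labels under IDNA2003."""
    sans = []
    for entry in entries:
        if is_ip_literal(entry):
            sans.append(("iPAddress", entry))
        else:
            sans.append(("dNSName", to_alabel_idna2003(entry)))
    return sans


if __name__ == "__main__":
    for san in prepare_san_list(ORDER_FORM):
        print(san)
    for a in ("xn--detteerenprve-lnb.example.com", "xn--gau-7ka.siemens.de"):
        print(a, classify_alabel(a))
```

Running it shows the two outcomes side by side: `xn--detteerenprve-lnb.example.com` decodes to detteerenprøve.example.com and re-encodes to itself, so it is a valid IDNA2003 A-label, whereas `xn--gau-7ka.siemens.de` decodes under Punycode to gauß.siemens.de but IDNA2003 would have encoded that name as gauss.siemens.de, so the stdlib codec rejects it and the verdict is 'not-idna2003'. That verdict is as far as a mechanical check on the CSR can go.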
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy