Hello Jakob!

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
> behalf of Jakob Bohm via dev-security-policy
> Sent: Friday, 25 January 2019 18:47
> 
> Example, if the subscriber fills out the human readable order form like
> this:
>    www.example.com
>    chat.example.com
>    example.com
>    detteerenprøve.example.com
>    www.example.net
>    example.net
>    *.eXample.com
>    *.examPle.nEt
>    192.0.2.3
> the best choice is probably CN=*.example.com which is one of the SANs and is 
> a wildcard covering the first SAN (www.example.com).
> The BRs do not require a specific choice among the 9 SANs that would go in 
> the certificate (all of which must of course be validated).
> The user-entered U-label detteerenprøve.example.com must of course be 
> converted to A-label xn--detteerenprve-lnb.example.com
> before checking and encoding.

If a CA receives such a list and creates the CSR for the customer (how does the 
CA do this without access to the customer's private key?), they of course have to 
perform an IDNA translation from U-label to A-label. And as we have learned, the 
BRGs (indirectly) enforce the use of IDNA2003. But if the CA receives a filled-in 
CSR, they don't perform (not even indirectly) an IDNA translation and have no 
obligation to check if the entries are valid IDNA2003 A-labels.

And - ceterum censeo - there is no way a CA can tell for sure if 
xn--gau-7ka.siemens.de is just a weird server name or the IDNA2008 translation 
of gauß.siemens.de.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany 
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
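Added illustration, not part of the thread: Python's standard-library `idna` codec implements IDNA2003 (RFC 3490 with nameprep), so it reproduces the U-label to A-label conversion discussed above, and it shows why an A-label such as xn--gau-7ka cannot be attributed to a U-label with certainty. The helper names (`to_a_label_idna2003`, `classify_a_label`) are invented for this example.

```python
import codecs

def to_a_label_idna2003(name: str) -> str:
    """IDNA2003 ToASCII for each label of a DNS name (order-form entry).

    Labels are lowercased first because DNS is case-insensitive; a bare
    wildcard label '*' is kept verbatim since it is not an IDNA label.
    Under IDNA2003 nameprep, U+00DF (sharp s) is case-folded to 'ss'.
    """
    out = []
    for lab in name.split("."):
        if lab == "*":
            out.append(lab)
        else:
            out.append(lab.lower().encode("idna").decode("ascii"))
    return ".".join(out)

def classify_a_label(label: str) -> str:
    """Describe how an ASCII label received in a CSR relates to IDNA2003.

    'plain'     - no xn-- prefix, an ordinary hostname label
    'idna2003'  - punycode-decodes and round-trips under IDNA2003
    'ambiguous' - decodes via punycode but does not round-trip under
                  IDNA2003: either an IDNA2008 A-label (e.g. one
                  containing a sharp s) or simply an odd ASCII name.
                  The label alone does not say which.
    """
    if not label.lower().startswith("xn--"):
        return "plain"
    try:
        u_label = codecs.decode(label[4:].encode("ascii"), "punycode")
    except UnicodeError:
        return "ambiguous"  # not even valid punycode
    if u_label.encode("idna").decode("ascii").lower() == label.lower():
        return "idna2003"
    return "ambiguous"

if __name__ == "__main__":
    # Constructed inputs taken from the names quoted in the thread.
    for entry in ["detteerenprøve.example.com", "*.eXample.com", "gauß.siemens.de"]:
        print(entry, "->", to_a_label_idna2003(entry))
    for lab in ["www", "xn--detteerenprve-lnb", "xn--gau-7ka"]:
        print(lab, "->", classify_a_label(lab))
```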
