On Fri, Jan 25, 2019 at 1:24 PM Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> If a CA receives such a list and creates the CSR for the customer (how
> does the CA do this without access to the customer's private key?), they have
> of course to perform an IDNA translation from U-label to A-label. And as we
> have learned, the BRGs (indirectly) enforce the use of IDNA2003. But if the
> CA receives a filled-in CSR, they don't perform (not even indirectly) an
> IDNA translation and have no obligation to check if the entries are valid
> IDNA2003 A-labels.
>
> And - ceterum censeo - there is no way a CA can tell for sure if
> xn--gau-7ka.siemens.de is just a weird server name or the IDNA2008
> translation of gauß.siemens.de.

I mean, it's using an ACE label. That's where Ballot 202 would have clarified and required more explicit validation of the ACE labels to address the SHOULD NOT from https://tools.ietf.org/html/rfc3490#section-5 to a MUST NOT. The CA can perform ToASCII(ToUnicode(label)) == label to validate.
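The round-trip check proposed above, as an added example that is not part of the original thread: it uses Python's standard `idna` codec (RFC 3490/3491, IDNA2003 with Nameprep) as ToASCII and a Punycode decode of the part after `xn--` as ToUnicode, then compares the result with the label a CA found in a CSR. The function names and the hostnames other than xn--gau-7ka.siemens.de are constructed for the example.

```python
"""Round-trip validation of ACE (xn--) labels under IDNA2003.

Added example, not code from the thread. The standard 'idna' codec
implements RFC 3490 ToASCII (Nameprep + Punycode), so a label that
is not a valid IDNA2003 A-label will not re-encode to itself.
"""
import encodings.idna  # noqa: F401  registers the 'idna' and 'punycode' codecs

ACE_PREFIX = "xn--"


def ace_label_roundtrips(label: str) -> tuple[bool, str, str]:
    """Return (ok, unicode_form, reencoded_form) for one ACE label.

    ToUnicode: Punycode-decode the text after the ACE prefix.
    ToASCII:   IDNA2003 encoder, which applies Nameprep first
               (e.g. it maps U+00DF 'ß' to 'ss').
    ok is True only when ToASCII(ToUnicode(label)) == label.
    """
    if not label.lower().startswith(ACE_PREFIX):
        raise ValueError(f"not an ACE label: {label!r}")
    try:
        u_label = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        reencoded = u_label.encode("idna").decode("ascii")
    except UnicodeError:
        # Malformed Punycode, or a string Nameprep rejects: fail closed.
        return False, "", ""
    return reencoded.lower() == label.lower(), u_label, reencoded


def invalid_ace_labels(dns_name: str) -> list[str]:
    """Return the ACE labels of a dNSName that fail the round trip."""
    return [
        lbl for lbl in dns_name.split(".")
        if lbl.lower().startswith(ACE_PREFIX) and not ace_label_roundtrips(lbl)[0]
    ]


if __name__ == "__main__":
    # xn--gau-7ka is the IDNA2008 form of 'gauß'; under IDNA2003 'ß'
    # becomes 'ss', so the label does not round-trip and must be rejected.
    for name in ("xn--gau-7ka.siemens.de", "xn--mnchen-3ya.example.com"):
        bad = invalid_ace_labels(name)
        print(f"{name}: {'REJECT ' + str(bad) if bad else 'ok'}")
```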