Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-02-04 Thread Wayne Thayer via dev-security-policy
Thanks everyone for your input on this topic. As a result of this discussion, I have concluded that this is not a clear violation of Mozilla policy. I've closed the DFN bug as INVALID, and I am planning to propose a ballot to the CAB Forum to clarify this requirement. - Wayne On Wed, Jan 30,

AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-30 Thread Buschart, Rufus via dev-security-policy
> From: Ryan Sleevi >> On Fri, Jan 25, 2019 at 2:01 PM Buschart, Rufus >> wrote: >>> From: Ryan Sleevi >>> >>> The CA can perform ToASCII(ToUnicode(label)) == label to validate. >> >> Sorry to be picky, but this check only proves that

Re: AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Jakob Bohm via dev-security-policy
On 25/01/2019 19:23, Buschart, Rufus wrote: Hello Jakob! -Original Message- From: dev-security-policy On Behalf Of Jakob Bohm via dev-security-policy Sent: Friday, 25 January 2019 18:47 Example, if the subscriber fills out the human readable order form like this:

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Ryan Sleevi via dev-security-policy
On Fri, Jan 25, 2019 at 2:01 PM Buschart, Rufus wrote: > > From: Ryan Sleevi > > > > The CA can perform ToASCII(ToUnicode(label)) == label to validate. > > Sorry to be picky, but this check only proves that a label is a valid IDNA > label but not that it is _not_ a weird server name. > Picky is

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Peter Bowen via dev-security-policy
On Fri, Jan 25, 2019 at 10:40 AM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I mean, it's using an ACE label. That's where Ballot 202 would have > clarified and required more explicit validation of the ACE labels to > address the SHOULD NOT from

AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Buschart, Rufus via dev-security-policy
> From: Ryan Sleevi > > The CA can perform ToASCII(ToUnicode(label)) == label to validate. Sorry to be picky, but this check only proves that a label is a valid IDNA label but not that it is _not_ a weird server name. With best regards, Rufus Buschart

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Ryan Sleevi via dev-security-policy
On Fri, Jan 25, 2019 at 1:24 PM Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If a CA receives such a list and creates the CSR for the customer (how > does the CA do this without access to the customer's private key?), they have > of course to perform an

AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Buschart, Rufus via dev-security-policy
Hello Jakob! > -Original Message- > From: dev-security-policy On > Behalf Of Jakob Bohm via dev-security-policy > Sent: Friday, 25 January 2019 18:47 > > Example, if the subscriber fills out the human readable order form like > this: >www.example.com >

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Jakob Bohm via dev-security-policy
On 25/01/2019 16:06, Tim Hollebeek wrote: > >> On 2019-01-24 20:19, Tim Hollebeek wrote: >>> I think the assertion that the commonName has anything to do with what >>> the user would type and expect to see is unsupported by any of the >>> relevant standards, and as Rob noted, having it be

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Mirro via dev-security-policy
Application Software > Suppliers (browsers). > > -Tim > > > -Original Message- > > From: dev-security-policy > > On Behalf Of Kurt Roeckx via dev-security-policy > > Sent: Thursday, January 24, 2019 4:04 AM > > To: mozilla-dev-security-pol...@l

RE: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Tim Hollebeek via dev-security-policy
> On 2019-01-24 20:19, Tim Hollebeek wrote: > > I think the assertion that the commonName has anything to do with what > > the user would type and expect to see is unsupported by any of the > > relevant standards, and as Rob noted, having it be different from the > > SAN strings is not in

Re: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Nick Lamb via dev-security-policy
On Thu, 24 Jan 2019 10:04:00 +0100 Kurt Roeckx via dev-security-policy wrote: > Will you fill something in in the commonName? I think what is > expected in the commonName is what the user would type and expect to > see, I don't think the commonName should contain > xn--gau-7ka.siemens.de. If you

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Kurt Roeckx via dev-security-policy
On 2019-01-24 20:19, Tim Hollebeek wrote: I think the assertion that the commonName has anything to do with what the user would type and expect to see is unsupported by any of the relevant standards, and as Rob noted, having it be different from the SAN strings is not in compliance with the

Re: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Wayne Thayer via dev-security-policy
On Thu, Jan 24, 2019 at 8:17 AM Peter Bowen via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I agree with Rufus. There are really two issues here: > > 1) The original reports to the CAs claimed an issue because RFC 5280 > references the original IDNA RFCs (now known as

RE: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Tim Hollebeek via dev-security-policy
curity-policy > On Behalf Of Kurt Roeckx via dev-security-policy > Sent: Thursday, January 24, 2019 4:04 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded > international domain names > > On 2019-01-24

AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Buschart, Rufus via dev-security-policy
Hi Kurt! > -Original Message- > From: dev-security-policy On > Behalf Of Kurt Roeckx via dev-security-policy > I expect all fields in the subject to be things you can just read, so > U-labels. It does not make sense to show users an A-label, they do > not understand what that

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Peter Bowen via dev-security-policy
On Thu, Jan 24, 2019 at 7:36 AM Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2019-01-24 15:41, Rob Stradling wrote: > > > > Here's an example cert containing the A-label in the SAN:dNSName and the > > U-label in the CN. (It was issued by Sectigo, known

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Kurt Roeckx via dev-security-policy
On 2019-01-24 15:41, Rob Stradling wrote: Here's an example cert containing the A-label in the SAN:dNSName and the U-label in the CN. (It was issued by Sectigo, known back then as Comodo CA, before we switched to always putting the A-label in the CN):

Re: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Peter Bowen via dev-security-policy
On Thu, Jan 24, 2019 at 4:17 AM Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hello > > > -Original Message- > > From: Hanno Böck > > Sent: Thursday, 24 January 2019 12:36 > > > > On Thu, 24 Jan 2019 11:14:11 + Buschart, Rufus

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Rob Stradling via dev-security-policy
On 24/01/2019 14:09, Kurt Roeckx via dev-security-policy wrote: > On 2019-01-24 12:08, Rob Stradling wrote: >> >> Hi Kurt. >> >> BRs 7.1.4.2.2 says that the subject:commonName "MUST contain a single IP >> address or Fully-Qualified Domain Name that is one of the values >> contained in the

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Kurt Roeckx via dev-security-policy
On 2019-01-24 12:08, Rob Stradling wrote: Hi Kurt. BRs 7.1.4.2.2 says that the subject:commonName "MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1)." Fitting the U-label

AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Buschart, Rufus via dev-security-policy
Hello > -Original Message- > From: Hanno Böck > Sent: Thursday, 24 January 2019 12:36 > > On Thu, 24 Jan 2019 11:14:11 + > "Buschart, Rufus via dev-security-policy" > wrote: > > > You are right, of course there are mandatory RFCs to take into account. > > But there is -

Re: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Hanno Böck via dev-security-policy
On Thu, 24 Jan 2019 11:14:11 + "Buschart, Rufus via dev-security-policy" wrote: > You are right, of course there are mandatory RFCs to take into > account. But there is - to my knowledge - no RFC that says you MUST > NOT issue a certificate to a domain that could be interpreted as an >

AW: AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Buschart, Rufus via dev-security-policy
> > > >> -----Original Message----- > >> From: Dimitris Zacharopoulos > >> Sent: Thursday, 24 January 2019 11:16 > >> To: Buschart, Rufus (GS IT HR 7 4) ; > >> mozilla-dev-security-pol...@lists.mozilla.org > >> Betre

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Rob Stradling via dev-security-policy
On 24/01/2019 09:04, Kurt Roeckx via dev-security-policy wrote: > On 2019-01-24 9:47, Buschart, Rufus wrote: >> Good morning! >> >> I would like to sharpen my argument from below a little bit: If a CA >> gets a request to issue a certificate for the domain >> xn--gau-7ka.siemens.de, how can the

Re: AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Dimitris Zacharopoulos via dev-security-policy
haropoulos Sent: Thursday, 24 January 2019 11:16 To: Buschart, Rufus (GS IT HR 7 4) ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names On 24/1/2019 10:47 a.m., Buschart, Rufus via dev-security-policy wr

AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Buschart, Rufus via dev-security-policy
, 24 January 2019 10:04 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international > domain names > > On 2019-01-24 9:47, Buschart, Rufus wrote: > > Good morning! > > > > I would like to sharpen

AW: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Buschart, Rufus via dev-security-policy
> -Original Message- > From: Dimitris Zacharopoulos > Sent: Thursday, 24 January 2019 11:16 > To: Buschart, Rufus (GS IT HR 7 4) ; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international > domain names

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Dimitris Zacharopoulos via dev-security-policy
policy On Behalf Of Buschart, Rufus via dev-security-policy Sent: Wednesday, 23 January 2019 20:24 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names Hello! From: Servercert-wg <mailto:servercert-wg-boun...

Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Kurt Roeckx via dev-security-policy
On 2019-01-24 9:47, Buschart, Rufus wrote: Good morning! I would like to sharpen my argument from below a little bit: If a CA gets a request to issue a certificate for the domain xn--gau-7ka.siemens.de, how can the CA tell that xn--gau-7ka is a punycode string in IDNA2008 and not only a

AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-24 Thread Buschart, Rufus via dev-security-policy

AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-23 Thread Buschart, Rufus via dev-security-policy
> -Original Message- > From: dev-security-policy On > Behalf Of Jürgen Brauckmann

Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-23 Thread Jürgen Brauckmann via dev-security-policy
We received a report about non-IDNA2003 encoded international domain names. 4 certificates were affected and have been revoked by now. Details can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1522080 Please also take note of the ongoing discussion regarding this topic in the CA/B