On Sunday, August 6, 2017 at 3:08:32 PM UTC-4, Nick Lamb wrote:
> On Sunday, 6 August 2017 14:10:36 UTC+1, alex....@gmail.com wrote:
> > - Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding
> > the SAN
>
> Note https://bugs.python.org/issue28414

I've followed up on this bug, but it seems like a red herring to me -- if the value is in the SAN (as it is required to be!) the value will simply be matched from there.

Further, a quick search of crt.sh's DB shows that quite a lot of certs are issued with IDNA-encoded CNs:

certwatch=> select count(*) from certificate_identity where name_type = 'commonName' and lower(name_value) LIKE 'xn--%';
 count
--------
 242943

Alex
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
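
Added example, not part of the original message or of any project's code: a minimal SAN-first hostname check showing why the CN's encoding does not affect matching when the name is present in the SAN. check_hostname() and its helpers are hypothetical, and the certificates are constructed dicts in the shape ssl.SSLSocket.getpeercert() returns.

```python
# Added example, not from the thread. Certificates are constructed dicts in the
# shape returned by ssl.SSLSocket.getpeercert(); check_hostname() is hypothetical.

def to_a_label(hostname):
    """Normalise a reference hostname to its lowercase IDNA A-label form."""
    return hostname.rstrip(".").encode("idna").decode("ascii").lower()

def dns_match(pattern, ref):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p, r = pattern.lower().rstrip(".").split("."), ref.split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == r[1:]
    return p == r

def check_hostname(cert, hostname):
    """Return (matched, field). CN is consulted only if no dNSName SAN exists."""
    ref = to_a_label(hostname)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(dns_match(s, ref) for s in sans), "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    # Legacy fallback: the CN is compared as issued, with no IDNA conversion.
    return any(dns_match(cn, ref) for cn in cns), "commonName"

U_LABEL = "b\u00fccher.example"      # constructed sample name (U-label form)
A_LABEL = "xn--bcher-kva.example"    # the same name, IDNA-encoded

# Constructed cert: CN left un-encoded, SAN correctly IDNA-encoded.
CERT_RAW_CN = {"subject": ((("commonName", U_LABEL),),),
               "subjectAltName": (("DNS", A_LABEL),)}
# Constructed cert: CN and SAN both IDNA-encoded.
CERT_IDNA_CN = {"subject": ((("commonName", A_LABEL),),),
                "subjectAltName": (("DNS", A_LABEL),)}
# Constructed cert with no SAN: only here does the CN's encoding decide the result.
CERT_CN_ONLY = {"subject": ((("commonName", U_LABEL),),)}

if __name__ == "__main__":
    for name, cert in [("raw CN + SAN", CERT_RAW_CN),
                       ("IDNA CN + SAN", CERT_IDNA_CN),
                       ("raw CN only", CERT_CN_ONLY)]:
        print(name, check_hostname(cert, U_LABEL))
```
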