On Sunday, August 6, 2017 at 3:08:32 PM UTC-4, Nick Lamb wrote:
> On Sunday, 6 August 2017 14:10:36 UTC+1, alex....@gmail.com  wrote:
> > - Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding 
> > the SAN
> Note https://bugs.python.org/issue28414

I've followed up on this bug, but it seems like a red herring to me -- if the 
value is in the SAN (as it is required to be!) the value will simply be matched 
from there.

Further, a quick search of crt.sh's DB shows that quite a lot of certs are 
issued with IDNA-encoded CNs:

certwatch=> select count(*) from certificate_identity where name_type = 
'commonName' and lower(name_value) LIKE 'xn--%';

dev-security-policy mailing list

Reply via email to