RFC 5280 section 7.2 and the associated IDNA RFC requires that Internationalized Domain Names are normalized before encoding to punycode.
Let’s Encrypt appears to have issued at least three certificates that have at least one dnsName without the proper Unicode normalization applied. https://crt.sh/?id=187634027&opt=cablint https://crt.sh/?id=187628042&opt=cablint https://crt.sh/?id=173493962&opt=cablint It’s also worth noting that RFC 3491 (referenced by RFC 5280 via RFC 3490) requires normalization form KC, but RFC 5891 which replaces RFC 3491 requires normalization form C. I believe that the BRs and/or RFC 5280 should be updated to reference RFC 5890 and by extension RFC 5891 instead. Jonathan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy