RFC 5280 section 7.2 and the associated IDNA RFC require that
Internationalized Domain Names are normalized before encoding to punycode.
Let’s Encrypt appears to have issued at least three certificates that have at
least one dnsName without the proper Unicode normalization applied.
It’s also worth noting that RFC 3491 (referenced by RFC 5280 via RFC 3490)
requires normalization form KC, but RFC 5891, which replaces RFC 3491, requires
normalization form C. I believe that the BRs and/or RFC 5280 should be updated
to reference RFC 5890 and by extension RFC 5891 instead.
dev-security-policy mailing list
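As an added illustration (not part of the original post), the following Python check decodes each xn-- label of a dNSName with raw punycode, tests whether the resulting U-label is already in the requested normalization form, and rebuilds the name as it should have been encoded. The sample names are constructed here, not taken from any real certificate; the ligature example shows where NFC and NFKC give different answers.

```python
import unicodedata

# Constructed sample dNSNames (not taken from any real certificate).
# "café" in NFC encodes to the well-known A-label xn--caf-dma; the same word
# spelled with a decomposed e + U+0301 yields a different, non-normalized A-label.
NFC_NAME = "xn--caf-dma.example"
DECOMPOSED_NAME = "xn--" + "cafe\u0301".encode("punycode").decode("ascii") + ".example"
# U+FB01 (the "fi" ligature) survives NFC but is folded to "fi" by NFKC, which is
# exactly where RFC 3491 (form KC) and RFC 5891 (form C) disagree.
LIGATURE_NAME = "xn--" + "\ufb01le".encode("punycode").decode("ascii") + ".example"


def decode_alabel(label: str) -> str:
    """Decode an xn-- A-label with raw punycode (no nameprep), so we see exactly
    the code points the issuer encoded rather than a re-normalized view."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_ulabel(ulabel: str) -> str:
    """Encode a U-label as an A-label; all-ASCII labels need no xn-- prefix."""
    if ulabel.isascii():
        return ulabel
    return "xn--" + ulabel.encode("punycode").decode("ascii")


def unnormalized_labels(dnsname: str, form: str = "NFC") -> list:
    """Return the labels of a dNSName whose decoded U-label is not in `form`."""
    return [
        label
        for label in dnsname.split(".")
        if not unicodedata.is_normalized(form, decode_alabel(label))
    ]


def normalized_dnsname(dnsname: str, form: str = "NFC") -> str:
    """Rebuild the dNSName as it should have been issued: normalize, then encode."""
    return ".".join(
        encode_ulabel(unicodedata.normalize(form, decode_alabel(label)))
        for label in dnsname.split(".")
    )


if __name__ == "__main__":
    for name in (NFC_NAME, DECOMPOSED_NAME, LIGATURE_NAME):
        for form in ("NFC", "NFKC"):
            bad = unnormalized_labels(name, form)
            print(f"{name:28} {form:4} bad={bad} fixed={normalized_dnsname(name, form)}")
```

Running the check against every dNSName in a certificate's subjectAltName is a cheap pre-issuance lint for the defect described above.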