On 10/08/2017 22:22, Jonathan Rudenberg wrote:
> RFC 5280 section 7.2 and the associated IDNA RFC requires that
> Internationalized Domain Names are normalized before encoding to punycode.
> Let’s Encrypt appears to have issued at least three certificates that have at
> least one dnsName without the proper Unicode normalization applied.
> It’s also worth noting that RFC 3491 (referenced by RFC 5280 via RFC 3490)
> requires normalization form KC, but RFC 5891 which replaces RFC 3491 requires
> normalization form C. I believe that the BRs and/or RFC 5280 should be updated
> to reference RFC 5890 and by extension RFC 5891 instead.
All 3 dnsName values exist in the DNS and point to the same server (IP
address). Whois says that the two second level names are both registered
to OOO "JilfondService".
This raises the question of whether CAs should be responsible for misissued
domain names, or if they should be allowed to issue certificates to
actually existing DNS names.
I don't know if the bad punycode encodings are in the 2nd level names (a
registrar/registry responsibility, both were from 2012 or before) or in
the 3rd level names (locally created at an unknown date).
An online utility based on the older RFC349x round trips all of these.
So if the issue is only compatibility with a newer RFC not referenced
from the current BRs, these would probably be OK under the current BRs
and certLint needs to accept them.
Note: The DNS names are:
Or broken down into DNS labels:
Second level domains, registrar is currently RUCENTER-RF
Third level domains, subscriber responsibility:
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list
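The check the thread is arguing about, written out as an added example (not code from the list, from Let's Encrypt or from certLint): each dnsName label is decoded from its A-label, tested for NFC (RFC 5891) and NFKC (RFC 3491), and re-encoded with Python's stdlib IDNA2003 (RFC 349x) ToASCII to see whether it round-trips the way the older online utility does. The sample names are constructed, not the ones from the certificates.

```python
import codecs
import unicodedata
from encodings import idna  # stdlib IDNA2003 (RFC 3490/3491) ToASCII: nameprep + punycode


def a_label(ulabel: str) -> str:
    """Punycode-encode a U-label WITHOUT normalizing it first (how such a name arises)."""
    return "xn--" + codecs.encode(ulabel, "punycode").decode("ascii")


def u_label(label: str) -> str:
    """Decode an A-label back to its U-label; plain ASCII labels are returned unchanged."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def lint_dnsname(name: str) -> list:
    """Per-label findings for one dnsName.

    nfc:  decoded U-label is in normalization form C  (RFC 5891)
    nfkc: decoded U-label is in normalization form KC (RFC 3491)
    rfc349x_roundtrip: IDNA2003 ToASCII (nameprep applies NFKC, then
        punycode) of the U-label yields the label we started from
    """
    findings = []
    for label in name.rstrip(".").split("."):
        u = u_label(label)
        try:
            roundtrip = idna.ToASCII(u).decode("ascii").lower() == label.lower()
        except UnicodeError:  # prohibited code points, empty or over-long label
            roundtrip = False
        findings.append({
            "label": label,
            "nfc": unicodedata.normalize("NFC", u) == u,
            "nfkc": unicodedata.normalize("NFKC", u) == u,
            "rfc349x_roundtrip": roundtrip,
        })
    return findings


# Constructed sample names (not the names from the thread):
GOOD = a_label("caf\u00e9") + ".example"         # composed e-acute: passes everything
DECOMPOSED = a_label("cafe\u0301") + ".example"  # e + combining acute: not NFC, no round trip
LIGATURE = a_label("\ufb01nance") + ".example"   # U+FB01 'fi': NFC but not NFKC, no round trip

if __name__ == "__main__":
    for name in (GOOD, DECOMPOSED, LIGATURE):
        for finding in lint_dnsname(name):
            print(name, finding)
```

A name that fails only the NFKC column is exactly the case where the RFC 3491 and RFC 5891 requirements disagree; the round-trip column shows why an RFC 349x-based tool would still accept the unnormalized encodings.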