We are aware of this and are looking into it further.
On 08/10/2017 01:22 PM, Jonathan Rudenberg via dev-security-policy wrote:
> RFC 5280 section 7.2 and the associated IDNA RFC require that
> Internationalized Domain Names are normalized before encoding to punycode.
>
> Let’s Encrypt appears to have issued at least three certificates that have at
> least one dnsName without the proper Unicode normalization applied.
>
> It’s also worth noting that RFC 3491 (referenced by RFC 5280 via RFC 3490)
> requires normalization form KC, but RFC 5891 which replaces RFC 3491 requires
> normalization form C. I believe that the BRs and/or RFC 5280 should be
> updated to reference RFC 5890 and by extension RFC 5891 instead.
dev-security-policy mailing list
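
A linting check for the normalization issue raised in the quoted message, as an added example that is not part of the original thread or of any CA's code: it decodes each punycode label of a dnsName and reports labels whose Unicode form is not in normalization form C (RFC 5891) or, separately, not in form KC (RFC 3491). The function names and the sample labels are constructed for illustration; it needs Python 3.8 or later for `unicodedata.is_normalized`.

```python
import unicodedata

ACE_PREFIX = "xn--"


def to_ace(u_label):
    """Build a constructed test input: raw punycode with NO normalization step."""
    return ACE_PREFIX + u_label.encode("punycode").decode("ascii")


def check_dnsname(dns_name):
    """Return [(label, problem)] for punycode labels that are not normalized.

    NFC is what RFC 5891 requires; NFKC is what RFC 3491 required, so a label
    that passes NFC but fails NFKC is reported under its own code.
    """
    findings = []
    for label in dns_name.lower().rstrip(".").split("."):
        if not label.startswith(ACE_PREFIX):
            continue  # plain ASCII or wildcard label: nothing to decode
        try:
            decoded = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            findings.append((label, "invalid-punycode"))
            continue
        if not unicodedata.is_normalized("NFC", decoded):
            findings.append((label, "not-NFC"))
        elif not unicodedata.is_normalized("NFKC", decoded):
            findings.append((label, "NFC-but-not-NFKC"))
    return findings


# Constructed sample labels (not taken from any real certificate).
SAMPLE_NFC = to_ace("caf\u00e9")        # precomposed e-acute: normalized
SAMPLE_NFD = to_ace("cafe\u0301")       # e + combining acute: not NFC
SAMPLE_COMPAT = to_ace("\ufb01le")      # fi ligature: NFC but not NFKC

if __name__ == "__main__":
    for ace in (SAMPLE_NFC, SAMPLE_NFD, SAMPLE_COMPAT):
        name = ace + ".example"
        print(name, check_dnsname(name) or "ok")
```
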