We are aware of this and are looking into it further.
On 08/10/2017 01:22 PM, Jonathan Rudenberg via dev-security-policy wrote:
> RFC 5280 section 7.2 and the associated IDNA RFC require that
> Internationalized Domain Names are normalized before encoding to punycode.
>
> Let’s Encrypt appears to have issued at least three certificates that have at
> least one dnsName without the proper Unicode normalization applied.
>
> https://crt.sh/?id=187634027&opt=cablint
> https://crt.sh/?id=187628042&opt=cablint
> https://crt.sh/?id=173493962&opt=cablint
>
> It’s also worth noting that RFC 3491 (referenced by RFC 5280 via RFC 3490)
> requires normalization form KC, but RFC 5891 which replaces RFC 3491 requires
> normalization form C. I believe that the BRs and/or RFC 5280 should be
> updated to reference RFC 5890 and by extension RFC 5891 instead.
>
> Jonathan
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

