On Thu, Aug 10, 2017 at 5:31 PM, Jakob Bohm via dev-security-policy <[email protected]> wrote:
>
> This raises the question of whether CAs should be responsible for misissued
> domain names, or if they should be allowed to issue certificates to
> actually existing DNS names.
>

No. It doesn't. That's been addressed several times in the CA/Browser Forum with other forms of 'invalid' (non-preferred name syntax) domain names, such as those with underscores. It's not permitted under RFC 5280; thus, CAs are responsible. Full stop.

> I don't know if the bad punycode encodings are in the 2nd level names (a
> registrar/registry responsibility, both were from 2012 or before) or in
> the 3rd level names (locally created at an unknown date).
>
> An online utility based on the older RFC349x round trips all of these.
> So if the issue is only compatibility with a newer RFC not referenced from
> the current BRs, these would probably be OK under the current BRs and
> certLint needs to accept them.
>

No, it's a newer RFC not referenced in RFC 5280, so it's not permitted under the current BRs. There's no retroactive immunity.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
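As an added illustration (not code from this thread, certlint, or either poster), the two checks the exchange turns on can be reproduced with the Python standard library: the IDNA2003 (RFC 3490/3491/3492) ToUnicode/ToASCII round trip that the "older RFC349x" utility performs, and the RFC 1034 preferred-name-syntax (LDH) rule that rejects underscores. The function names and the sample dNSNames are constructed for this example.

```python
import re

# RFC 1034 preferred name syntax for one label: letters, digits and hyphen,
# no leading or trailing hyphen, at most 63 octets. Underscores fail this.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_label(label: str) -> list[str]:
    """Return the problems found in one dNSName label (empty list = clean)."""
    problems = []
    low = label.lower()  # DNS names are compared case-insensitively
    if not LDH_LABEL.match(low):
        problems.append("not LDH (preferred name syntax)")
    if low.startswith("xn--") and low.isascii():
        try:
            # The stdlib idna codec implements IDNA2003 (RFC 3490/3491/3492).
            # Its ToUnicode step decodes the A-label, re-encodes it with
            # ToASCII and raises UnicodeError when the two differ, which is
            # exactly the "round trip" an IDNA2003 utility performs.
            low.encode("ascii").decode("idna")
        except UnicodeError as exc:
            problems.append(f"A-label fails the IDNA2003 round-trip: {exc}")
    return problems


def check_dnsname(name: str) -> dict[str, list[str]]:
    """Map each offending label of a dNSName to the problems found in it."""
    report = {}
    for label in name.rstrip(".").split("."):
        found = check_label(label)
        if found:
            report[label] = found
    return report


# Constructed sample names; none is taken from a real certificate.
SAMPLES = [
    "www.xn--bcher-kva.example",   # valid A-label for "bücher"
    "xn--foo-.example",            # xn-- prefix on an ASCII-only label
    "xn--bcher-kva1.example",      # truncated/garbled punycode digits
    "_sip.example",                # underscore: not preferred name syntax
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", check_dnsname(name) or "ok")
```

Passing this check only shows the label round-trips under the older IDNA2003 rules; IDNA2008 (RFC 5890 and following) is stricter, so a label accepted here may still be rejected by a linter that applies the newer RFCs.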

