On Thu, Aug 10, 2017 at 5:31 PM, Jakob Bohm via dev-security-policy <
> This raises the question if CAs should be responsible for misissued
> domain names, or if they should be allowed to issue certificates to
> actually existing DNS names.
No. It doesn't. That's been addressed several times in the CA/Browser Forum
with other forms of 'invalid' (non-preferred name syntax) domain names,
such as those with underscores.
It's not permitted under RFC 5280, thus, CAs are responsible. Full stop.
> I don't know if the bad punycode encodings are in the 2nd level names (a
> registrar/registry responsibility, both were from 2012 or before) or in
> the 3rd level names (locally created at an unknown date).
> An online utility based on the older RFC349x round trips all of these.
> So if the issue is only compatibility with a newer RFC not referenced from
> the current BRs, these would probably be OK under the current BRs and
> certLint needs to accept them.
No, it's a newer RFC not referenced in RFC 5280, so it's not permitted
under the current BRs.
There's no retroactive immunity.
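The round-trip test the thread refers to, as an added example in Python (not code from the thread, the BRs, or certLint): each ACE label (`xn--...`) is decoded as RFC 3492 Punycode and then re-encoded with the standard library's `idna` codec, which implements RFC 3490 ToASCII, and a label is flagged when the two forms differ. The helper names and the sample labels are constructed for illustration; the lint only covers the RFC 349x (IDNA2003) rules the thread discusses, not IDNA2008.

```python
import codecs

ACE_PREFIX = "xn--"


def label_roundtrips(label: str) -> bool:
    """RFC 3490-style round-trip check for one DNS label.

    A label without the ACE prefix is not an IDN A-label, so it passes
    trivially. For an ACE label, the Punycode payload after 'xn--' is
    decoded (RFC 3492) and the result is run back through ToASCII
    (nameprep + Punycode, via the stdlib 'idna' codec). A well-formed
    A-label must come back byte-for-byte identical (case-folded).
    """
    if not label.lower().startswith(ACE_PREFIX):
        return True
    try:
        payload = label[len(ACE_PREFIX):].encode("ascii")
        # Punycode payloads are ASCII by definition; a non-ASCII byte or an
        # invalid Punycode digit raises here and the label is rejected.
        u_label = codecs.decode(payload, "punycode")
        re_encoded = codecs.encode(u_label, "idna").decode("ascii")
    except ValueError:  # UnicodeError is a ValueError subclass
        return False
    # An ACE label whose decoded form is pure ASCII (e.g. 'xn--abc-')
    # re-encodes without the prefix, so it fails this comparison too.
    return re_encoded == label.lower()


def bad_punycode_labels(dns_name: str) -> list:
    """Return the labels of a dNSName that fail the round-trip check."""
    return [lbl for lbl in dns_name.split(".") if not label_roundtrips(lbl)]


if __name__ == "__main__":
    # Constructed sample names: two valid A-labels, two malformed ones.
    for name in ("www.xn--bcher-kva.example",
                 "xn--abc-.xn--mnchen-3ya.example",
                 "xn--.example"):
        print(name, "->", bad_punycode_labels(name) or "ok")
```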
dev-security-policy mailing list