On 2019-01-24 9:47, Buschart, Rufus wrote:
> Good morning!
> I would like to sharpen my argument from below a little bit: If a CA gets a
> request to issue a certificate for the domain xn--gau-7ka.siemens.de, how can
> the CA tell that xn--gau-7ka is a punycode string in IDNA2008 and not only a
> very strange server name? At least I don't have a glass bowl to read the mind
> of my customers. Therefore I would say, it is perfectly okay to issue a
> certificate for xn--gau-7ka.siemens.de as long as you perform a successful
> domain validation for xn--gau-7ka.siemens.de.
Will you fill something in in the commonName? I think what is expected
in the commonName is what the user would type and expect to see, I don't
think the commonName should contain xn--gau-7ka.siemens.de. If you have
a commonName, I would expect that it contains gauß.siemens.de. And if
you create a commonName then, you are required to check that it matches
the xn--gau-7ka.siemens.de in the SAN.
Kurt
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
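The consistency check Kurt describes, converting the commonName to A-labels and requiring it to match a SAN dNSName, as an added Python example that is not code from this thread. It uses the stdlib punycode codec per label (an IDNA2008-style conversion that keeps ß) rather than Python's `idna` codec, which implements IDNA2003 and would fold ß to ss; the function names are my own.

```python
import unicodedata


def to_a_label(label: str) -> str:
    """Return the ASCII form (A-label) of one DNS label for comparison.

    ASCII labels are lower-cased. Non-ASCII labels are NFC-normalised,
    lower-cased and punycode-encoded with the xn-- prefix. No IDNA2003
    nameprep mapping is applied, so 'gauß' stays 'gauß' (-> xn--gau-7ka).
    """
    label = unicodedata.normalize("NFC", label).lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_u_label(label: str) -> str:
    """Inverse of to_a_label: decode an xn-- label back to its Unicode form."""
    lowered = label.lower()
    if lowered.startswith("xn--"):
        return lowered[4:].encode("ascii").decode("punycode")
    return lowered


def to_ascii_name(name: str) -> str:
    return ".".join(to_a_label(part) for part in name.split("."))


def to_unicode_name(name: str) -> str:
    return ".".join(to_u_label(part) for part in name.split("."))


def is_valid_a_label(label: str) -> bool:
    """True if an xn-- label decodes and re-encodes to itself (round-trips).

    This rejects garbage that merely starts with xn--; it cannot tell whether
    the decoded name is the one the requester actually meant.
    """
    try:
        return to_a_label(to_u_label(label)) == label.lower()
    except UnicodeError:
        return False


def common_name_matches_san(common_name: str, san_dns_names: list[str]) -> bool:
    """True if the CN, converted to A-labels, equals some SAN dNSName entry."""
    wanted = to_ascii_name(common_name)
    return any(to_ascii_name(san) == wanted for san in san_dns_names)
```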