I think the assertion that the commonName has anything to do with what the user would type and expect to see is unsupported by any of the relevant standards, and as Rob noted, having it be different from the SAN strings is not in compliance with the Baseline Requirements. It's also deprecated. If anything, it should cease to exist.
Requiring translation to a U-label by the CA adds a lot of additional complexity with no benefit. What users type and see are issues that are best left to Application Software Suppliers (browsers). -Tim > -----Original Message----- > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> > On Behalf Of Kurt Roeckx via dev-security-policy > Sent: Thursday, January 24, 2019 4:04 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded > international domain names > > On 2019-01-24 9:47, Buschart, Rufus wrote: > > Good morning! > > > > I would like to sharpen my argument from below a little bit: If a CA gets a > request to issue a certificate for the domain xn--gau-7ka.siemens.de, how > can the CA tell, that xn--gau-7ka is a punycode string in IDNA2008 and not > only a very strange server name? At least I don't have a glass bowl to read > the mind of my customers. Therefor I would say, it is perfectly okay to issue > a certificate for xn--gau-7ka.siemens.de as long as you perform a successful > domain validation for xn--gau-7ka.siemens.de. > > Will you fill something in in the commonName? I think what is expected in > the commonName is what the user would type and expect to see, I don't > think the commonName should contain xn--gau-7ka.siemens.de. If you have > a commonName, I would expect that it contains gauß.siemens.de. And if you > create a commonName then, you are required to check that it matches the > xn--gau-7ka.siemens.de in the SAN. > > > Kurt > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://clicktime.symantec.com/36Cdb8NdVuWoSCnRVsmajRE7Vc?u=https > %3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy