Thanks everyone for your input on this topic. As a result of this discussion, I have concluded that this is not a clear violation of Mozilla policy. I've closed the DFN bug as INVALID, and I am planning to propose a ballot to the CAB Forum to clarify this requirement.
- Wayne On Wed, Jan 30, 2019 at 8:11 AM Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Von: Ryan Sleevi <r...@sleevi.com> > >> On Fri, Jan 25, 2019 at 2:01 PM Buschart, Rufus <mailto: > rufus.busch...@siemens.com> wrote: > >>> Von: Ryan Sleevi <mailto:r...@sleevi.com> > >>> > >>> The CA can perform ToASCII(ToUnicode(label)) == label to validate. > >> > >> Sorry to be picky, but this check only proofs that a label is a valid > IDNA label but not that it is _not_ a weird server name. > > > > Picky is good! Obviously I'm very picky ;) > > > > What's not clear to me is why that distinction is relevant, particularly > on the validation side of things. IDNA-aware software will, > > by virtue of being IDNA-aware, treat it as an A-label if it's a valid > ACE label with the ACE prefix, and, correspondingly, transform > > into a U-Label if they see it as appropriate. From the discussion you > were having with Jakob, it's not clear the relevance of that > > point about 'weird hostname' vs 'U-label' - perhaps I missed something? > > At the end, it all comes down to the question, whether a CA software has > to be IDNA aware or not. This question can be divided in two separate > sub-questions: > > 1) MUST a CA software be IDNA aware? > 2) SHOULD a CA software be IDNA aware? > > Regarding 1: Ballot 202 wanted to make IDNA awareness a strict requirement > for any CA. Ballot 202 failed, therefor it should be clear, that a CA can > choose whether to be IDNA aware or not. > Regarding 2: Due to bullet 1 this is a business decision of any CA and I > believe there are good reasons simply to be ignorant towards IDNA naming > syntax, because you can't tell if this is just a weird host name or an > A-label. > > ==> As a conclusion I believe any bug that was opened due to the issuance > of certificates that include hostnames which could be read as an A-label > should be rejected, as long as the A-label was validated (and all other > rules of the BRGs, etc. are followed). > > /Rufus > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy