On 02/21/2009 11:19 PM, Paul Hoffman:
>> I don't see how the attack could have been done without wildcards. CA
>> guidelines say that certificates should not be issued with homographic
>> characters that might cause confusion
>
> They do? Where?

Some CA policies do. I can't recall right now, but EV might address that
as well.

>> The attack here takes place entirely within
>> the wildcard portion of the domain because that's the portion the CA can't
>> verify when they issue the certificate.
>
> That's true whether or not it is an IDNA label.

Yup.
>> I believe that Unicode Technical Report #36 addresses this.
>
> UTR #36 is not a CA guideline, it is a guideline that some CAs might
> read and implement. I know of none that have. Does anyone here know
> which CAs, if any, do any filtering based on IDNA labels in requested certs?
>
You don't like that I mention particular CAs, but the one I'm affiliated
with does to some extent. ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
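The thread's point is that the label under a wildcard is the one part of the name the CA never sees at issuance, so any homograph or mixed-script check on it has to happen where the hostname is matched against the certificate. The following is an added example, not code from the thread or from any CA: it matches a hostname against a `*.` name, isolates the label the wildcard absorbed, decodes it if it is an IDNA A-label, and flags mixed scripts using a Unicode-name heuristic that only approximates the UTR #36 test. Function names and the sample hostname are assumptions for illustration.

```python
import unicodedata

def wildcard_consumed_label(pattern: str, hostname: str):
    """Return the leftmost label that a '*.' wildcard in `pattern` absorbs
    when `hostname` matches, or None on no match. Follows the RFC 6125 rule
    that the wildcard covers exactly one label (no partial wildcards)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return None
    suffix = p[1:]                       # ".example.com"
    if not h.endswith(suffix):
        return None
    label = h[:-len(suffix)]
    return label if label and "." not in label else None

def label_scripts(label: str) -> set:
    """Heuristic script classification: first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...); digits and '-' are neutral.
    This approximates the UTR #36 mixed-script test, it does not implement it."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "UNKNOWN")
        if ch == "-" or name.startswith("DIGIT"):
            continue
        scripts.add(name.split()[0])
    return scripts

def check_wildcard_label(pattern: str, hostname: str) -> dict:
    """Match `hostname` against a wildcard SAN and inspect the one label the
    CA never saw at issuance. Returns {'matched', 'label', 'suspicious', 'reason'}."""
    label = wildcard_consumed_label(pattern, hostname)
    if label is None:
        return {"matched": False, "label": None, "suspicious": False, "reason": "no match"}
    decoded = label
    if label.startswith("xn--"):          # A-label: decode to the U-label it displays as
        try:
            decoded = label.encode("ascii").decode("idna")
        except UnicodeError:
            return {"matched": True, "label": label, "suspicious": True,
                    "reason": "A-label does not decode"}
    scripts = label_scripts(decoded)
    if len(scripts) > 1:
        reason = "mixed scripts: " + ", ".join(sorted(scripts))
    elif any(not c.isalnum() and c != "-" for c in decoded):
        reason = "non-alphanumeric character in label"
    else:
        reason = "ok"
    return {"matched": True, "label": decoded, "suspicious": reason != "ok",
            "reason": reason}
```

Running `check_wildcard_label("*.example.com", "xn--pple-43d.example.com")` on the constructed sample (an A-label whose U-label is Cyrillic "а" followed by Latin "pple") reports a match that is flagged as mixed-script, while plain "www.example.com" passes.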