On Wed, May 23, 2018 at 9:26 AM, García Jimeno, Oscar via Public <
[email protected]> wrote:

> Hi, we need to issue a certificate for www.gueñes.eus. According to
> CABForum requirements, the dnsName, if included in the CN, must match the
> SAN of the certificate. Our problem is that according to RFC5280 the
> dnsName in the SAN must be encoded with IA5String, and can’t include
> non-7-bit-ASCII characters (like ‘ñ’). If we encode the CN using UTF-8 (
> www.gueñes.eus) and the SAN using IA5String (www.xn--guees-qta.eus), then
> tools like zlint or https://misissued.com/batch/1/ don’t accept them as
> valid, because they see them as different names (www.gueñes.eus in CN vs
> www.xn--guees-qta.eus in SAN). Shall we issue the CN as
> www.xn--guees-qta.eus like the SAN, or can we have different values
> between CN and SAN?
>
>
>
> Thanks
>
>
>
> *We are .eus!*
>
> that is why my e-mail address is now: [email protected]
>
>
>
> *Oscar García*
>
> *CISSP, CISM*
>
>
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public


There are no known compatibility issues in having the CN match the A-Label
form (that is, xn--).

There are no known display issues in having the CN match the A-Label form
(that is, xn--).

There are known display and compatibility issues in having the CN use the
U-Label form. Notably, Microsoft Windows CryptoAPI is the only API that is
known to translate the U-Label into A-Label. Software which does not
support SAN traditionally expects a byte-for-byte match with the hostname,
which will be presented in its A-Label form.

Unfortunately, some CAs voted against providing this guidance within the
BRs, and thus the ballot (
https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/
) failed. No further details have been provided as to the basis of the
objecting CAs, so the Forum is left with little input as to how to make this
acceptable to them.

The ballot could otherwise be resubmitted unchanged.
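
The CN/SAN comparison discussed in this thread, as an added example that is not part of the original messages or of any CA's or linter's code. The function names are hypothetical, and it assumes Python's built-in `idna` codec (IDNA 2003), which yields the same A-label the thread quotes for this name.

```python
# Added illustration; all helper names are hypothetical.
# Assumption: Python's built-in "idna" codec (IDNA 2003) is adequate for this name.

def to_a_label(hostname: str) -> str:
    """Return the A-label (xn--) form of a hostname, lowercased."""
    return hostname.encode("idna").decode("ascii").lower()


def legacy_cn_match(cn: str, requested_host: str) -> bool:
    """Model a client without SAN support: a byte-for-byte comparison of the
    CN against the hostname, which the client holds in A-label form."""
    return cn.encode("utf-8") == to_a_label(requested_host).encode("ascii")


def check_cert_names(cn: str, san_dns_names: list) -> list:
    """Return findings for a CN / SAN dNSName pair; an empty list means the
    CN literally matches one of the SAN entries."""
    findings = []
    for name in san_dns_names:
        # dNSName is an IA5String, so only 7-bit ASCII can be encoded.
        if not name.isascii():
            findings.append(f"SAN dNSName {name!r} is not encodable as IA5String")
    sans = {n.lower() for n in san_dns_names}
    if cn.lower() in sans:
        return findings
    try:
        converted = to_a_label(cn)
    except UnicodeError:
        converted = None  # CN is not a convertible hostname
    if converted in sans:
        findings.append("CN is a U-label; it matches the SAN only after IDNA conversion")
    else:
        findings.append("CN does not match any SAN dNSName")
    return findings


if __name__ == "__main__":
    u_label = "www.gue\u00f1es.eus"        # U-label form from the thread
    a_label = "www.xn--guees-qta.eus"      # A-label form from the thread
    print(check_cert_names(a_label, [a_label]))
    print(check_cert_names(u_label, [a_label]))
    print(legacy_cn_match(u_label, u_label))
```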