This came up on m.d.s.p. today:

I haven't dug in deeply, but it sounds like we handle IDNs in CNs and SANs 

I think we should look for a way to solve that specific problem, without biting 
off the whole thing -- one solution would be to simply drop support for CNs in 
match_hostname, as both Chrome and Firefox have already done :-)


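As an added illustration (not code from the poster or from CPython's ssl module), the function below shows what SAN-only matching in the shape of `ssl.match_hostname()` looks like: it accepts `getpeercert()`-style dictionaries, converts the requested host to its A-label form before comparing it with `dNSName` entries, matches `iPAddress` entries for IP literals, and never consults the subject's commonName, so a certificate whose only name is in the CN is rejected. The certificate dictionaries and the names in them are constructed for the demonstration; the wildcard rules are the conservative ones from RFC 6125 (a wildcard only as the entire left-most label).

```python
import ipaddress


class CertificateError(ValueError):
    """Raised when no subjectAltName entry matches the requested host."""


def _to_alabel(hostname):
    """Convert a hostname to lower-case ASCII (A-label) form. dNSName entries
    in certificates are A-labels, so a U-label such as 'bücher.example' has
    to be converted before comparison ('bücher' -> 'xn--bcher-kva')."""
    hostname = hostname.rstrip(".")
    try:
        return hostname.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise CertificateError("hostname %r is not valid IDNA" % hostname) from exc


def _dnsname_match(dn, hostname):
    """Match one dNSName against an A-label hostname, label by label and
    case-insensitively. A wildcard is honoured only as the entire left-most
    label and only when at least two labels follow it, so '*.example.org'
    matches 'www.example.org' but neither 'example.org' nor 'a.b.example.org';
    partial wildcards such as 'www*.example.org' never match."""
    if not dn:
        return False
    labels = dn.lower().split(".")
    leftmost, remainder = labels[0], labels[1:]
    if leftmost == "*":
        if len(labels) < 3:
            return False
        host_labels = hostname.split(".")
        return len(host_labels) == len(labels) and host_labels[1:] == remainder
    if "*" in dn:
        return False
    return dn.lower() == hostname


def match_hostname_san_only(cert, hostname):
    """Accept `cert` for `hostname` only if a subjectAltName entry matches.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): a dict with
    a 'subjectAltName' tuple of (type, value) pairs and a 'subject' tuple of
    RDNs. The commonName in 'subject' is deliberately never consulted.
    """
    if not cert:
        raise CertificateError("empty or no certificate")
    host = None
    try:
        host_ip = ipaddress.ip_address(hostname)  # IP literal: compare iPAddress entries only
    except ValueError:
        host_ip = None
        host = _to_alabel(hostname)               # DNS name: compare dNSName entries only
    tried = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and host_ip is None:
            if _dnsname_match(value, host):
                return
            tried.append(value)
        elif kind == "IP Address" and host_ip is not None:
            try:
                if ipaddress.ip_address(value.strip()) == host_ip:
                    return
            except ValueError:
                pass  # malformed iPAddress entry counts as a non-match, never as a match
            tried.append(value)
    # No commonName fallback here: a certificate that names the host only in
    # its subject CN is rejected, which is what Chrome and Firefox already do.
    if tried:
        raise CertificateError("hostname %r doesn't match %s"
                               % (hostname, ", ".join(repr(t) for t in tried)))
    raise CertificateError("no appropriate subjectAltName field found")


# Constructed certificates shaped like getpeercert() output (not real certs).
CERT_WITH_SAN = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (
        ("DNS", "xn--bcher-kva.example"),
        ("DNS", "*.example.org"),
        ("IP Address", "2001:db8::1"),
    ),
}
CERT_CN_ONLY = {  # the only name is a U-label in the CN; no SAN extension at all
    "subject": ((("commonName", "bücher.example"),),),
}


def accepts(cert, hostname):
    """True if match_hostname_san_only() accepts the pair, False if it rejects it."""
    try:
        match_hostname_san_only(cert, hostname)
        return True
    except CertificateError:
        return False


if __name__ == "__main__":
    for host in ("bücher.example", "www.example.org", "example.org", "2001:DB8::1"):
        print("%-16s -> %s" % (host, "accepted" if accepts(CERT_WITH_SAN, host) else "rejected"))
    print("CN-only cert for bücher.example ->",
          "accepted" if accepts(CERT_CN_ONLY, "bücher.example") else "rejected")
```

Note that `example.org` is rejected against `CERT_WITH_SAN` even though it is the certificate's CN: the wildcard `*.example.org` does not cover the bare domain, and without the CN fallback there is nothing else to match.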