Re: Certificates with improperly normalized IDNs

2018-06-25 Thread Peter Saint-Andre via dev-security-policy
On 6/25/18 1:35 PM, swchang10--- via dev-security-policy wrote:
> On Friday, August 11, 2017 at 6:54:22 AM UTC-7, Peter Bowen wrote:
>> On Thu, Aug 10, 2017 at 1:22 PM, Jonathan Rudenberg via
>> dev-security-policy wrote:
>>> RFC 5280 section 7.2 and the associated IDNA RFC requires that
>>>

Re: Certificates with improperly normalized IDNs

2018-06-25 Thread swchang10--- via dev-security-policy
On Friday, August 11, 2017 at 6:54:22 AM UTC-7, Peter Bowen wrote:
> On Thu, Aug 10, 2017 at 1:22 PM, Jonathan Rudenberg via
> dev-security-policy wrote:
> > RFC 5280 section 7.2 and the associated IDNA RFC requires that
> > Internationalized Domain Names are normalized before encoding to

Re: Certificates with improperly normalized IDNs

2017-08-11 Thread Peter Bowen via dev-security-policy
On Thu, Aug 10, 2017 at 1:22 PM, Jonathan Rudenberg via dev-security-policy wrote:
> RFC 5280 section 7.2 and the associated IDNA RFC requires that
> Internationalized Domain Names are normalized before encoding to punycode.
>
> Let’s Encrypt appears to

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 11/08/2017 00:14, Ryan Sleevi wrote:
On Thu, Aug 10, 2017 at 5:31 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
This raises the question if CAs should be responsible for misissued domain names, or if they should be allowed to issue certificates to

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 11/08/2017 00:00, Jonathan Rudenberg wrote:
On Aug 10, 2017, at 17:31, Jakob Bohm via dev-security-policy wrote:
On 10/08/2017 22:22, Jonathan Rudenberg wrote:
RFC 5280 section 7.2 and the associated IDNA RFC requires that Internationalized Domain

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Peter Bowen via dev-security-policy
On Thu, Aug 10, 2017 at 2:31 PM, Jakob Bohm via dev-security-policy wrote:
> On 10/08/2017 22:22, Jonathan Rudenberg wrote:
>>
>> RFC 5280 section 7.2 and the associated IDNA RFC requires that
>> Internationalized Domain Names are normalized before encoding

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 10, 2017 at 5:31 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
>
> This raises the question if CAs should be responsible for misissued
> domain names, or if they should be allowed to issue certificates to
> actually existing DNS names.
>
No. It

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 10, 2017, at 17:31, Jakob Bohm via dev-security-policy
> wrote:
>
> On 10/08/2017 22:22, Jonathan Rudenberg wrote:
>> RFC 5280 section 7.2 and the associated IDNA RFC requires that
>> Internationalized Domain Names are normalized before encoding

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Roland Bracewell Shoemaker via dev-security-policy
We are aware of this and are looking into it further.
On 08/10/2017 01:22 PM, Jonathan Rudenberg via dev-security-policy wrote:
> RFC 5280 section 7.2 and the associated IDNA RFC requires that
> Internationalized Domain Names are normalized before encoding to punycode.
>
> Let’s Encrypt appears

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 10/08/2017 22:22, Jonathan Rudenberg wrote:
RFC 5280 section 7.2 and the associated IDNA RFC requires that Internationalized Domain Names are normalized before encoding to punycode. Let’s Encrypt appears to have issued at least three certificates that have at least one dnsName without the