[cabfpub] Clarification on BR (commonName) and IDNs

Peter Bowen pzb at amzn.com
Tue Jan 26 10:04:43 MST 2016

In the BRs, for commonName, it says “If present, this field MUST contain a single IP address or Fully‐Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension.”

RFC 5280 requires the SAN and domainComponent DN attribute to contain the punycode (e.g. xn--) form of Internationalized Domain Names.  However it is silent on commonName.

Is it allowable to have the commonName contain the Unicode string for IDNs in the SAN or must it only include the punycode form from the SAN?
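
An added example, not part of the original message: a lint-style check that tells apart the two cases the question distinguishes, a commonName identical to a SAN value versus a commonName that is the Unicode form of a punycode SAN entry. It does not decide which is permitted. The function names and the sample domain are constructed, and Python's built-in `idna` codec (IDNA 2003) is assumed to be an adequate converter here.

```python
import ipaddress
from typing import Sequence


def to_a_label(name: str) -> str:
    """Return the lower-cased punycode (xn--) form of a DNS name (IDNA 2003 codec)."""
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def classify_cn(common_name: str, san_dns: Sequence[str],
                san_ips: Sequence[str] = ()) -> str:
    """Classify how a subject commonName relates to the certificate's SAN values.

    "exact"        - CN equals a SAN dNSName (case-insensitive) or a SAN iPAddress
    "unicode-form" - CN is the Unicode string of an IDN whose punycode form is in the SAN
    "no-match"     - CN corresponds to no SAN value
    """
    # IP addresses are compared as parsed values, not as text.
    try:
        cn_ip = ipaddress.ip_address(common_name)
    except ValueError:
        cn_ip = None
    if cn_ip is not None:
        hit = any(ipaddress.ip_address(ip) == cn_ip for ip in san_ips)
        return "exact" if hit else "no-match"

    sans = {s.lower() for s in san_dns}
    if common_name.lower() in sans:
        return "exact"
    try:
        # A Unicode CN only matches after conversion to its xn-- form.
        if to_a_label(common_name) in sans:
            return "unicode-form"
    except UnicodeError:
        pass  # not convertible to a valid A-label, so it cannot match
    return "no-match"


if __name__ == "__main__":
    # Constructed sample: SAN holds the punycode form of "bücher.example".
    san = ["xn--bcher-kva.example"]
    for cn in ("xn--bcher-kva.example", "bücher.example", "other.example"):
        print(f"{cn!r}: {classify_cn(cn, san)}")
```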


