[cabfpub] Ballot 202 - Underscore and Wildcard Characters
Geoff Keating
geoffk at apple.com
Wed Jul 26 19:27:23 UTC 2017
My understanding is that the punycode issue is not altered by this ballot, because the current definitions state:
Domain Name: The label assigned to a node in the Domain Name System.
and in the DNS, the label assigned to a node with an internationalised domain name is encoded in punycode. So it is not allowed to produce certificates with UTF-encoded IDNs today.
I think that if GDCA is serious about this concern, they should propose a ballot which removes the restriction that commonName must match one of the subjectAltNames. I don’t know if the world is ready for such a ballot yet, but I think the resulting discussion would be beneficial. Perhaps the ballot could propose some additional restriction(s), such as that the commonName must contain a space, or a character higher than 0x00FF in Unicode, or must not contain a period, so that the commonName couldn’t be mistaken for a domain name.
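Added example, not part of the original message or of any CA/Browser Forum text: a small Python lint that contrasts the rule as described above (dNSName SANs in punycode form, commonName matching a SAN) with the restrictions floated in the message. The function names, the sample names and the choice that a commonName matching a SAN stays acceptable under the relaxed rule are assumptions; Python's built-in IDNA 2003 codec stands in for whatever encoder a CA would use.

```python
# Added illustration. All names and sample values below are constructed.
import re

LDH = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def to_dns_form(name):
    """Encode a name the way its labels appear in the DNS (punycode A-labels)."""
    # Built-in codec implements IDNA 2003; a stand-in for the CA's encoder.
    return name.encode("idna").decode("ascii").lower()

def is_dns_form(name):
    """True when every label is letters/digits/hyphen, i.e. already DNS form."""
    return all(LDH.fullmatch(label) for label in name.split("."))

def cn_not_mistakable_for_domain(cn):
    """Candidate restrictions from the message; satisfying any one passes."""
    return " " in cn or "." not in cn or any(ord(c) > 0x00FF for c in cn)

def lint(cn, san_dns_names, relaxed=False):
    """Findings under today's rule, or under the hypothetical relaxed one."""
    findings = [f"SAN {s!r} is not in DNS (punycode) form"
                for s in san_dns_names if not is_dns_form(s)]
    matches = cn.lower() in {s.lower() for s in san_dns_names}
    if not relaxed and not matches:
        findings.append(f"CN {cn!r} matches no SAN")
    # Assumption: under the relaxed rule a CN equal to a SAN is still fine.
    if relaxed and not matches and not cn_not_mistakable_for_domain(cn):
        findings.append(f"CN {cn!r} could be mistaken for a domain name")
    return findings

if __name__ == "__main__":
    sans = [to_dns_form("bücher.example")]   # -> xn--bcher-kva.example
    for cn in ["xn--bcher-kva.example", "bücher.example",
               "例え.example", "Bücher Shop"]:
        print(cn, lint(cn, sans), lint(cn, sans, relaxed=True))
```

The "bücher.example" case fails both rule sets: ü is U+00FC, which is not higher than 0x00FF, so only the space or no-period condition could admit a Latin-1 name.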