[cabfpub] Ballot 202 - Underscore and Wildcard Characters

Ryan Sleevi sleevi at google.com
Wed Jul 26 17:03:00 UTC 2017

On Wed, Jul 26, 2017 at 12:41 PM, Kirk Hall via Public
<public at cabforum.org> wrote:
> Peter, Ben, and Ryan – do you have a response to the punycode issue raised
> by CFCA, GDCA, and SHECA?


Is a response needed? It's 1 AM in China. Are you expecting these CAs
to change their votes? Are you expecting other CAs to share these

They've established their position based on information not shared
during discussion, and within hours to the vote closing, so there
doesn't seem much to respond to?

CFCA has indicated that it believes local browser UI is more important
than ensuring the security of certificates by ensuring there is a
consistent and unambiguous representation. The only reason given for
voting against is that some (unspecified, local) browsers are
presumably capable of displaying U-Labels in the address bar (or else
they would, again presumably, run afoul of the unspecified local
laws), but apparently incapable of displaying that same representation
in a certificate viewer.

Had this been raised during the discussion period, it certainly could
have been an opportunity to obtain additional information to evaluate
these claims, as well as explain the risk that exists with using the
U-Label form - for all IDNA-aware browsers. That is, the use of
U-Labels in the commonName creates several risks

1) IDNA display policies by browsers are hugely important,
security-relevant matters. IDNA expressed in U-Label form creates
meaningful divergence from the browsers' security mitigations.
2) U-Labels are not intended to be stable storage; the ACE-encoded
A-label (punycode) represents a stable, wire-safe format
3) The presumed risk is a CA that displays U-labels in its address bar
and A-labels in its certificate viewer - but that sounds like a
"browser issue" more than a "CA must issue these" issue.

These are reasons I would disagree with their assessment, but given
the situation, it doesn't seem terribly productive to do so within
hours of the vote. I'm assuming you asked because Entrust hasn't voted
yet, and I do hope you'll consider these real technical and security
concerns in consideration of the vote. If your concern is the local
laws, as you know, the BRs have a provision for that, so it would in
no way unduly burden those CAs that believe they're affected by this,
should these explanations be insufficient.

More information about the Public mailing list