[cabfpub] Ballot 202 - Underscore and Wildcard Characters

Geoff Keating geoffk at apple.com
Wed Jul 26 19:27:23 UTC 2017

My understanding is that the punycode issue is not altered by this ballot, because the current definitions state:
Domain Name: The label assigned to a node in the Domain Name System.

and in the DNS, the label assigned to a node with an internationalised domain name is encoded in punycode.  So it is not allowed to produce certificates with UTF-encoded IDNs today.

I think that if GDCA is serious about this concern, they should propose a ballot which removes the restriction that commonName must match one of the subjectAltNames.  I don’t know if the world is ready for such a ballot yet, but I think the resulting discussion would be beneficial.  Perhaps the ballot could propose some additional restriction(s), such as that the commonName must contain a space, or a character higher than 0x00FF in unicode, or must not contain a period, so that the commonName couldn’t be mistaken for a domain name.
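As an added example (not part of Geoff Keating's message, and not anything the CA/Browser Forum publishes), the following Python lint checks the two points the message rests on: a commonName holding a non-ASCII IDN is not the label the DNS actually stores, since the DNS stores IDN labels in punycode (A-label) form; and the commonName must match one of the subjectAltName dNSName entries, which only works reliably if both sides are compared in A-label form. The function names, the conversion via Python's built-in `idna` codec (IDNA 2003 ToASCII, adequate to show the idea; a production validator would use an IDNA 2008 / UTS #46 library) and the sample certificate names are all this example's own assumptions.

```python
"""Added example: lint a certificate's commonName against its SAN dNSNames.

Assumptions (not from the thread): Python's built-in 'idna' codec is used
for U-label -> A-label conversion, the helper names are this example's own,
and all certificate data below is constructed for illustration.
"""
from typing import Iterable, List


def to_a_label_form(name: str) -> str:
    """Return the name as the DNS stores it: A-labels (punycode for IDNs).

    The codec converts each dot-separated label separately; all-ASCII labels
    are passed through unchanged (case preserved), so we lowercase afterwards
    because DNS names are case-insensitive.  Wildcard and underscore labels
    are ASCII and therefore also pass through untouched.
    Raises UnicodeError for labels that cannot be converted (e.g. empty or
    longer than 63 octets).
    """
    return name.encode("idna").decode("ascii").lower()


def cn_issues(common_name: str, san_dns_names: Iterable[str]) -> List[str]:
    """Return a list of findings (empty list means the CN is acceptable)."""
    issues: List[str] = []

    # 1. In the DNS the label of an internationalised name is punycode, so a
    #    CN carrying the UTF-8 (U-label) form is not a DNS label at all.
    if not common_name.isascii():
        try:
            hint = to_a_label_form(common_name)
        except UnicodeError:
            hint = "<not convertible>"
        issues.append(
            "commonName contains non-ASCII characters; the DNS label form "
            "is punycode (A-label), e.g. " + hint
        )

    # 2. commonName must match one of the subjectAltName dNSName entries.
    #    Compare both sides in A-label form so a U-label/A-label pair still
    #    counts as the same name and the mismatch finding is not duplicated.
    try:
        cn_a = to_a_label_form(common_name)
        sans_a = {to_a_label_form(s) for s in san_dns_names}
    except UnicodeError as exc:
        issues.append("name cannot be converted to A-label form: %s" % exc)
        return issues
    if cn_a not in sans_a:
        issues.append("commonName does not match any subjectAltName dNSName")
    return issues


# Constructed sample certificates (commonName, SAN dNSNames); not real ones.
SAMPLES = {
    "ascii-ok": ("www.example.com", ["www.example.com", "example.com"]),
    "punycode-ok": ("xn--bcher-kva.example", ["xn--bcher-kva.example"]),
    "utf8-cn": ("bücher.example", ["xn--bcher-kva.example"]),
    "mismatch": ("mail.example.net", ["www.example.net"]),
    "bad-label": ("a..example.net", ["www.example.net"]),
}


def lint_samples() -> dict:
    """Run the lint over SAMPLES; returns {sample name: list of findings}."""
    return {name: cn_issues(cn, sans) for name, (cn, sans) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(name, "->", findings or "OK")
```

The "utf8-cn" sample is the case the message says is not allowed today: the CN and the SAN denote the same DNS node, but the CN is not in the form the DNS stores, so the lint reports it even though the match check passes.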