[Servercert-wg] [Ext] IDN encoding

Paul Hoffman paul.hoffman at icann.org
Mon Jan 21 19:04:46 MST 2019 

On Jan 21, 2019, at 4:49 PM, Jeremy Rowley via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> We received a report for someone saying that certificates issued with puny-code are mis-issued if they use IDNA2008. Considering a number of people probably received the same report, I figured we should raise and discuss the implications here.  

(Pedantic note: it is spelled "Punycode" consistently in all RFCs.)

> SUMMARY:
> Certificates are being issued with puny-code created using two separate IDN conversion standards: IDNA2003 and IDNA2008.  Section 7 of RFC 5280 specifies that conforming applications MUST perform the conversion specified in RFC 3490. However, RFC 8399 is listed as an internationalization update to RFC 5280. RFC8399 is never referenced in RFC 5280 though.

Later RFCs cannot be referenced in earlier RFCs because, well, they are issued later.

RFC 8399 is a formal, standard-track update to RFC 5280. If you say "we conform to RFC 5280", that means you do not conform to any later document that is a formal update to RFC 5280. For reference, RFC 5280 has been updated by three later RFCs:
- RFC 6818: "Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"
- RFC 8398: "Internationalized Email Addresses in X.509 Certificates"
- RFC 8399: "Internationalization Updates to RFC 5280"
All three are standards issued by the IETF.

> ISSUES:
> 	• Does a CA have to check the puny-code provided by a customer for compliance? Generally, we send the validation request to the puny-code domain (not the pre-conversation name). This confirms control over the domain so is there a need to check this? If we aren’t doing the conversion, are we actually an implementer in this case?

The domain name as it appears in the DNS is encoded in Punycode. That is the encoding that appears in the certificate. It is exactly what you should check.

> 	• If required to check the conversion is proper (including if we are doing the conversion with our own systems), do we need to conform to IDNA2003, IDN2008 or either one of the CAs choosing? Because 8399 is an “Update” and not something that “Obsoletes” 3490, I think the answer is either one is okay?

No. RFC 8399 updates RFC 5280. The updated combination of RFCs says that you need to use the IDNA 2008 rules. Section 2.1 is pretty clear on this.

> 	• Do we want a ballot to standardize this?  

The CABForum can choose to standardize on anything they want. A reasonable rule of thumb would be to standardize on the most recent updates to RFC 5280 unless there was a reason stated in the BR not to.

--Paul Hoffman

More information about the Servercert-wg mailing list