[Servercert-wg] IDN encoding

Wayne Thayer wthayer at mozilla.com
Tue Jan 22 10:21:23 MST 2019


On Mon, Jan 21, 2019 at 5:50 PM Jeremy Rowley via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> We received a report for someone saying that certificates issued with
> puny-code are mis-issued if they use IDNA2008. Considering a number of
> people probably received the same report, I figured we should raise and
> discuss the implications here.
>
> SUMMARY:
>
> Certificates are being issued with puny-code created using two separate
> IDN conversion standards: IDNA2003 and IDNA2008.  Section 7 of RFC 5280
> specifies that conforming applications MUST perform the conversion
> specified in RFC 3490. However, RFC 8399 is listed as an
> internationalization update to RFC 5280. RFC8399 is never referenced in RFC
> 5280 though.
>
> ISSUES:
>
>    1. Does a CA have to check the puny-code provided by a customer for
>    compliance? Generally, we send the validation request to the puny-code
>    domain (not the pre-conversion name). This confirms control over the
>    domain so is there a need to check this? If we aren’t doing the conversion,
>    are we actually an implementer in this case?
>
The BRs require 5280 compliance, so yes I think CAs need to ensure that
certificates they sign conform to IDNA2003.

>
>    2. If required to check the conversion is proper (including if we are
>    doing the conversion with our own systems), do we need to conform to
>    IDNA2003, IDNA2008 or either one of the CAs choosing? Because 8399 is an
>    “Update” and not something that “Obsoletes” 3490, I think the answer is
>    either one is okay?
>
The BRs only reference 5280, so to Paul's point IDNA2003 is what CAs need
to comply with.

>
>    3. Do we want a ballot to standardize this?
>
Sounds like we need a ballot proposing adoption of the RFC 6819 and 8399
updates to 5280, with a suitable effective date to allow CAs to transition
from IDNA2003 to IDNA2008 conformance.

>
> NOTES:
>
> The browsers seem to be working in a transition mode where they use the
> full 2003 char set, then they also support any new ones from 2008 where
> there is a deviation they revert back to the 2003.
>
>    - MS Internet Explorer implements IDNA 2008 transitional mode – sends
>    to ‘ss’-version, no full IDNA 2008 is planned.
>    - Google Chrome implements IDNA 2008 transitional mode – sends to
>    ‘ss’-version, no full IDNA 2008 is planned.
>    - Mozilla Firefox implements IDNA2003 currently, and currently sends
>    to ‘ss’-version.
>    - Apple Safari doesn’t support full IDNA 2008, a relevant bug on
>    WebKit is still open; Safari currently sends to ‘ss’-version.
>    - Opera is currently based on the Blink engine and it implements
>    transitional IDNA 2008. Reportedly, Opera supported full IDNA 2008 in
>    v12.15, but then cancelled in Opera Next (v17), when it switched to the
>    Blink engine.
>
> This information appears to be taken from a 2014 article, and at least for
Firefox is out-of-date: https://bugzilla.mozilla.org/show_bug.cgi?id=479520
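
As an added illustration of the IDNA2003/IDNA2008 divergence discussed in the thread (this is example code, not something posted by either participant): Python's standard-library "idna" codec implements RFC 3490, and a simplified Punycode-only stand-in plays the role of IDNA2008. The function names and sample domains are my own, and the stand-in deliberately omits the RFC 5892 code point validity checks a real IDNA2008 implementation performs.

```python
import unicodedata


def to_ascii_idna2003(domain: str) -> str:
    """ToASCII per RFC 3490/3491 (IDNA2003) via Python's stdlib codec.

    Nameprep case-folds and maps characters before Punycode, so U+00DF (ß)
    becomes "ss" and the label may end up plain ASCII with no xn-- prefix.
    """
    return domain.encode("idna").decode("ascii")


def to_ascii_idna2008_like(domain: str) -> str:
    """Simplified IDNA2008-style encoding (an assumption of this example,
    not a conforming RFC 5891 implementation).

    IDNA2008 has no Nameprep mapping step: a lowercase U-label is NFC
    normalised and Punycode-encoded as is, so ß is kept and encoded.
    The PVALID/CONTEXT checks of RFC 5892 are omitted here.
    """
    labels = []
    for label in unicodedata.normalize("NFC", domain).split("."):
        if label.isascii():
            labels.append(label)                 # ASCII label: unchanged
        else:
            ace = label.encode("punycode").decode("ascii")
            labels.append("xn--" + ace)          # A-label with ACE prefix
    return ".".join(labels)


def classify_submitted_alabel(u_label_domain: str, submitted: str) -> str:
    """Report which standard a customer-supplied A-label form matches.

    Returns "both" (the standards agree for this name, the common case),
    "IDNA2003", "IDNA2008", or "neither" (the A-label does not encode
    the given U-label under either standard).
    """
    submitted = submitted.lower()                # A-labels are case-insensitive
    matches_2003 = submitted == to_ascii_idna2003(u_label_domain)
    matches_2008 = submitted == to_ascii_idna2008_like(u_label_domain)
    if matches_2003 and matches_2008:
        return "both"
    if matches_2003:
        return "IDNA2003"
    if matches_2008:
        return "IDNA2008"
    return "neither"


if __name__ == "__main__":
    # Constructed sample names: "ß" is where the two standards diverge.
    for u_label, sub in [("faß.de", "fass.de"), ("faß.de", "xn--fa-hia.de"),
                         ("bücher.de", "xn--bcher-kva.de")]:
        print(u_label, sub, classify_submitted_alabel(u_label, sub))
```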