[cabf_validation] IDN Encoding Ballot

Wayne Thayer wthayer at mozilla.com
Thu Feb 14 10:29:45 MST 2019

Since we didn't get to this on today's call. I'd like to ask for some
discussion on the list about requiring IDNA2008 encoding with a sunset on
IDNA2003. I would boil the options down to:

1. We should require consistent and unambiguous encoding of IDNs in SANs
and CNs when represented as Unicode, and that means we should require
conformance with IDNA2008
2. Some existing domains rely on IDNA2003 encoding to display as intended,
and browsers support the UTS #46 compatibility processing specification
[1], so we should allow both IDNA2003 and IDNA2008
3. CAs shouldn't be held to any encoding requirements as long as they are
only accepting punycode from the subscriber and validating the domain name,
then placing the punycode into the certificate

I'm not an IDN expert, so I'll be happy to have someone correct and clarify
this. What does everyone think we should do?



[1] http://unicode.org/faq/idn.html

On Wed, Feb 13, 2019 at 9:49 AM Wayne Thayer <wthayer at mozilla.com> wrote:

> The recent debate [1] [2] over IDNA2003 vs IDNA2008 encoding motivated me
> to take a stab at fixing the problem. Here is a draft ballot based on Peter
> Bowen's Ballot 202:
> https://docs.google.com/document/d/1RHb9lGfe70uh6UcHg96OM7dewv9tFhi1-ZMXgDUbBi0/edit?usp=sharing
> My thanks to Corey Bonnell and Roland Shoemaker for their input.
> Can we add this to tomorrow''s VWG meeting agenda?
> The big open question is if we should forbid IDNA2003 encoding in
> certificates.
> Thanks,
> Wayne
> [1] https://cabforum.org/pipermail/servercert-wg/2019-January/000520.html
> [2]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/ad6NfLGZ730/9yTm3iJgFAAJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190214/7860fcab/attachment.html>

More information about the Validation mailing list