[cabf_validation] [EXTERNAL]Re: IDN Encoding Ballot

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Feb 14 15:39:16 MST 2019

Is there a simple tool available that would allow CAs to scan IDNs to determine if they are IDNA2003 or IDNA2008?

Thanks, Bruce.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Wayne Thayer via Validation
Sent: February 14, 2019 12:30 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [EXTERNAL]Re: [cabf_validation] IDN Encoding Ballot

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
Since we didn't get to this on today's call. I'd like to ask for some discussion on the list about requiring IDNA2008 encoding with a sunset on IDNA2003. I would boil the options down to:

1. We should require consistent and unambiguous encoding of IDNs in SANs and CNs when represented as Unicode, and that means we should require conformance with IDNA2008
2. Some existing domains rely on IDNA2003 encoding to display as intended, and browsers support the UTS #46 compatibility processing specification [1], so we should allow both IDNA2003 and IDNA2008
3. CAs shouldn't be held to any encoding requirements as long as they are only accepting punycode from the subscriber and validating the domain name, then placing the punycode into the certificate

I'm not an IDN expert, so I'll be happy to have someone correct and clarify this. What does everyone think we should do?



[1] http://unicode.org/faq/idn.html

On Wed, Feb 13, 2019 at 9:49 AM Wayne Thayer <wthayer at mozilla.com<mailto:wthayer at mozilla.com>> wrote:
The recent debate [1] [2] over IDNA2003 vs IDNA2008 encoding motivated me to take a stab at fixing the problem. Here is a draft ballot based on Peter Bowen's Ballot 202:


My thanks to Corey Bonnell and Roland Shoemaker for their input.

Can we add this to tomorrow''s VWG meeting agenda?

The big open question is if we should forbid IDNA2003 encoding in certificates.



[1] https://cabforum.org/pipermail/servercert-wg/2019-January/000520.html
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/ad6NfLGZ730/9yTm3iJgFAAJ

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190214/5b5e27b0/attachment.html>

More information about the Validation mailing list