<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 23, 2018 at 9:26 AM, García Jimeno, Oscar via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="ES">
<div class="gmail-m_8501591513198120616WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi, we need to issue a certificate for <a href="http://www.gueñes.eus" target="_blank">
www.gueñes.eus</a>. According to CABForum requirements, the dnsName, if included in the CN, must match the SAN of the certificate. Our problem is that according to RFC5280 the dnsName in the SAN must be encoded with IA5String, and can’t include not ASCII 7-bits
characters (like ‘ñ’). If we encode the CN using UTF-8 (<a href="http://www.gueñes.eus" target="_blank">www.gueñes.eus</a>) and the SAN using IA5String (<a href="http://www.xn--guees-qta.eus" target="_blank">www.xn--guees-qta.eus</a>), then tools like zlint or
<a href="https://misissued.com/batch/1/" target="_blank">https://misissued.com/batch/1/</a> don’t accept them as valid, because they see them as different names (<a href="http://www.gueñes.eus" target="_blank">www.gueñes.eus</a> in CN vs
<a href="http://www.xn--guees-qta.eus" target="_blank">www.xn--guees-qta.eus</a> in SAN).</span><span lang="EN-US" style="font-size:10pt;font-family:"Courier New";color:rgb(34,34,34)">
</span><span lang="EN-US">Shall we issue the CN as <a href="http://www.xn--guees-qta.eus" target="_blank">
<span style="color:windowtext;text-decoration:none">www.xn--guees-qta.eus</span></a> like the SAN, or can we have different values between CN and SAN?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal">Thanks<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<table class="gmail-m_8501591513198120616MsoNormalTable" border="0" cellpadding="0" width="650" style="width:487.5pt;background:white">
<tbody>
<tr>
<td style="background:transparent;padding:7.5pt">
<p class="MsoNormal"><b><i><span style="color:rgb(0,51,102)">.eus</span></i></b><b><span style="color:rgb(0,51,102)">
<span style="font-variant:small-caps">gara !</span><u></u><u></u></span></b></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif;color:rgb(0,51,102);background:white">horregatik orain nire helbide elektronikoa da:</span><span style="color:rgb(0,51,102)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,51,102)">por eso mi dirección de correo electrónico ahora es: </span><span><a href="mailto:o-garcia@izenpe.eus" target="_blank"><span style="color:blue">o-garcia@izenpe.eus</span></a><u></u><u></u></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span style="font-size:8.5pt;font-family:Tahoma,sans-serif;color:black"><u></u> <u></u></span></b></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span style="font-size:8.5pt;font-family:Tahoma,sans-serif;color:black">Oscar García</span></b><span><u></u><u></u></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span style="font-size:8.5pt;font-family:Tahoma,sans-serif;color:black">CISSP, CISM<u></u><u></u></span></b></p>
<p class="MsoNormal" style="line-height:9.75pt"><span style="font-size:8.5pt;font-family:Tahoma,sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:navy"><img border="0" width="589" height="99" id="gmail-m_8501591513198120616Imagen_x0020_1" src="cid:image001.jpg@01D3F2A7.BBC7F3A0" alt="Descripción: Descripción: firma_email_Izenpe_eus"></span><span style="font-size:8.5pt;font-family:Tahoma,sans-serif;color:black"><u></u><u></u></span></p>
</td>
</tr>
<tr>
<td width="80%" style="width:80%;background:transparent;padding:7.5pt">
<div align="center">
<table class="gmail-m_8501591513198120616MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100%;background:white">
<tbody>
<tr>
<td valign="top" style="padding:0cm"></td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
<tr>
<td valign="top" style="background:transparent;padding:7.5pt">
<p class="MsoNormal" style="line-height:9.75pt"><span style="font-size:7.5pt;font-family:Tahoma,sans-serif;color:rgb(136,136,136)">ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko
helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style="color:rgb(136,136,136)"><br>
</span><span style="font-size:7.5pt;font-family:Tahoma,sans-serif;color:rgb(136,136,136)">ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por
error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span style="font-size:12pt"><u></u><u></u></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Comic Sans MS";color:purple"><img border="0" width="199" height="71" id="gmail-m_8501591513198120616Imagen_x0020_2" src="cid:image002.png@01D3F2A7.BBC7F3A0" alt="Descripción: cid:image001.png@01D2DDEC.B8FB6830"></span><span><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a></blockquote><div><br></div><div>There are no known compatibility issues in having the CN match the A-Label form (that is, xn--).</div><div><br></div><div>There are no known display issues in having the CN match the A-Label form (that is, xn--).</div><div><br></div><div>There are known display and compatibility issues in having the CN use the U-Label form. Notably, Microsoft Windows CryptoAPI is the only API that is known to translate the U-Label into A-Label. Software which does not support SAN traditionally expects a byte-for-byte match with the hostname, which will be presented in its A-Label form.</div><div><br></div><div>Unfortunately, some CAs voted against providing this guidance within the BRs, and thus the ballot ( <a href="https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/">https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/</a> ) failed. No further details have been provided as to the basis of the objecting CAs, so the Forum is left with little input as how to make this acceptable to them.</div><div><br></div><div>The ballot could otherwise be resubmitted unchanged.</div></div><br></div></div>