<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1>
<p class=MsoNormal>Hi Martijn,</p>
<p class=MsoNormal>The same Punycode algorithm as defined in RFC 3492 is used by IDNA2003, 2008, and more to convey Unicode code points in domain labels in a way that conforms to the LDH syntax. The BRs currently require that any labels that are prefixed with “xn--” contain valid Punycode-encoded values (the defined term “P-label” was created to denote this type of label). Given that IDNA2008 “A-labels”, which may contain code points that are not allowed in IDNA2003 (or other deviations from IDNA2003), are valid Punycode, such values are allowed by the BRs as valid P-labels.</p>
<p class=MsoNormal>This flexibility in allowing differing IDNA standards in domain labels was an explicit design decision of SC48v2, as there was much variation between browsers and domain registries in terms of conformance to the various IDNA standards.</p>
<p class=MsoNormal>Thanks,</p>
<p class=MsoNormal>Corey</p>
<div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b>From:</b> Servercert-wg &lt;servercert-wg-bounces@cabforum.org&gt; <b>On Behalf Of </b>Martijn Katerbarg via Servercert-wg<br><b>Sent:</b> Tuesday, March 19, 2024 5:12 AM<br><b>To:</b> CA/B Forum Server Certificate WG Public Discussion List &lt;servercert-wg@cabforum.org&gt;<br><b>Subject:</b> [Servercert-wg] IDNA2003 vs IDNA2008 usage</p>
</div></div>
<p style='margin:0in'>All,</p>
<p style='margin:0in'>We’ve recently become aware that some CAs have issued certificates containing Punycode-encoded domain labels compatible with IDNA2008 that are not compatible with IDNA2003.</p>
<p style='margin:0in'>Our own interpretation is that IDNA2008 is currently not permitted. While the LDH, Non-Reserved LDH and XN label definitions reference RFC 5890, they only quote a very specific part of it. Meanwhile, the P-Label definition directly references RFC 3492 for encoding. Likewise RFC 5280, which the BRs require adherence to, both reference IDNA2003 (RFC 3490). (Side note: I believe RFC 9549 aims to rectify the issue with RFC 5280.)</p>
<p style='margin:0in'>As a note, ballot SC48v2 updated the language to the current definition.</p>
<p style='margin:0in'>I’m looking for the opinions of this group as to their interpretations, as well as opinions on whether we indeed want to allow IDNA2008 and make this clear within the language.</p>
<p style='margin:0in'>Regards,</p>
<p class=MsoNormal>Martijn</p>
</div></body></html>
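As an added illustration (not part of either message above), the following Python check separates the two readings in the thread: whether an "xn--" label is valid RFC 3492 Punycode, which is all the BR "P-label" definition asks for, and whether the decoded label also survives IDNA2003 unchanged. It relies on the fact that Python's standard-library "idna" codec implements IDNA2003 (RFC 3490 ToASCII with Nameprep); the sample labels are constructed, and IDNA2008 validity of the decoded code points is not checked here.

```python
# Added example: classify an "xn--" label as a BR P-label (valid RFC 3492
# Punycode) and test whether IDNA2003 (Python's stdlib "idna" codec) keeps it.
from typing import Optional

ACE_PREFIX = "xn--"


def decode_p_label(label: str) -> Optional[str]:
    """Return the U-label if `label` is an xn-- label whose suffix is valid
    RFC 3492 Punycode, round-trips canonically (RFC 5891 requires the
    canonical form) and yields at least one non-ASCII code point; else None."""
    label = label.lower()
    if not label.startswith(ACE_PREFIX):
        return None
    ace = label[len(ACE_PREFIX):]
    try:
        u_label = ace.encode("ascii").decode("punycode")
    except UnicodeError:              # bad digit, truncated integer, > U+10FFFF
        return None
    if not u_label or u_label.isascii():
        return None                   # "xn--" wrapping nothing non-ASCII
    if u_label.encode("punycode").decode("ascii") != ace:
        return None                   # non-canonical encoding
    return u_label


def idna2003_form(u_label: str) -> Optional[str]:
    """IDNA2003 ToASCII (Nameprep + Punycode) of one label; None if Nameprep
    rejects it. Nameprep folds U+00DF (sharp s) to "ss", unlike IDNA2008."""
    try:
        return u_label.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def classify(label: str) -> str:
    """'invalid'        : not a valid P-label under either reading
       'idna2003'       : valid P-label, identical after IDNA2003 ToASCII
       'idna2008-only'  : valid P-label, but IDNA2003 maps or rejects it
                          (the kind of label the thread is about)"""
    u_label = decode_p_label(label)
    if u_label is None:
        return "invalid"
    if idna2003_form(u_label) == label.lower():
        return "idna2003"
    return "idna2008-only"


if __name__ == "__main__":
    # Constructed samples: "bücher" (same under both), "straße" (differs),
    # an all-ASCII xn-- label and a label with an illegal Punycode digit.
    for lbl in ("xn--bcher-kva", "xn--strae-oqa", "xn--abc-", "xn--a!b"):
        print(f"{lbl:16} {classify(lbl)}")
```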