[cabfcert_policy] FW: Certificates with improperly normalized IDNs

Ben Wilson ben.wilson at digicert.com
Thu Aug 10 14:01:13 MST 2017


For tracking purposes, I'm forwarding this here.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert.com at lists.mozilla.org] On Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Thursday, August 10, 2017 2:23 PM
To: mozilla-dev-security-policy at lists.mozilla.org
Subject: Certificates with improperly normalized IDNs

RFC 5280 section 7.2 and the associated IDNA RFC require that Internationalized Domain Names be normalized before encoding to punycode.

Let’s Encrypt appears to have issued at least three certificates that have at least one dnsName without the proper Unicode normalization applied.

https://crt.sh/?id=187634027&opt=cablint
https://crt.sh/?id=187628042&opt=cablint
https://crt.sh/?id=173493962&opt=cablint

It’s also worth noting that RFC 3491 (referenced by RFC 5280 via RFC 3490) requires normalization form KC, but RFC 5891 which replaces RFC 3491 requires normalization form C. I believe that the BRs and/or RFC 5280 should be updated to reference RFC 5890 and by extension RFC 5891 instead.

Jonathan

_______________________________________________
dev-security-policy mailing list
dev-security-policy at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
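The normalization defect described in the forwarded message can be checked mechanically: decode each `xn--` label of a dnsName back to its Unicode form and test whether that string is already in the required normalization form. The following is an added example, not code from the original thread or from any CA or linter mentioned in it; it uses only the Python standard library (`unicodedata` and the built-in `punycode` codec), the function names are hypothetical, and the three sample dnsNames are constructed here to show the two cases Jonathan distinguishes: a label that fails NFC (so it is wrong under both RFC 3491 and RFC 5891) and a label that passes NFC but fails NFKC (acceptable under RFC 5891, rejected by RFC 3491).

```python
import unicodedata

ACE_PREFIX = "xn--"  # RFC 3490/5890 ACE prefix marking a punycode-encoded label


def decode_label(label: str) -> str:
    """Return the Unicode (U-label) form of one DNS label.

    A-labels ("xn--...") are punycode-decoded; plain ASCII labels are returned unchanged.
    """
    if label.lower().startswith(ACE_PREFIX):
        return label.lower()[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def check_dnsname(name: str) -> list:
    """Check every A-label of a dnsName against NFC (RFC 5891) and NFKC (RFC 3491).

    Returns one finding per A-label: the decoded U-label and whether it is already
    in each normalization form. A label that is not in NFC was encoded without the
    normalization the IDNA RFCs require; a label in NFC but not NFKC is the
    RFC 3491 vs RFC 5891 discrepancy noted in the message.
    """
    findings = []
    for label in name.split("."):
        if not label.lower().startswith(ACE_PREFIX):
            continue  # pure ASCII labels need no normalization check
        ulabel = decode_label(label)
        findings.append({
            "label": label,
            "ulabel": ulabel,
            "nfc": unicodedata.normalize("NFC", ulabel) == ulabel,
            "nfkc": unicodedata.normalize("NFKC", ulabel) == ulabel,
        })
    return findings


def is_properly_normalized(name: str, form: str = "NFC") -> bool:
    """True if every A-label in the dnsName decodes to a string already in `form`."""
    key = form.lower()
    return all(f[key] for f in check_dnsname(name))


def to_alabel(ulabel: str) -> str:
    """Helper for constructing samples: punycode-encode a U-label and add the ACE prefix."""
    return ACE_PREFIX + ulabel.encode("punycode").decode("ascii")


# Constructed sample dnsNames (hypothetical, not from any real certificate):
# 1. precomposed U+00FC: correctly normalized under NFC and NFKC
GOOD_NAME = to_alabel("b\u00fccher") + ".example"
# 2. "u" + combining diaeresis U+0308: not normalized (fails NFC and NFKC)
BAD_NFC_NAME = to_alabel("bu\u0308cher") + ".example"
# 3. U+FB01 ligature "fi": stable under NFC but folded to "fi" by NFKC
NFC_ONLY_NAME = to_alabel("\ufb01le") + ".example"

if __name__ == "__main__":
    for n in (GOOD_NAME, BAD_NFC_NAME, NFC_ONLY_NAME, "example.com"):
        print(n, check_dnsname(n), "NFC-ok:", is_properly_normalized(n))
```

Run over the dnsNames extracted from a certificate's subjectAltName, a finding with `nfc` false is the condition the message describes; a finding with `nfc` true and `nfkc` false is exactly the case where the RFC 3491 and RFC 5891 rules disagree, which is why the choice of referenced RFC in the BRs matters.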