[cabfpub] New proposed text for BR 1.1 issues 15 and 29

Hill, Brad bhill at paypal-inc.com
Fri Sep 28 16:08:57 UTC 2012

Well, if the CABF members have noticed anything about me, it's that I perhaps am not cautious enough about peeing on fences that might be electrified.  But even I can smell the ozone and see the charred bits of fur stuck to this one.

If the CAs want to "draw a line in the sand" with the browsers and registrars on IDNA2008, that's your prerogative, but don't tell them I told you to do it.

But maybe it's not a big issue yet.  Does anyone have a convenient copy of the SSLObservatory data instantiated? Or perhaps Yngve can tell us based on his data how many certificates are out there today for non-ASCII names?

I'd also like to know, Yngve (and other browsers), how you handle punycode in certificates, since you mentioned that at the face-to-face.  Do we need to add additional requirements about reverse-encoding punycode DNSNames to U-labels and applying the proposed tests?


From: Rich Smith [mailto:richard.smith at comodo.com]
Sent: Friday, September 28, 2012 11:06 AM
To: Hill, Brad
Subject: RE: [cabfpub] New proposed text for BR 1.1 issues 15 and 29

I know we talked about the 2003 vs. 2008 problem and this is partly because I'm not completely literate in this issue, but it seems to me that given the possible name confusion, and the fact that 2008 expressly prohibits the use of some characters, while 2003 only vaguely discourages such use, I think it would be better for everyone if the CA/B Forum drew a line in the sand and said only 2008 is acceptable.  We should force the browsers AND the registries to update if they want certs to work.  That being said, I'm not sure we can get away with pushing the issue, but I think we should if we can.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Hill, Brad
Sent: Wednesday, September 26, 2012 2:20 PM
To: public at cabforum.org
Subject: [cabfpub] New proposed text for BR 1.1 issues 15 and 29

Updated proposal attached.


* Updated rules for IDN hostname labels to "label components" to allow, e.g., non-Latin scripts to be combined with Latin gTLD suffixes such as ".com"

* Updated IDNA requirements such that hostnames must be valid in EITHER IDNA2003 or IDNA2008.  Opera is currently the only browser that supports IDNA2008, Mozilla has a bug to support it, and WebKit apparently has no current plans to implement IDNA2008.  Allowing both standards allows maximum compatibility, though there is some risk, as some names are valid in one but not the other, and some are valid in both but resolve to different effective host names.

* Updated the Unicode Security Mechanisms Restriction Levels and Alerts reference, which has moved from UTR #36 to UTS #39 in the last few weeks.

Brad Hill
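As an added illustration of two points raised in this thread (reverse-encoding a certificate's punycode DNSNames to U-labels before applying checks, and names that are valid in both IDNA2003 and IDNA2008 but resolve to different effective host names), here is example code that is not part of the thread or of the Baseline Requirements. It uses only the Python standard library and makes three assumptions: the stdlib `idna` codec stands in for IDNA2003 ToASCII, the raw `punycode` codec stands in for the IDNA2008 encoding step (it does not check IDNA2008 code-point validity), and the script classifier is a crude approximation of UTS #39 script detection, not the real Unicode Script property.

```python
import codecs
import unicodedata

# Constructed sample SAN dNSName values as a CA might see them in a CSR
# (not taken from any real certificate).
SAMPLE_DNSNAMES = [
    "www.example.com",
    "xn--strae-oqa.de",    # U-label "straße.de": valid in both IDNA versions
    "xn--pypal-4ve.com",   # U-label "p\u0430ypal.com": Cyrillic "а" among Latin letters
]

def a_label_to_u_label(label):
    """Undo the ACE encoding of one DNSName label (RFC 3492 Punycode, no IDNA mapping)."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label

def u_label_to_a_label_2003(label):
    """IDNA2003 ToASCII via the stdlib 'idna' codec: nameprep (case folding, so
    U+00DF 'ß' becomes 'ss') runs before Punycode, unlike IDNA2008."""
    return label.encode("idna").decode("ascii")

def scripts_in(label):
    """Crude script classifier (assumed approximation of UTS #39 script detection):
    the first word of each letter's Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_dnsname(a_label_hostname):
    """Reverse a dNSName to U-labels, re-encode it under IDNA2003 and report whether
    the IDNA2003 form differs from the certificate's form (a different effective
    host name under an IDNA2003 browser) and whether any label mixes scripts."""
    u_labels = [a_label_to_u_label(lbl) for lbl in a_label_hostname.split(".")]
    idna2003 = ".".join(u_label_to_a_label_2003(lbl) for lbl in u_labels)
    return {
        "u_label_hostname": ".".join(u_labels),
        "idna2003_hostname": idna2003,
        "diverges": idna2003.lower() != a_label_hostname.lower(),
        "mixed_script": any(len(scripts_in(lbl)) > 1 for lbl in u_labels),
    }

if __name__ == "__main__":
    for name in SAMPLE_DNSNAMES:
        print(name, check_dnsname(name))
```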