[cabfpub] New proposed text for BR 1.1 issues 15 and 29

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri Sep 28 20:38:42 UTC 2012

On Fri, 28 Sep 2012 18:08:57 +0200, Hill, Brad <bhill at paypal-inc.com>  

> Well, if the CABF members have noticed anything about me, it's that I  
> perhaps am not cautious enough about peeing on fences that might be  
> electrified.  But even I can smell the ozone and see the charred bits of  
> fur stuck to this one.
> If the CAs want to "draw a line in the sand" with the browsers and  
> registrars on IDNA2008, that's your prerogative, but don't tell them I  
> told you to do it.
> But maybe it's not a big issue yet.  Does anyone have a convenient copy  
> of the SSLObservatory data instantiated? Or perhaps Yngve can tell us  
> based on his data how many certificates are out there today for  
> non-ASCII names?

Might be able to do that, but not right now.

> I'd also like to know, Yngve (and other browsers) how you handle  
> punycode in certificates, since you mentioned that at the face-to-face.   
> Do we need to add additional requirements about reverse-encoding  
> punycode DNSNames to U-labels and applying the proposed tests?

Opera compares A-labels; that is the standard specified way of comparing  
U-labels (convert both to A-labels); incoming A-labels will be converted to  
U-label and back to A-label to make sure they are correct. That is, the  
validated A-Label name in the certificate must match the A-label DNS name  
we are connecting to.

Regarding wildcards, "xn--foo*" is not allowed.

> -Brad
> From: Rich Smith [mailto:richard.smith at comodo.com]
> Sent: Friday, September 28, 2012 11:06 AM
> To: Hill, Brad
> Subject: RE: [cabfpub] New proposed text for BR 1.1 issues 15 and 29
> Brad,
> I know we talked about the 2003 vs. 2008 problem and this is partly  
> because I'm not completely literate in this issue, but it seems to me  
> that given the possible name confusion, and the fact that 2008 expressly  
> prohibits the use of some characters, while 2003 only vaguely  
> discourages such use, I think it would be better for everyone if the  
> CA/B Forum drew a line in the sand and said only 2008 is acceptable.  We  
> should force the browsers AND the registries to update if they want  
> certs to work.  That being said, I'm not sure we can get away with  
> pushing the issue, but I think we should if we can.
> -Rich
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]  
> On Behalf Of Hill, Brad
> Sent: Wednesday, September 26, 2012 2:20 PM
> To: public at cabforum.org
> Subject: [cabfpub] New proposed text for BR 1.1 issues 15 and 29
> Updated proposal attached.
> Changes:
> * Updated rules for IDN hostname labels to "label components" to  
> allow, e.g. non-Latin scripts to be combined with Latin gTLD suffixes  
> such as ".com"
> * Updated IDNA requirements such that hostnames must be valid in  
> EITHER IDNA2003 or IDNA2008.  Opera is currently the only browser that  
> supports IDNA2008, Mozilla has a bug to support it, and WebKit  
> apparently has no current plans to implement IDNA2008.  Allowing both  
> standards allows maximum compatibility, though there is some risk as  
> some names that are valid in one but not the other, and some which are  
> valid in both but resolve to different effective host names.
> * Updated the Unicode Security Mechanisms Restriction Levels and  
> Alerts reference which has moved from UTR #36 to UTS #39 in the last few  
> weeks.
> Brad Hill

Yngve N. Pettersen
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
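Added example (not code from this thread, from Opera, or from the CA/B Forum draft): the comparison Yngve describes above, implemented with Python's standard-library IDNA codec. The stdlib codec implements IDNA2003 rather than the IDNA2008 that Opera uses, so the mapping tables differ, but the steps are the same ones the message lists: U-labels are converted to A-labels, an incoming A-label is decoded to its U-label and re-encoded and rejected if the result differs, and the certificate name and the target host are then compared on A-labels. The wildcard rule (only a leftmost label that is exactly "*" is accepted, so a partial wildcard such as "xn--foo*" is rejected) is an assumption consistent with the message, not a statement of Opera's full wildcard policy. All sample names are constructed; "xn--bcher-2pa" is the raw punycode of the un-normalised string "bÜcher", which decodes cleanly but re-encodes to "xn--bcher-kva".

```python
import encodings.idna as idna_codec  # stdlib IDNA2003 ToASCII/ToUnicode; assumption: same round-trip logic under IDNA2008


class InvalidIDN(ValueError):
    """Raised for a label that is not a valid IDN label or does not round-trip."""


def canonical_alabel(label: str) -> str:
    """Return the canonical (lower-case) A-label for one DNS label.

    A U-label is converted with ToASCII.  An incoming A-label (xn--...) is
    decoded to its U-label and re-encoded; the codec's ToUnicode rejects any
    A-label whose re-encoding differs from the original, which is the
    round-trip check described in the message.
    """
    try:
        if label.lower().startswith("xn--"):
            # A-labels are ASCII; lower-case first so the codec recognises the prefix.
            ulabel = idna_codec.ToUnicode(label.lower().encode("ascii"))
            alabel = idna_codec.ToASCII(ulabel)
        else:
            # nameprep + punycode for a U-label, plain passthrough for ASCII
            alabel = idna_codec.ToASCII(label)
    except UnicodeError as exc:
        raise InvalidIDN(f"{label!r}: {exc}") from exc
    return alabel.decode("ascii").lower()


def canonical_cert_dnsname(name: str) -> list:
    """Validate a certificate dNSName and return its labels in canonical A-label form.

    Wildcard rule (assumption, consistent with the message rejecting "xn--foo*"):
    the only accepted wildcard is a leftmost label that is exactly "*".
    """
    labels = name.rstrip(".").split(".")
    out = []
    for i, lbl in enumerate(labels):
        if "*" in lbl:
            if i == 0 and lbl == "*":
                out.append("*")
                continue
            raise InvalidIDN(f"wildcard label {lbl!r} is not permitted")
        out.append(canonical_alabel(lbl))
    return out


def name_is_valid(name: str) -> bool:
    """True if the dNSName passes validation (e.g. a CA-side pre-issuance check)."""
    try:
        canonical_cert_dnsname(name)
        return True
    except InvalidIDN:
        return False


def cert_name_matches(cert_dnsname: str, host: str) -> bool:
    """Client-side match: the certificate's canonical A-labels must equal the
    canonical A-labels of the host being connected to, label by label."""
    cert_labels = canonical_cert_dnsname(cert_dnsname)
    host_labels = [canonical_alabel(l) for l in host.rstrip(".").split(".")]
    if any("*" in l for l in host_labels):
        raise InvalidIDN("target host name may not contain a wildcard")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


if __name__ == "__main__":
    # Constructed sample names (not taken from the thread).
    for cert, host in [("bücher.example", "XN--BCHER-KVA.example"),
                       ("*.bücher.example", "www.xn--bcher-kva.example"),
                       ("*.example", "a.b.example")]:
        print(f"{cert!r} vs {host!r}: {cert_name_matches(cert, host)}")
    # "xn--bcher-2pa" decodes to "bÜcher" but re-encodes to "xn--bcher-kva", so it is rejected.
    print(name_is_valid("xn--bcher-2pa.example"), name_is_valid("xn--bcher*.example"))
```

The CA-side check (`name_is_valid`) and the client-side match (`cert_name_matches`) share one canonicalisation so that a name accepted at issuance is compared the same way at connection time; a label that fails the round-trip is rejected in both places rather than silently compared as opaque ASCII.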
