[cabfpub] New proposed text for BR 1.1 issues 15 and 29
Yngve N. Pettersen (Developer Opera Software ASA)
yngve at opera.com
Fri Sep 28 20:38:42 UTC 2012
On Fri, 28 Sep 2012 18:08:57 +0200, Hill, Brad <bhill at paypal-inc.com>
wrote:
> Well, if the CABF members have noticed anything about me, it's that I
> perhaps am not cautious enough about peeing on fences that might be
> electrified. But even I can smell the ozone and see the charred bits of
> fur stuck to this one.
>
> If the CAs want to "draw a line in the sand" with the browsers and
> registrars on IDNA2008, that's your prerogative, but don't tell them I
> told you to do it.
>
> But maybe it's not a big issue yet. Does anyone have a convenient copy
> of the SSLObservatory data instantiated? Or perhaps Yngve can tell us
> based on his data how many certificates are out there today for
> non-ASCII names?
Might be able to do that, but not right now.
> I'd also like to know, Yngve (and other browsers) how you handle
> punycode in certificates, since you mentioned that at the face-to-face.
> Do we need to add additional requirements about reverse-encoding
> punycode DNSNames to U-labels and applying the proposed tests?
Opera compares A-labels; that is the standard specified way of comparing
U-labels (convert both to A-labels); incoming A-labels will be converted to
U-label and back to A-label to make sure they are correct. That is, the
validated A-label name in the certificate must match the A-label DNS name
we are connecting to.
Regarding wildcards, "xn--foo*" is not allowed.
> -Brad
>
> From: Rich Smith [mailto:richard.smith at comodo.com]
> Sent: Friday, September 28, 2012 11:06 AM
> To: Hill, Brad
> Subject: RE: [cabfpub] New proposed text for BR 1.1 issues 15 and 29
>
> Brad,
> I know we talked about the 2003 vs. 2008 problem and this is partly
> because I'm not completely literate in this issue, but it seems to me
> that given the possible name confusion, and the fact that 2008 expressly
> prohibits the use of some characters, while 2003 only vaguely
> discourages such use, I think it would be better for everyone if the
> CA/B Forum drew a line in the sand and said only 2008 is acceptable. We
> should force the browsers AND the registries to update if they want
> certs to work. That being said, I'm not sure we can get away with
> pushing the issue, but I think we should if we can.
> -Rich
>
> From: public-bounces at cabforum.org
> [mailto:public-bounces at cabforum.org]
> On Behalf Of Hill, Brad
> Sent: Wednesday, September 26, 2012 2:20 PM
> To: public at cabforum.org
> Subject: [cabfpub] New proposed text for BR 1.1 issues 15 and 29
>
> Updated proposal attached.
>
> Changes:
>
> * Updated rules for IDN hostname labels to "label components" to
> allow, e.g. non-Latin scripts to be combined with Latin gTLD suffixes
> such as ".com"
>
> * Updated IDNA requirements such that hostnames must be valid in
> EITHER IDNA2003 or IDNA2008. Opera is currently the only browser that
> supports IDNA2008, Mozilla has a bug to support it, and WebKit
> apparently has no current plans to implement IDNA2008. Allowing both
> standards allows maximum compatibility, though there is some risk as
> some names that are valid in one but not the other, and some which are
> valid in both but resolve to different effective host names.
>
> * Updated the Unicode Security Mechanisms Restriction Levels and
> Alerts reference which has moved from UTR #36 to UTS #39 in the last few
> weeks.
>
> Brad Hill
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 96 90 41 51 Fax: +47 23 69 24 01
********************************************************************
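An added illustration of the comparison flow Yngve describes above (compare as A-labels, round-trip incoming A-labels through U-label and back, reject a wildcard inside an A-label such as "xn--foo*"); this is example code, not Opera's implementation. It uses Python's standard-library "idna" codec, which implements IDNA2003 (the third-party "idna" package would be needed for IDNA2008), and it assumes, more strictly than the message states, that only a bare "*" in the leftmost label counts as a wildcard.

```python
# Example code, not Opera's. Names are compared as A-labels; an incoming
# A-label must survive A-label -> U-label -> A-label unchanged; a wildcard
# embedded in an A-label ("xn--foo*") is rejected. The stdlib codec used
# here is IDNA2003 (nameprep + punycode), not IDNA2008.
import encodings.idna  # noqa: F401  (makes sure the "idna" codec is registered)


def to_alabel(label: str) -> str:
    """Convert one label (U-label or already ASCII) to a lower-cased A-label."""
    return label.encode("idna").decode("ascii").lower()


def validate_alabel(label: str) -> str:
    """Return the canonical A-label, or raise ValueError if it is malformed."""
    label = label.lower()
    if not label.isascii():
        raise ValueError(f"A-label must be ASCII: {label!r}")
    if label.startswith("xn--"):
        try:
            ulabel = label.encode("ascii").decode("idna")  # ToUnicode; may raise
            back = to_alabel(ulabel)                        # ToASCII again
        except UnicodeError as exc:
            raise ValueError(f"invalid A-label {label!r}: {exc}") from exc
        if back != label:
            raise ValueError(f"A-label does not round-trip: {label!r} -> {back!r}")
    return label


def cert_name_matches(hostname: str, cert_dnsname: str) -> bool:
    """Match the target hostname against a certificate dNSName, label by label."""
    host = [to_alabel(lbl) for lbl in hostname.rstrip(".").split(".")]
    cert = cert_dnsname.rstrip(".").split(".")
    if len(host) != len(cert):
        return False
    for i, raw in enumerate(cert):
        if "*" in raw:
            # Assumption (stricter than the message): a wildcard is only a bare
            # "*" as the entire leftmost label; "xn--foo*" and the like are rejected.
            if raw != "*" or i != 0:
                raise ValueError(f"wildcard not permitted in label {raw!r}")
            continue
        if validate_alabel(raw) != host[i]:
            return False
    return True
```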