[Servercert-wg] IDNA2003 vs IDNA2008 usage

Martijn Katerbarg martijn.katerbarg at sectigo.com
Tue Mar 19 09:11:39 UTC 2024


We’ve recently become aware that some CAs have issued certificates containing Punycode-encoded domain labels that are compatible with IDNA2008 but not compatible with IDNA2003.

Our own interpretation is that IDNA2008 is currently not permitted. While the LDH, Non-Reserved LDH and XN label definitions reference RFC 5890, they only quote a very specific part of it. Meanwhile, the P-Label definition directly references RFC 3492 for encoding. Likewise, RFC 5280, which the BRs require adherence to, references IDNA2003 (RFC 3490). (Side note: I believe RFC 9549 aims to rectify the issue with RFC 5280.)

As a note, ballot SC48v2 updated the language to the current definition. 

I’m looking for the opinions of this group as to their interpretations, as well as opinions on whether we indeed want to allow IDNA2008 and make this clear within the language.
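The distinction the post is about can be checked mechanically. The following is an added example, not code from the post's author, Sectigo or the CA/Browser Forum: it decodes an A-label with plain RFC 3492 Punycode and then asks whether the result survives an IDNA2003 ToASCII round trip. It assumes Python's built-in `idna` codec as the IDNA2003 (RFC 3490 plus nameprep, RFC 3491) reference implementation, and the sample labels `xn--mnchen-3ya` (münchen) and `xn--strae-oqa` (straße) are constructed for illustration. Under nameprep, ß is mapped to "ss", so the straße label never round-trips under IDNA2003; only IDNA2008 treats ß as a letter that can be encoded directly.

```python
# Added example (not from the original list post): distinguish Punycode
# A-labels that round-trip under IDNA2003 from those that do not.
# Assumption: Python's 'idna' codec implements RFC 3490 ToASCII with nameprep.
import codecs

ACE_PREFIX = "xn--"


def a_label_to_unicode(label: str) -> str:
    """Decode an A-label with bare RFC 3492 Punycode, no IDNA mapping at all."""
    if not label.lower().startswith(ACE_PREFIX):
        raise ValueError(f"{label!r} is not an A-label")
    return codecs.decode(label[len(ACE_PREFIX):].encode("ascii"), "punycode")


def idna2003_round_trips(label: str) -> bool:
    """True if ToASCII(ToUnicode(label)) == label under IDNA2003.

    The 'idna' codec applies nameprep (case folding, ß -> ss, NFKC) before
    Punycode, which is exactly the RFC 3490 step that rejects IDNA2008-only
    labels: their nameprep form encodes to something other than the input.
    """
    try:
        u_label = a_label_to_unicode(label)
        back = u_label.encode("idna").decode("ascii")
    except (UnicodeError, ValueError):
        return False
    return back == label.lower()


def classify_labels(domain: str) -> dict:
    """Map each label of a dotted dNSName to one of:
    'ascii'            - no ACE prefix, nothing to check
    'idna2003'         - A-label that round-trips under RFC 3490
    'not-idna2003'     - valid Punycode, but only IDNA2008 could permit it
    'invalid-punycode' - does not even decode as RFC 3492
    """
    result = {}
    for label in domain.split("."):
        if not label.lower().startswith(ACE_PREFIX):
            result[label] = "ascii"
        elif idna2003_round_trips(label):
            result[label] = "idna2003"
        else:
            try:
                a_label_to_unicode(label)
                result[label] = "not-idna2003"
            except UnicodeError:
                result[label] = "invalid-punycode"
    return result


if __name__ == "__main__":
    # Constructed sample dNSNames, not taken from any real certificate.
    for name in ("xn--mnchen-3ya.de", "xn--strae-oqa.de"):
        print(name, "->", a_label_to_unicode(name.split(".")[0]), classify_labels(name))
```

Run on the two constructed names, the münchen label is reported as `idna2003` while the straße label is reported as `not-idna2003`, which is the category of label the post says some CAs have issued. A linter that wants to enforce the post's reading of the BRs would reject any `not-idna2003` label; one that wants to allow IDNA2008 would need a separate RFC 5891 validity check, which this example deliberately does not attempt.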


