IDNA200x and PKIX chain validation

John C Klensin klensin at
Thu Mar 27 17:49:22 CET 2008

--On Thursday, 27 March, 2008 09:40 -0700 Paul Hoffman
<phoffman at> wrote:

> At 4:26 PM +0100 3/27/08, Simon Josefsson wrote:
>> Doesn't this approach lead to, for example, that the outcome
>> of X.509 certificate chain validation will depend on the
>> locale in which the application is running in?
> Not at all. The domain names used in chain validation are
> expressed as punycode/A-labels.

And, as I understand it, are generally also in length-string
label format, rather than dot-separated domain names.   So they
are isolated from almost anything that goes on in the
"characters the user is expected to see and interact with" side
of things.


More information about the Idna-update mailing list