IDNA200x and PKIX chain validation

Paul Hoffman phoffman at
Thu Mar 27 18:03:34 CET 2008

At 12:49 PM -0400 3/27/08, John C Klensin wrote:
>--On Thursday, 27 March, 2008 09:40 -0700 Paul Hoffman
><phoffman at> wrote:
>>  At 4:26 PM +0100 3/27/08, Simon Josefsson wrote:
>>>  Doesn't this approach lead to, for example, that the outcome
>>>  of X.509 certificate chain validation will depend on the
>>>  locale in which the application is running?
>>  Not at all. The domain names used in chain validation are
>>  expressed as punycode/A-labels.
>And, as I understand it, are generally also in length-string
>label format, rather than dot-separated domain names.

Nope, you are wrong about that: they are full FQDNs. Fortunately,
that's irrelevant for Simon's concern.

