IDNA200x and PKIX chain validation
John C Klensin
klensin at jck.com
Thu Mar 27 18:12:21 CET 2008
--On Thursday, 27 March, 2008 10:03 -0700 Paul Hoffman
<phoffman at imc.org> wrote:
> At 12:49 PM -0400 3/27/08, John C Klensin wrote:
>> --On Thursday, 27 March, 2008 09:40 -0700 Paul Hoffman
>> <phoffman at imc.org> wrote:
>>
>>> At 4:26 PM +0100 3/27/08, Simon Josefsson wrote:
>>>> Doesn't this approach lead to, for example, that the
>>>> outcome of X.509 certificate chain validation will depend
>>>> on the locale in which the application is running in?
>>>
>>> Not at all. The domain names used in chain validation are
>>> expressed as punycode/A-labels.
>>
>> And, as I understand it, are generally also in length-string
>> label format, rather than dot-separated domain names.
>
> Nope, you are wrong about that: the are full FQDNs.
> Fortunately, that's irrelevant for Simon's concern.
Indeed. And thanks for the clarification -- I must have
misunderstand Sam.
john
More information about the Idna-update
mailing list