IDNA200x and PKIX chain validation

Simon Josefsson simon at
Thu Mar 27 20:18:21 CET 2008

John C Klensin <klensin at> writes:

> --On Thursday, 27 March, 2008 09:40 -0700 Paul Hoffman
> <phoffman at> wrote:
>> At 4:26 PM +0100 3/27/08, Simon Josefsson wrote:
>>> Doesn't this approach lead to, for example, that the outcome
>>> of X.509 certificate chain validation will depend on the
>>> locale in which the application is running in?
>> Not at all. The domain names used in chain validation are
>> expressed as punycode/A-labels.
> And, as I understand it, are generally also in length-string
> label format, rather than dot-separated domain names.   So they
> are isolated from almost anything that goes on in the
> "characters the user is expected to see and interact with" side
> of things.

I don't follow this.  Yes, domain names in certificates are stored as
A-labels/LDH-labels today.  But the matching that takes places is
against what the user types (the hostname in a https URL, for example).

If the user types an IDN, that is converted into a A-label using
IDNA200x and used during comparisons with what's in the certificate
(possibly a IDNA2003 value).  If the A-label can be different depending
on the locale in which the browser runs in, the validation will yield
different results.


More information about the Idna-update mailing list