IDNA200x and PKIX chain validation
simon at josefsson.org
Thu Mar 27 20:18:21 CET 2008
John C Klensin <klensin at jck.com> writes:
> --On Thursday, 27 March, 2008 09:40 -0700 Paul Hoffman
> <phoffman at imc.org> wrote:
>> At 4:26 PM +0100 3/27/08, Simon Josefsson wrote:
>>> Doesn't this approach lead to, for example, that the outcome
>>> of X.509 certificate chain validation will depend on the
>>> locale in which the application is running?
>> Not at all. The domain names used in chain validation are
>> expressed as punycode/A-labels.
> And, as I understand it, are generally also in length-string
> label format, rather than dot-separated domain names. So they
> are isolated from almost anything that goes on in the
> "characters the user is expected to see and interact with" side
> of things.
I don't follow this. Yes, domain names in certificates are stored as
A-labels/LDH-labels today. But the matching that takes place is
against what the user types (the hostname in an https URL, for example).
If the user types an IDN, that is converted into an A-label using
IDNA200x and used during comparisons with what's in the certificate
(possibly an IDNA2003 value). If the A-label can be different depending
on the locale in which the browser runs, the validation will yield
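Added example (not from this thread): the same typed hostname yields two different A-labels under Python's stdlib IDNA2003 codec and an IDNA2008-style encoding, so whether it matches a certificate's dNSName depends on which mapping the validator applies. The hostname and dNSName values are constructed, and the IDNA2008-style helper assumes the input contains only PVALID code points (it performs none of IDNA2008's validity checks).

```python
"""Constructed example: one typed IDN hostname, two possible A-labels,
and therefore two different certificate-matching outcomes."""
import unicodedata


def to_alabel_idna2003(hostname: str) -> str:
    # Python's stdlib "idna" codec implements RFC 3490/3491 (IDNA2003):
    # nameprep maps U+00DF (sharp s) to "ss" before punycode encoding.
    return hostname.encode("idna").decode("ascii")


def to_alabel_idna2008_style(hostname: str) -> str:
    # IDNA2008 has no mapping step: each non-ASCII label is NFC-normalized
    # and punycode-encoded as typed. Assumption: every code point is PVALID,
    # so no contextual-rule or DISALLOWED checks are performed here.
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            u_label = unicodedata.normalize("NFC", label)
            labels.append("xn--" + u_label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def cert_name_matches(typed_hostname: str, cert_dns_name: str, to_alabel) -> bool:
    # The validator derives an A-label from user input and compares it with
    # the certificate's dNSName, which is already an A-label/LDH-label.
    # DNS names are case-insensitive, so compare in lower case.
    return to_alabel(typed_hostname).lower() == cert_dns_name.lower()


if __name__ == "__main__":
    typed = "faß.de"                 # constructed sample hostname
    san_2003 = "fass.de"             # constructed dNSName issued under IDNA2003
    san_2008 = "xn--fa-hia.de"       # constructed dNSName for the same U-label under IDNA2008
    for name, fn in (("IDNA2003", to_alabel_idna2003),
                     ("IDNA2008-style", to_alabel_idna2008_style)):
        print(f"{name}: {typed!r} -> {fn(typed)!r}; "
              f"matches {san_2003!r}: {cert_name_matches(typed, san_2003, fn)}; "
              f"matches {san_2008!r}: {cert_name_matches(typed, san_2008, fn)}")
```

Each certificate matches under exactly one mapping, which is the divergence the message describes; a validator and the CA that issued the name must agree on the mapping for the comparison to be meaningful.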