[UA-discuss] OpenSSL, was Where should IDN translation happen?

Dmitry Belyavsky beldmit at gmail.com
Wed Nov 14 08:04:16 UTC 2018


Dear John,

> >In the above case, had OpenSSL supported IDNs directly, it would have
> >prevented this bug in the first place. That being said, since TLS
> >essentially only uses A-labels as far as I can tell, I can’t necessarily
> >say it’s wrong that OpenSSL doesn’t support IDNs.
>
> RFCs 8398 and 8399 allow EAI mail addresses as Alternative Names and
> suggest pretty strongly that even though the domains in certs are
> A-labels, libraries should handle U-labels and convert where needed.
> Since they have to handle U-labels in the EAI addresses, the domains
> aren't a lot of extra work.
>
> I presume that at some point OpenSSL will catch up with those RFCs but
> I don't know what the schedule is.
>

As I wrote before, I've started to implement RFC 8399 and the show-stopper
for now is obtaining a set of test cases.

The OpenSSL team does not want to link OpenSSL with, say, libidn (and to
implement IDN conversion inside the library for domains).
I've found out that 2-3 functions inherited from RFC 3492 will fit all the
purposes necessary to implement RFC 8399.

-- 
SY, Dmitry Belyavsky
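
An added example, not part of the message above and not OpenSSL code: a self-contained RFC 3492 Punycode decoder in C, showing how an A-label body from a certificate name can be turned back into code points for comparison against a U-label without linking libidn. The function names and the buffer convention are this example's own; the constants are the RFC 3492 parameters.

```c
#include <stdint.h>
#include <string.h>

enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700 };
/* Bias adaptation, RFC 3492 section 6.1 */
static uint32_t adapt(uint32_t delta, uint32_t npoints, int first) {
    uint32_t k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / npoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE) delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}
/* Base-36 digit value: a-z (either case) = 0..25, 0-9 = 26..35, else -1 */
static int digit_value(int c) {
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    return (c >= '0' && c <= '9') ? c - '0' + 26 : -1;
}

/* Decode an A-label body (after "xn--") to code points; -1 on bad input */
int punycode_decode(const char *in, uint32_t *out, size_t max_out) {
    size_t len = strlen(in), n_out = 0, pos = 0;
    const char *delim = len ? strrchr(in + 1, '-') : NULL; /* leading '-' is no delimiter */
    uint32_t n = 128, i = 0, bias = 72;   /* initial_n and initial_bias */
    for (; delim != NULL && in + pos < delim; pos++) {  /* literal ASCII prefix */
        if ((unsigned char)in[pos] >= 0x80 || n_out >= max_out) return -1;
        out[n_out++] = (unsigned char)in[pos];
    }
    if (delim != NULL) pos++;             /* step over the delimiter */
    while (pos < len) {                   /* one variable-length integer per insertion */
        uint32_t oldi = i, w = 1, k, t;
        for (k = BASE; ; k += BASE) {
            int d = pos < len ? digit_value((unsigned char)in[pos++]) : -1;
            if (d < 0 || (uint32_t)d > (UINT32_MAX - i) / w) return -1;
            i += (uint32_t)d * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if ((uint32_t)d < t) break;
            if (w > UINT32_MAX / (BASE - t)) return -1;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)n_out + 1, oldi == 0);
        if (n_out >= max_out || i / (n_out + 1) > 0x10FFFF - n) return -1;
        n += i / (uint32_t)(n_out + 1);   /* code point to insert (<= U+10FFFF) */
        i %= (uint32_t)(n_out + 1);       /* position to insert it at */
        memmove(out + i + 1, out + i, (n_out - i) * sizeof *out);
        out[i++] = n;
        n_out++;
    }
    return (int)n_out;
}
```

Truncated input, non-digit characters, integer overflow and a too-small output buffer all return -1 rather than a partial result, which matters when the decoded name feeds a certificate name comparison.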