[UA-discuss] OpenSSL, was Where should IDN translation happen?

Dmitry Belyavsky beldmit at gmail.com
Wed Nov 14 15:28:34 UTC 2018


Dear John,
On Wed, Nov 14, 2018 at 3:59 PM John Levine <john.levine at standcore.com>
wrote:

> On Wed, 14 Nov 2018, Dmitry Belyavsky wrote:
> > OpenSSL team does not want to link OpenSSL with, say, libidn (and to
> > implement IDN conversion inside the library for domains).
> > I've found out that 2-3 functions inherited from RFC 3492 will fit all the
> > purposes necessary to implement RFC 8399.
>
> Wait -- surely you know that you can't just punycode any old UTF-8 and
> expect it to work.  I can understand why openssl wouldn't want all of
> libidn2 but at least you need to check that the strings are all valid
> IDNA2008 code points.
>
> If you don't, you're going to have hard to find bugs with names that look
> the same but aren't normalized so comparisons will fail.
>

If I read the RFC 8398 correctly, to verify the chain we do not need to
punycode anything.
We need to unpunycode to compare email with nameConstraints.

-- 
SY, Dmitry Belyavsky