[UA-discuss] OpenSSL, was Where should IDN translation happen?

Dmitry Belyavsky beldmit at gmail.com
Thu Nov 15 08:29:42 UTC 2018


Dear John,

On Wed, Nov 14, 2018 at 7:59 PM Dmitry Belyavsky <beldmit at gmail.com> wrote:

>
>
> On Wed, Nov 14, 2018 at 7:07 PM John Levine <john.levine at standcore.com> wrote:
>
>> On Wed, 14 Nov 2018, Dmitry Belyavsky wrote:
>> > If I read the RFC 8398 correctly, to verify the chain we do not need to
>> > punycode anything.
>> > We need to unpunycode to compare email with nameConstraints.
>>
>> I suppose, if you are 100% sure that the UTF-8 email you're comparing it
>> with has the domain part fully normalized according to IDNA2008 specs.
>>
>
> Got your point.
>
> If nameConstraints and email itself are encoded with the same errors, it will work;
> otherwise we get nasty errors.
>
>
I've got a response from Victor Dukhovni. His position is:

1. It's better to ask OpenSSL about their plans :) via
openssl-project at openssl.org
2. (Limiting scope to EAI certificates) OpenSSL must trust the CA software
that has provided punycode representation of the domain name. So we can decode
A-labels and compare them. So the certificate itself can be verified, and
questions whether the EAI address matches the address in From: header are out
of scope of the certificate validation process.

-- 
SY, Dmitry Belyavsky
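The comparison the thread is circling around, as an added example (not code from this thread, from OpenSSL, or from RFC 8398): match an SmtpUTF8Mailbox-style address, whose domain carries U-labels, against an rfc822Name nameConstraint, whose domain carries the CA's A-labels. It takes Victor's position literally (decode the CA's A-labels and compare) and shows John's caveat: without normalizing the UTF-8 side, an NFD-encoded "ü" and the decoded A-label do not compare equal even though they are the same name. Assumptions: the constraint forms are the three from RFC 5280 section 4.2.1.10 (exact mailbox, host, leading-dot subdomain); A-labels are decoded with the stdlib RFC 3492 `punycode` codec; the only normalization applied is NFC plus lowercase, standing in for full IDNA2008/UTS46 processing, which the stdlib does not provide; the local part is compared byte-for-byte. All sample addresses and constraints are constructed for the example.

```python
"""Match an EAI mailbox (U-label domain) against an rfc822Name nameConstraint
(A-label domain). Added example; assumptions are listed in the lead-in above.
"""
import unicodedata


def decode_a_label(label: str) -> str:
    """Decode one DNS label: 'xn--' A-labels become U-labels, others pass through.
    Uses the stdlib RFC 3492 'punycode' codec only; IDNA2008 validity rules
    (bidi, contextual rules, disallowed code points) are NOT applied here.
    Raises ValueError (UnicodeError) on malformed punycode."""
    if label[:4].lower() == "xn--":
        return label[4:].encode("ascii").decode("punycode")
    return label


def a_label_round_trips(label: str) -> bool:
    """The verifier has to trust the CA's A-label (Victor's point); the one cheap
    sanity check available is that decode -> re-encode reproduces the label."""
    if label[:4].lower() != "xn--":
        return True  # nothing to round-trip
    try:
        u_label = decode_a_label(label)
    except ValueError:
        return False
    re_encoded = "xn--" + u_label.encode("punycode").decode("ascii")
    return re_encoded.lower() == label.lower()


def canonical_domain(domain: str) -> str:
    """Comparison form of a domain: every label as a U-label, NFC-normalized,
    lowercased. NFC + lowercase is a stand-in for IDNA2008 mapping (assumption)."""
    labels = [decode_a_label(l) for l in domain.rstrip(".").split(".")]
    return unicodedata.normalize("NFC", ".".join(labels)).lower()


def split_mailbox(mailbox: str):
    """Split 'local@domain' at the last '@'; reject anything without both parts."""
    local, at, domain = mailbox.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local, domain


def rfc822_constraint_matches(constraint: str, mailbox: str) -> bool:
    """RFC 5280 4.2.1.10 rfc822Name constraint forms:
        'user@host.example'  exactly that mailbox
        'host.example'       any mailbox on that host
        '.host.example'      any mailbox in a subdomain (not the host itself)
    Domains are compared in canonical U-label form; the local part is compared
    byte-for-byte (assumption: no local-part normalization is attempted)."""
    local, domain = split_mailbox(mailbox)
    dom = canonical_domain(domain)
    if "@" in constraint:
        c_local, c_domain = split_mailbox(constraint)
        return c_local == local and canonical_domain(c_domain) == dom
    if constraint.startswith("."):
        return dom.endswith("." + canonical_domain(constraint[1:]))
    return dom == canonical_domain(constraint)


def naive_matches(constraint_domain: str, mailbox_domain: str) -> bool:
    """'Just unpunycode and compare' with no normalization: this is where the
    'encoded with the same errors on both sides' caveat bites."""
    decoded = ".".join(decode_a_label(l) for l in constraint_domain.split("."))
    return decoded == mailbox_domain


if __name__ == "__main__":
    # Constructed sample: CA-issued constraint in A-labels, mailbox in U-labels.
    constraint = "xn--bcher-kva.example"          # bücher.example
    nfc_mailbox = "anna@b\u00fccher.example"      # ü as U+00FC (NFC)
    nfd_mailbox = "anna@bu\u0308cher.example"     # u + combining diaeresis (NFD)
    print("NFC mailbox, canonical compare:", rfc822_constraint_matches(constraint, nfc_mailbox))
    print("NFD mailbox, canonical compare:", rfc822_constraint_matches(constraint, nfd_mailbox))
    print("NFD mailbox, naive compare:    ", naive_matches(constraint, nfd_mailbox.split("@")[1]))
    print("A-label round-trips:           ", a_label_round_trips("xn--bcher-kva"))
```

The canonical path accepts both spellings of the same domain, the naive path accepts only the one that happens to share the CA's encoding, and a constraint whose A-label does not survive decode/re-encode is rejected rather than guessed at; in a real verifier the NFC-plus-lowercase step would be replaced by a proper IDNA2008 library, and the A-label check is a sanity test, not a substitute for trusting the CA's processing.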