I think you’re right, and that it was a mistake (caused by my ignorance of 
details of DNS/IDNA stuff) to not remove it.

From: Corey Bonnell <Corey.Bonnell=40digicert....@dmarc.ietf.org>
Date: Tuesday, July 26, 2022 at 5:57 PM
To: "uta@ietf.org" <uta@ietf.org>
Subject: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

Hello,
Apologies for not flagging this sooner, but I did want to raise this while a 
revised I-D is needed for addressing IP-IDs so perhaps this could be addressed 
as well.

Section 7.2 [1] contains the following guidance:
“Allowing internationalized domain names can lead to visually similar 
characters, also referred to as "confusables", being included within 
certificates. For discussion, see for example 
[IDNA-DEFS] <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#IDNA-DEFS>, 
Section 4.4 <https://rfc-editor.org/rfc/rfc5890#section-4.4> and 
[UTS-39] <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#UTS-39>.”

This document obsoletes the use of CN-IDs which may contain U-Labels as a 
source of presented identifiers. All types of identifiers specified in the 
document (DNS-ID, SRV-ID, and URI-ID) will have IDNs encoded as A-labels in 
certificates due to the limited character repertoire of IA5String, so it is not 
possible to encode the U-label representation of IDNs in the SAN for these 
types.

Given this, I’m unsure of the value of having this consideration included, 
especially since the document describes an automated process of matching 
identifiers where the presence of “confusables” in the U-label representation 
of such identifiers has no bearing. Unless I’m missing something, I think this 
consideration should be removed.

Thanks,
Corey

[1] 
https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#section-7.2
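The point Corey makes above (SAN DNS-IDs are IA5String, so an IDN can only appear as an A-label, and the client's automated comparison of A-labels is blind to confusables) is illustrated by the following added example. It is not code from the thread or from the draft; it uses Python's standard-library "idna" codec (which implements IDNA2003, not the IDNA2008 rules the draft references), and the domain names in it are constructed for illustration.

```python
"""Added example: DNS-ID matching on A-labels, as a client does it.

A DNS-ID in subjectAltName is an IA5String, so an internationalized
name can only be carried as an A-label ("xn--...").  The client converts
the reference identifier it wants to reach (possibly typed as a U-label)
to its A-label form and compares ASCII labels.  Two visually confusable
U-labels produce different A-labels and simply fail to match; the
matching step never looks at the U-label glyphs at all.

Assumptions: the stdlib 'idna' codec (IDNA2003) stands in for the
IDNA2008/UTS-46 processing a production client would use, and the
domain names used are constructed for this example.
"""


def to_a_label(name: str) -> str:
    """Convert a (possibly internationalized) domain name to its
    all-ASCII A-label form, lowercased, trailing dot removed.
    Raises UnicodeError if a label is empty or not a valid IDN."""
    name = name.rstrip(".")
    # encode("idna") applies nameprep and punycode label by label;
    # pure-ASCII labels pass through unchanged (hence the .lower()).
    return name.encode("idna").decode("ascii").lower()


def is_valid_presented_dns_id(presented: str) -> bool:
    """A DNS-ID taken from a SAN must be IA5String (ASCII only), have no
    empty labels, and may carry a wildcard only as a sole '*' in the
    leftmost label.  Requiring at least two more labels (refusing
    '*.example') is this example's conservative choice."""
    if not presented or not presented.isascii():
        return False
    labels = presented.lower().rstrip(".").split(".")
    if any(not lbl for lbl in labels):
        return False
    for i, lbl in enumerate(labels):
        if "*" in lbl and not (i == 0 and lbl == "*" and len(labels) >= 3):
            return False  # wildcard embedded in a label, or not leftmost
    return True


def dns_id_matches(reference: str, presented: str) -> bool:
    """RFC 6125bis-style DNS-ID comparison.

    reference: the name the client intends to reach (U- or A-labels).
    presented: one DNS-ID from the certificate (must be ASCII A-labels).
    """
    if not is_valid_presented_dns_id(presented):
        return False
    try:
        ref_labels = to_a_label(reference).split(".")
    except UnicodeError:
        return False  # the reference identifier is not a valid IDN
    pres_labels = presented.lower().rstrip(".").split(".")
    # A wildcard covers exactly one label, so label counts must agree.
    if len(ref_labels) != len(pres_labels):
        return False
    for r, p in zip(ref_labels, pres_labels):
        if p == "*":
            continue  # validated above: only ever the leftmost label
        if r != p:
            return False
    return True


if __name__ == "__main__":
    # Constructed homograph pair: Latin "paypal" vs "p" + Cyrillic U+0430.
    for ref in ("b\u00fccher.example", "paypal.example", "p\u0430ypal.example"):
        print(f"{ref!r:28} -> A-label {to_a_label(ref)}")
    print(dns_id_matches("p\u0430ypal.example", "paypal.example"))  # False
    print(dns_id_matches("b\u00fccher.example", "xn--bcher-kva.example"))  # True
```

The example also shows the corollary Corey's note relies on: a presented identifier containing a raw U-label is rejected outright, because an IA5String cannot hold one.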
