> > thanks,
> Rob
>
> There are two other pieces of feedback that seem reasonable to me, but they
> didn't come with spec text, and I'm not sure how to incorporate them:
>
> Regarding Section 7.3, Watson Ladd writes:
> "I think we actually need to say more here: the A-label used in the
> X509 comparison needs to be the A-label derived and used to do the DNS
> lookup. Otherwise we have the issue of bugs that change the IDN
> behavior between application and X509/TLS library breaking the
> relation between what the user put in and the cert presented.
>
> Also I don't think comparison is enough: don't name constraints need
> to be included in the calculation?"
How about this: "The conversion from a U-label to an A-label MUST be done once and used both to carry out the DNS lookup and the evaluation of the end entity cert. Name constraints MUST be evaluated against the A-label converted name. This ensures that the same DNS entity as is actually connected to is validated against the certificate even in the presence of bugs in the conversion process".

I think the U-label and A-label text would have to be tweaked to the right form for a name containing those and one you can directly look up.

Sincerely,
Watson

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
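As an added illustration of the "convert once, use for both" rule in the proposed wording above (example code, not text from the thread or from the draft): the user-supplied name is converted to an A-label a single time, and that one string feeds the DNS lookup, the dNSName SAN comparison and the RFC 5280 dNSName name-constraint check. It assumes Python's stdlib `idna` codec (IDNA 2003 semantics), a constructed fake resolver and a constructed certificate summary instead of real X.509 parsing.

```python
from dataclasses import dataclass, field
from typing import Callable


def to_a_label(host: str) -> str:
    """Convert a (possibly U-label) host name to lowercase A-label form exactly once.
    Assumption: stdlib 'idna' codec (IDNA 2003). An IDNA 2008 library maps some names
    differently (e.g. 'faß.de'), which is why the result is computed once and reused."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()


def san_matches(a_host: str, san: str) -> bool:
    """Match one dNSName SAN: exact match, or a wildcard only in the leftmost label."""
    san = san.lower().rstrip(".")
    if san == a_host:
        return True
    if not san.startswith("*."):
        return False
    h, s = a_host.split("."), san.split(".")
    return len(h) == len(s) >= 3 and h[1:] == s[1:]


def within_subtree(a_host: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint: host equals it or is built by prepending labels to it."""
    c = constraint.lower().strip(".")
    return a_host == c or a_host.endswith("." + c)


def name_constraints_ok(a_host: str, permitted: list, excluded: list) -> bool:
    if any(within_subtree(a_host, e) for e in excluded):
        return False
    return not permitted or any(within_subtree(a_host, p) for p in permitted)


@dataclass
class CertInfo:  # constructed stand-in for the parsed chain, not a real X.509 object
    dns_sans: list
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def connect_and_verify(user_host: str, cert: CertInfo, resolve: Callable[[str], str]) -> dict:
    a_host = to_a_label(user_host)                       # the single conversion
    result = {"a_label": a_host, "address": resolve(a_host)}  # DNS lookup keyed on it
    if not any(san_matches(a_host, s) for s in cert.dns_sans):
        return {**result, "ok": False, "reason": "no matching dNSName"}
    if not name_constraints_ok(a_host, cert.permitted, cert.excluded):
        return {**result, "ok": False, "reason": "name constraints"}
    return {**result, "ok": True, "reason": "ok"}


# Constructed sample data: fake resolver and a cert issued for the A-label of münchen.example.
FAKE_DNS = {"xn--mnchen-3ya.example": "192.0.2.10", "www.xn--mnchen-3ya.example": "192.0.2.11"}
SAMPLE_CERT = CertInfo(dns_sans=["xn--mnchen-3ya.example", "*.xn--mnchen-3ya.example"],
                       permitted=["example"], excluded=["xn--bcher-kva.example"])
```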