[pkix] IDNA2008 and PKIX certificates

Nikos Mavrogiannopoulos <nmav@redhat.com> Tue, 22 November 2016 10:02 UTC

Message-ID: <1479808931.31825.10.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: pkix@ietf.org
Date: Tue, 22 Nov 2016 11:02:11 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/tqExjIhAUNtDqZlpe8UGJpjAgq4>
Subject: [pkix] IDNA2008 and PKIX certificates

Hi,
RFC5280 and its update (6818) reference IDNA2003 (rfc3490) for
storing internationalized DNS names. However, IDNA2003 is already an
obsolete standard (it seems it was already deprecated when RFC6818 was
published [0]) and has in practice been phased out. What is the current
best practice on internationalized names with certificates?

Is it to transparently switch to IDNA2008 (rfc5890), and let software
figure out the reverse mappings to UTF-8 somehow?

Or is it to store UTF-8 DNS names in the certificate, and let the
software comparing DNS names do any mapping it deems necessary prior to
comparison?

regards,
Nikos

[0]. https://www.ietf.org/mail-archive/web/pkix/current/msg28386.html
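As an added illustration of the divergence the message asks about (example code, not part of the original message or of any IETF document): the German sharp s is the canonical case where IDNA2003 and IDNA2008 produce different labels for the same U-label, so a certificate verifier that applies one mapping to the certificate name and the other to the host name will either match a name it should not or reject a name it should accept. Python's built-in `idna` codec implements RFC 3490 (IDNA2003); the IDNA2008 side below is a simplified conversion for an already-valid lowercase U-label and is assumed, not a full RFC 5891 validator.

```python
import unicodedata

# Constructed sample host: U+00DF is case-folded to "ss" by IDNA2003 nameprep,
# but is PVALID under IDNA2008 and therefore yields a distinct punycoded label.
SAMPLE_HOST = "faß.de"


def to_alabel_idna2003(name: str) -> str:
    """RFC 3490 ToASCII via Python's stdlib 'idna' codec (the rules RFC 5280 cites)."""
    return name.encode("idna").decode("ascii")


def to_alabel_idna2008(name: str) -> str:
    """Simplified IDNA2008-style conversion (assumption: input is a valid lowercase U-label).

    IDNA2008 has no mapping step: each label is NFC-normalised and punycoded as is.
    This omits the PVALID table, contextual rules and BIDI checks of RFC 5891/5892.
    """
    out = []
    for label in unicodedata.normalize("NFC", name).split("."):
        if label.isascii():
            out.append(label)  # ASCII labels (including existing xn-- A-labels) pass through
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def cert_name_matches(cert_dnsname: str, host: str, mapping) -> bool:
    """RFC 6125-style match: reduce both sides to A-labels with ONE mapping, compare case-insensitively."""
    return mapping(cert_dnsname).lower() == mapping(host).lower()


def divergence_report(host: str = SAMPLE_HOST) -> dict:
    """Show how the same U-label maps under each standard and how matching flips."""
    a2003 = to_alabel_idna2003(host)
    a2008 = to_alabel_idna2008(host)
    return {
        "idna2003": a2003,                                              # 'fass.de'
        "idna2008": a2008,                                              # 'xn--fa-hia.de'
        # A cert carrying the IDNA2003 form matches only under IDNA2003 rules...
        "cert_fass_matches_2003": cert_name_matches(a2003, host, to_alabel_idna2003),
        "cert_fass_matches_2008": cert_name_matches(a2003, host, to_alabel_idna2008),
        # ...and a cert carrying the IDNA2008 A-label matches only under IDNA2008 rules.
        "cert_xn_matches_2003": cert_name_matches(a2008, host, to_alabel_idna2003),
        "cert_xn_matches_2008": cert_name_matches(a2008, host, to_alabel_idna2008),
    }


if __name__ == "__main__":
    for key, value in divergence_report().items():
        print(f"{key}: {value}")
```

The mismatched pairs are the interoperability gap: under IDNA2003 "faß.de" and "fass.de" are the same name, under IDNA2008 they are different registrable domains, so the mapping the verifier applies decides which certificate is accepted.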