gnutls_server_name_set and IDN
simon at josefsson.org
Wed Sep 23 17:59:05 CEST 2009
Daniel Black <daniel at cacert.org> writes:
>> What the new text means is that GnuTLS applications are responsible for
>> converting any internationalized domain name into ACE before passing the
>> string on to GnuTLS.
> Ok. Some really clear text in the documentation about this would be
Improved now, thanks, see:
> As the UTF-8/ ASCII error may be common is it beneficial to validate
> this input to check for >7F characters?
Hm, yes, maybe -- although it would prevent usage against some server
that for some reason used a non-ASCII string there. RFC 4366 can be
read to say that non-ASCII strings are OK, and not being able to interop
against such a server just because of an input sanitation code seems
overkill. But it is a tradeoff and I don't feel strongly about it.
>> Let me know what you think of this, there is still time to bring this up
>> in the IETF.
> Its clarification also simplifies it to the point that there is no mention
> of IDNA as an appropriate mechanism to convert encodings to ASCII. Was
> this intentional?
Yes I think/hope so -- not mentioning IDNA specifically avoids
inheriting the problems associated with it: support of non-ASCII
hostnames then becomes entirely the IDNA specifications' problem.
> I'm of the opinion, until abused otherwise, that appending "UTF-8 and
> other character sets can be converted to ASCII using the ToASCII
> function defined in RFC3490 section 4." (or similar) to the "HostName"
> definition paragraph.
IDNAbis is in WGLC now, so any such reference would be obsolete soon.
Given that IDNAbis is completely different (both in design and
implementation) compared to RFC 3490 I think a specific reference would
only confuse more than it would help. Then implementers will ask
whether the intention is that TLS SNI is only to be used with IDNA and
> also maybe 6.1. could say, in response to the last bit of 3.1, + "Server
> applications SHOULD validate server_name against any application layer
> equivalent field."
That makes sense to me. I'll forward that to the TLS list.
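As an added illustration that is not part of this thread or of GnuTLS itself: a small Python sketch of the application-side duty described above (convert an IDN to ACE before calling gnutls_server_name_set), the >0x7F octet check debated in the thread, and the proposed server-side comparison of server_name with the application-layer host. Function names are my own; the ACE conversion uses Python's built-in 'idna' codec (RFC 3490).

```python
# Added example, not GnuTLS or mailing-list code.  Function names are my own;
# the ACE conversion relies on Python's built-in 'idna' codec (RFC 3490).

def to_ace(hostname: str) -> str:
    """RFC 3490 ToASCII for a whole hostname.  Pure-ASCII names (including
    names already in xn-- form) pass through unchanged; other labels are
    nameprepped and punycode-encoded with the 'xn--' prefix."""
    return hostname.encode("idna").decode("ascii")


def has_non_ascii(name: bytes) -> bool:
    """The library-side check debated above: does any octet exceed 0x7F?
    Rejecting such input would block a server that uses a raw non-ASCII
    name, which is the interop cost the thread weighs."""
    return any(b > 0x7F for b in name)


def sni_hostname(hostname: str) -> bytes:
    """What the application should hand to gnutls_server_name_set(): the
    name converted to ACE by the caller, since GnuTLS does not convert."""
    ace = to_ace(hostname).encode("ascii")
    if has_non_ascii(ace):  # cannot happen after ToASCII; kept as a guard
        raise ValueError("ToASCII produced non-ASCII output")
    return ace


def server_name_matches(sni: bytes, app_layer_host: str) -> bool:
    """Server side, the proposed 6.1 rule: compare the received server_name
    with the application-layer equivalent (e.g. an HTTP Host header), both
    normalized to lower-case ACE without a trailing dot.  A raw non-ASCII
    server_name is treated as a mismatch."""
    try:
        received = sni.decode("ascii").lower().rstrip(".")
    except UnicodeDecodeError:
        return False
    expected = to_ace(app_layer_host).lower().rstrip(".")
    return received == expected


if __name__ == "__main__":
    # Constructed sample: an IDN that an application might be given verbatim.
    host = "bücher.example"
    raw = host.encode("utf-8")
    print("raw UTF-8 would trip the >0x7F check:", has_non_ascii(raw))
    print("SNI octets:", sni_hostname(host))
    print("matches Host header:", server_name_matches(sni_hostname(host), host))
```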