Maintained by: NLnet Labs

unicode request blocking

Petr Menšík
Tue Apr 25 18:17:52 CEST 2017


Hi Joris,

I think it is all about domain registrars. You cannot prevent anyone
from generating a self-signed certificate. That is no problem, they are
not trusted by anyone. If you are talking about domain-verified certificates
provided (for example) by LetsEncrypt, that will be solved by good
registrar policy as well. These certificates are generated only for
already available domains. You will not be able to verify your domain
unless the registrar adds it into the TLD. If he refuses to add it for a
reason, you will not get a trusted certificate for it either.

If registrars do their job well, I think there is no more work required
for certificate providers. Do you agree?

Cheers,
Petr

On 22.4.2017 at 21:36, Joris L. via Unbound-users wrote:
> Thanks Paul,
> 
> Evidently, indeed. If one registers a name it must be protected in any
> code, ascii, ansi, utf ...
> 
> Remains the problem of a man-in-the-middle and self-generated
> certificates with legitimate server names, given the rise of free SSL
> certificates this may be a legitimate concern. It also suggests the
> creation and validation of certificates on the client side must be
> extended to registrars of domain names etc. to warrant safe usage. I've
> not really put much thought in it since I'm not in a position to make a
> difference anyway.
> 
> Br,
> 
> JL
> 
> Sent from ProtonMail mobile