On Thu, 15 Nov 2018, Michael Casadevall wrote:
> I was referring to how the From header in the email is used by MTAs and how it relates to S/MIME, and why the u-label needs to be in the certificate *or* verification has to allow for conversion on the fly.

Actually, it needs both. I agree with Viktor that when you're creating the certificate you can assume the CA is sending you good data. But when you're using it, you're going to be testing it against whatever junk the MUA or the user provides.

For example, assume the name in the cert is exámple, and the user checks it against exámple except that the user's UTF-8 has an unnormalized a' rather than a precomposed á. One possibility would be to normalize it and compare and say yes. Another would be to check the code points and reject it as not a valid U-label. But it would be wrong to decode the punycode, compare the UTF-8, and say nope, they're different.

Regards,
John Levine, john.levine@standcore.com
Standcore LLC
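
The two acceptable checks described in the message above, next to the comparison it calls wrong, as an added example that is not part of the original message. The function names and the sample labels are constructed for illustration, and the strict check tests only NFC form, not the full IDNA2008 U-label rules.

```python
import unicodedata

ACE_PREFIX = "xn--"

# Constructed sample data: the same visible label in two encodings.
PRECOMPOSED = "ex\u00e1mple"    # U+00E1 LATIN SMALL LETTER A WITH ACUTE
DECOMPOSED = "exa\u0301mple"    # 'a' followed by U+0301 COMBINING ACUTE ACCENT
# A-label as it would be stored in the certificate (built here, not taken from a real cert).
CERT_A_LABEL = ACE_PREFIX + PRECOMPOSED.encode("punycode").decode("ascii")


def a_label_to_u_label(a_label: str) -> str:
    """Decode one A-label from a certificate into its Unicode form."""
    label = a_label.lower()
    if not label.startswith(ACE_PREFIX):
        return label  # plain ASCII label, nothing to decode
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def naive_match(cert_a_label: str, user_label: str) -> bool:
    """Decode and compare code points as given: the wrong answer in the message."""
    return a_label_to_u_label(cert_a_label) == user_label


def normalizing_match(cert_a_label: str, user_label: str) -> bool:
    """First option: normalize the user's input to NFC, then compare."""
    normalized = unicodedata.normalize("NFC", user_label)
    return a_label_to_u_label(cert_a_label) == normalized


def strict_match(cert_a_label: str, user_label: str) -> bool:
    """Second option: refuse input that is not NFC instead of reporting a mismatch."""
    if unicodedata.normalize("NFC", user_label) != user_label:
        raise ValueError("input is not in NFC, so it is not a valid U-label")
    return a_label_to_u_label(cert_a_label) == user_label


if __name__ == "__main__":
    print("certificate label:", CERT_A_LABEL)
    print("naive, decomposed input:      ", naive_match(CERT_A_LABEL, DECOMPOSED))
    print("normalizing, decomposed input:", normalizing_match(CERT_A_LABEL, DECOMPOSED))
    try:
        strict_match(CERT_A_LABEL, DECOMPOSED)
    except ValueError as exc:
        print("strict, decomposed input:      rejected:", exc)
```

The strict variant signals malformed input with an exception so that a caller cannot confuse "invalid label" with "valid label that does not match the certificate".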