Nov. 14, 2018
4:07 p.m.
On Wed, 14 Nov 2018, Dmitry Belyavsky wrote:
If I read the RFC 8398 correctly, to verify the chain we do not need to punycode anything. We need to unpunycode to compare email with nameConstraints.
I suppose, if you are 100% sure that the UTF-8 email you're comparing it with has the domain part fully normalized according to IDNA2008 specs. Regards, John Levine, john.levine@standcore.com Standcore LLC