On Wed, Nov 14, 2018 at 7:07 PM John Levine <john.levine@standcore.com> wrote:
> On Wed, 14 Nov 2018, Dmitry Belyavsky wrote:
> > If I read the RFC 8398 correctly, to verify the chain we do not need to
> > punycode anything.
> > We need to unpunycode to compare email with nameConstraints.
>
> I suppose, if you are 100% sure that the UTF-8 email you're comparing it
> with has the domain part fully normalized according to IDNA2008 specs.

Got your point.

If nameConstraints and email itself are encoded with the same errors, it will work;
otherwise we get nasty errors.

--
SY, Dmitry Belyavsky
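
The normalization concern raised in this exchange, as an added example that is not part of the original messages or of any project's code: a constraint stored as an A-label is unpunycoded and compared with the UTF-8 email domain. The function names, the sample domain and the exact-host, octet-for-octet comparison are assumptions made for illustration; this is not a full IDNA2008 validator.

```python
import unicodedata

# Constructed sample data (not from the thread).
CONSTRAINT = "xn--bcher-kva.example"        # A-label form of "bücher.example"
NFC_EMAIL = "user@b\u00fccher.example"      # precomposed U+00FC
NFD_EMAIL = "user@bu\u0308cher.example"     # "u" + combining diaeresis U+0308


def a_to_u(label: str) -> str:
    """Decode one A-label (xn--...) to Unicode; lowercase plain ASCII labels."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def unpunycode(domain: str) -> str:
    """Convert every A-label in a domain to its Unicode form."""
    return ".".join(a_to_u(part) for part in domain.split("."))


def domain_of(email: str) -> str:
    """Return the part after the last '@'."""
    return email.rsplit("@", 1)[1]


def permitted(email: str, constraint: str) -> bool:
    """Exact-host check: compare UTF-8 octets of the email domain with the
    unpunycoded constraint. No normalization is applied on purpose."""
    return domain_of(email).encode("utf-8") == unpunycode(constraint).encode("utf-8")


def domain_is_nfc(email: str) -> bool:
    """True if the domain part is already in Unicode NFC."""
    d = domain_of(email)
    return unicodedata.normalize("NFC", d) == d


def nfc_email(email: str) -> str:
    """Return the email with its domain part normalized to NFC."""
    local, d = email.rsplit("@", 1)
    return local + "@" + unicodedata.normalize("NFC", d)


if __name__ == "__main__":
    for e in (NFC_EMAIL, NFD_EMAIL, nfc_email(NFD_EMAIL)):
        print(repr(e), "nfc:", domain_is_nfc(e), "permitted:", permitted(e, CONSTRAINT))
```

Both sample addresses render identically, but only the NFC one matches the unpunycoded constraint; rejecting or normalizing non-NFC domains before the comparison avoids the silent mismatch.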