August 10, 2017: Unicode Normalization Compliance Incident

On August 10, 2017, Let’s Encrypt became aware of a compliance issue that permitted certificates violating RFC 5280 to be created.

In order to comply with CA/Browser Forum Baseline Requirements, all certificates that should have been denied have been revoked. There were 16 non-compliant certificates in total.

A fix was applied to Let’s Encrypt systems on the same day the issue was discovered.

What was in violation of RFC 5280?

We previously didn’t enforce any unicode normalization form. However, RFC 5280 requires normalization form KC for IDNs via reference to RFC 3490, thus the violation.

What do affected subscribers need to do when getting a new certificate?

Use a punycode converter that uses normalization form KC, then request a new certificate.