Yep, I realize these two policies conflict a bit. We’re still doing the research to confirm what our obligations are with regards to IDNs and what the possible pitfalls are.
Well, I think domain checks are okay, similar to the high-risk domains you already do, but not site checks.
Impersonating domains is not an IDN-exclusive issue. Trying to police it via CAs is pretty much pointless and will be largely ineffective.
I still don’t see what exactly the problem is regarding IDNs. All domain registries that are implementing IDNs are already blocking domains that mix scripts from different languages, so if somebody wanted to register, say, gоοgⅼe.com (gоοgle.com), such an attempt would be blocked at the registry level. And since there is no way to obtain an LE certificate for a non-existent domain name, I think there doesn’t have to be any special treatment of punycode domain names.
Well, do really ALL IDN registries have such policies?
Also, obviously there would be a problem for new IDN-accepting registries that don’t do that.
AFAIK yes, they do. See ICANN Guidelines for the Implementation of Internationalized Domain Names:
…visually confusable characters from different scripts will not be allowed to co-exist in a single set of permissible code points unless a corresponding policy and character table is clearly defined.
Allowing mixing IDN scripts would be dangerous for any registry, regardless of whether LE offers certificate for IDNs or not.
On the other hand, everybody should be free to register (and get an LE certificate for) any sub-domain name under a domain of their own control. I don’t see any reason why LE or any other CA should forbid me from getting a certificate for gоοgle.example.com, when I own example.com.
Just wanted to add my voice to the choir of voices asking for IDN support. The ETA has been changed a few times now, so I wonder if this ETA (November 30) is going to hold?
We are releasing a service relying on LE next week and now we have to tell our users they can’t register IDN domains and use them with our service – I work at the Swedish registry responsible for .se and .nu so it feels kinda crappy not being able to offer the full domain name “experience”. That said, it’s so good LE exists and you guys are doing a great job!
My IDN domain is a website for a local language.
I wish for SSL support for IDN domains like mine.
What about only supporting IDNs on subdomains first? And maybe also TLDs.
They can already do paypal.totalylegit.com. There is no point in avoiding homoglyphs in this case.
Full IDN support should land before November 30, 2016. See this thread for a recent discussion:
Hope to see IDN in LE soon … some of our Customers are already asking when they can get their LE Cert!
There is definitely ongoing progress and work on this.
I’m happy to point to three pieces of progress on Let’s Encrypt IDN support:
① The new Let’s Encrypt CPS 1.5 released today permits issuances for IDNs (as a policy matter).
② The Boulder CA software has added a feature to permit issuance for IDNs (as a technical matter).
③ The current development version of the Certbot client no longer prevents users from requesting punycode-formatted IDNs as part of their certificate requests (as a user interface matter).
It would be great for any other clients that currently forbid requesting certs containing punycode IDN names (the ones beginning with “xn--”) to remove that limitation at this time.
There’s also ongoing work on Certbot to allow users to specify requested names in Unicode form instead of IDNA form so that users will eventually be able to say -d éxample.org as a synonym for -d xn--xample-9ua.org. Right now requests can be entered only using IDNA form (with xn--) for all labels containing a non-ASCII character. If you don’t know the IDNA form of your domain, you can find it using various software such as the
Note that issuance of certs for IDNs has not begun yet and we’re still waiting for an announcement of when this may happen. But I wanted to let people know that several pieces have now been put in place to move the process forward.
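As an added illustration (not part of the original post, and not Certbot or Boulder code), this Python example converts between the Unicode and IDNA forms mentioned above and flags labels that mix scripts, the concern raised earlier in the thread. It uses Python's built-in `idna` codec, which implements IDNA 2003; the function names, the constructed sample names, and the script heuristic based on Unicode character names are assumptions made for this example.

```python
import unicodedata


def to_idna(name: str) -> str:
    """Return the IDNA (xn--) form of a domain name given in Unicode or ASCII."""
    # The built-in codec (IDNA 2003) converts label by label and leaves
    # pure-ASCII labels, including existing xn-- labels, unchanged.
    return name.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Approximate the set of scripts used by the letters of one Unicode label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Heuristic (assumption): the first word of the character name,
            # e.g. "LATIN", "CYRILLIC", "GREEK", stands in for the script,
            # because the standard library has no Script property lookup.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def review_name(name: str) -> dict:
    """Normalise a name and report labels whose letters span several scripts."""
    a_form = to_idna(name)
    u_form = a_form.encode("ascii").decode("idna")
    mixed = {}
    for label in u_form.split("."):
        found = scripts_in_label(label)
        if len(found) > 1:
            mixed[label] = sorted(found)
    return {"idna": a_form, "unicode": u_form, "mixed_script_labels": mixed}


if __name__ == "__main__":
    # Constructed sample names: the first is the one used in the post above,
    # the second contains a Cyrillic "a" (U+0430) inside a Latin label.
    for sample in ("\u00e9xample.org", "ex\u0430mple.example.com"):
        print(review_name(sample))
```

The `idna` value is the form that can be passed to a client that only accepts `xn--` names; a non-empty `mixed_script_labels` entry marks a label worth a manual look before requesting or trusting a certificate for it.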
Awesome! Thanks for keeping us posted!
Nice work to everybody involved in making IDNs happen!
Thank you all for making this happen! Already issued the first IDN LE Certs for our Clients!
I added encryption to my domains finally. Thanks a lot Let’s Encrypt staff for making it happen!