--On Wednesday, February 8, 2017 05:13 +0000 Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:

>...
> I am asking the author to remove that dependency, leaving
> construction of the normal form of the reference identifier to
> the application rather than the X.509 stack. If he is
> unsuccessful, and there is a fundamental requirement for X.509
> certificate validation code to become IDNA aware, that'd be a
> major barrier to widespread support for this specification.

As you and others have pointed out, SMTPUTF8 is deploying rather slowly. That should not be a surprise to anyone who participated in the WG discussions and understands the issues -- there are complex sequencing and support tradeoffs involved along with a number of problems some would describe as involving "chicken and egg" relationships and others would claim would benefit from a flag day.

So, as I understand it, you want to shift the issues to the application in order to get more rapid deployment. I prefer to keep the decisions, including a single canonical form, bound to the X.509 certificate because I think, especially given the security implications of either false positives or false negatives, that getting implementations right (and consistent) is more important than getting quick deployment. A preference for "right" over "quick" is particularly important where IDNs are concerned given the number of inconsistent implementations of things claiming to be IDNA in the wild.

best,
john