Comment Re:Are CA's that stupid? (Score 1) 280
No, they're not that stupid.
But the standards around this aren't exactly models of clarity.
In general, *hostnames* must be characters. And DNS entries that point to websites should also conform to hostnames. But DNS strings can be *anything*. Yes, they can be arbitrary strings of bytes, as long as the top-level domain is valid. The null is legal. Keep in mind that the CA is signing a DNS entry, which may be used for something different from web security.
The problem, as actually stated in the summary, is in the clients. They think they have a character string - they don't. They have a byte buffer of a certain length, and the clients should not be using null-termination-based software to process the buffer.
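Added example (not part of the comment above): a C sketch of the client-side bug the commenter describes, with a `strcmp`-style match that treats the certificate name as a C string placed beside a length-aware match that works on the byte buffer the client actually has. The certificate name bytes are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a dNSName as it would arrive from a certificate parser,
   i.e. a byte buffer with an explicit length. It contains an embedded NUL. */
static const unsigned char CONSTRUCTED_NAME[] = "www.bank.example\0.other.example";
static const size_t CONSTRUCTED_NAME_LEN = sizeof(CONSTRUCTED_NAME) - 1;

/* Broken client logic: the buffer is handed to a NUL-terminated string routine,
   so comparison stops at the first NUL and everything after it is ignored. */
bool match_host_broken(const unsigned char *name, size_t name_len, const char *host) {
    (void)name_len;   /* length is available but never consulted */
    return strcmp((const char *)name, host) == 0;
}

/* Length-aware client logic: validate every byte in the buffer as a hostname
   character (which excludes NUL), then compare the full length case-insensitively. */
bool match_host_length_aware(const unsigned char *name, size_t name_len, const char *host) {
    size_t host_len = strlen(host);
    for (size_t i = 0; i < name_len; i++) {
        unsigned char c = name[i];
        bool ok = isalnum(c) || c == '-' || c == '.';
        if (!ok) return false;   /* embedded NUL or other non-hostname byte: reject */
    }
    if (name_len != host_len) return false;
    for (size_t i = 0; i < name_len; i++) {
        if (tolower(name[i]) != tolower((unsigned char)host[i])) return false;
    }
    return true;
}

int main(void) {
    const char *host = "www.bank.example";
    printf("broken match:        %s\n",
           match_host_broken(CONSTRUCTED_NAME, CONSTRUCTED_NAME_LEN, host) ? "accepted" : "rejected");
    printf("length-aware match:  %s\n",
           match_host_length_aware(CONSTRUCTED_NAME, CONSTRUCTED_NAME_LEN, host) ? "accepted" : "rejected");
    return 0;
}
```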