
For instance, if I run IDNA encode on bücher.tld, I receive xn--bcher-kva.tld. Now imagine the certificate for https://bücher.tld has the following field within subjectAltName: (dNSName, xn--bcher*.tld).

Would this mean that the certificate would match býcher.tld since it IDNA-encodes to xn--bcher-qva.tld or are partial wildcards not allowed for IDNA-encoded domains? Are there any official documents about these two features interacting?

1 Answer


RFC6125 section 7.2 strongly discourages the use of wildcards inside an IDNA part of the domain name:

   o  There is no specification that defines how the wildcard character
      may be embedded within the A-labels or U-labels [IDNA-DEFS] of an
      internationalized domain name [IDNA-PROTO]; as a result,
      implementations are strongly discouraged from including or
      attempting to check for the wildcard character embedded within the
      A-labels or U-labels of an internationalized domain name (e.g.,
      "xn--kcry6tjko*.example.org").  Note, however, that a presented
      domain name identifier MAY contain the wildcard character as long
      as that character occupies the entire left-most label position,
      where all of the remaining labels are valid NR-LDH labels,
      A-labels, or U-labels (e.g., "*.xn--kcry6tjko.example.org").

Looking at the source code of OpenSSL and Chromium, they follow this recommendation and have explicit tests for this case. This means that neither xn--bcher*.tld nor *-kva.tld would match xn--bcher-kva.tld. I cannot find anything about this topic in the CA/Browser Forum Baseline Requirements, though.

Steffen Ullrich
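To make the RFC 6125 rule from the answer concrete, here is an added example (not code from OpenSSL, Chromium or the answer's author) of a dNSName matcher that normalises both sides to A-labels and rejects any wildcard that is not the entire left-most label. The requirement that at least two labels follow the wildcard is an extra guard modelled on common TLS client behaviour, not something the quoted RFC text states.

```python
import re
from typing import List

# An NR-LDH label or A-label: letters, digits and hyphens, not starting or
# ending with a hyphen. A '*' can never match this pattern.
LDH_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def to_alabels(name: str) -> List[str]:
    """Split a host name on '.' and IDNA-encode each label to a lowercase
    A-label. Pure-ASCII labels (including a bare '*') pass through unchanged,
    so 'bücher' becomes 'xn--bcher-kva' while 'xn--bcher*' stays as written."""
    return [label.encode("idna").decode("ascii").lower()
            for label in name.split(".")]


def wildcard_form_ok(labels: List[str]) -> bool:
    """RFC 6125 section 6.4.3 / 7.2: a '*' may only occupy the entire left-most
    label and must never be embedded in an A-label such as 'xn--bcher*'."""
    if not any("*" in label for label in labels):
        return True                      # no wildcard at all: nothing to check
    if labels[0] != "*":
        return False                     # partial or embedded wildcard: rejected
    rest = labels[1:]
    # Assumption (client practice, not the RFC quote): at least two labels must
    # follow the wildcard, and each must be a valid LDH label or A-label.
    return len(rest) >= 2 and all(LDH_LABEL.match(label) for label in rest)


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare a certificate's dNSName against the host the client connected
    to, with both sides normalised to A-labels first."""
    p, r = to_alabels(presented), to_alabels(reference)
    if not wildcard_form_ok(p) or len(p) != len(r):
        return False
    # A left-most '*' matches exactly one label; all other labels must be equal.
    return all(pl == "*" or pl == rl for pl, rl in zip(p, r))


if __name__ == "__main__":
    # The two candidates from the question are both rejected; a whole-label
    # wildcard in front of an A-label is accepted.
    for cert_name, host in [("xn--bcher*.tld", "býcher.tld"),
                            ("*-kva.tld", "bücher.tld"),
                            ("*.xn--kcry6tjko.example.org",
                             "www.xn--kcry6tjko.example.org")]:
        print(cert_name, "vs", host, "->", dns_name_matches(cert_name, host))
```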