** All documents supplied as evidence should be publicly available.
** Documents purporting to be from the CA's auditor (or other evaluator) should be available directly from the auditor (e.g., as documents downloadable from the auditor's web site).
* CAs should indeed address the issue of homographic spoofing of internationalized domain names (IDNs) in their CP/CPS, even if primary responsibility for this falls on domain registries. This doesn't mean that the CAs prevent such spoofing. It merely means that a CA describes how it handles the issue of spoofing when authenticating the owner of a domain.
==== Notes for future work ====
* What (if anything) should we do regarding the use of non-US-ASCII character sets in certs? To what extent is this supported today in NSS and by CAs? This whole problem seems analogous to the IDN problem.