Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 16 February 2017 18:27 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F3F8127077 for <ietf@ietfa.amsl.com>; Thu, 16 Feb 2017 10:27:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdGAVAeTbRSP for <ietf@ietfa.amsl.com>; Thu, 16 Feb 2017 10:27:00 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8641296A2 for <ietf@ietf.org>; Thu, 16 Feb 2017 10:26:30 -0800 (PST)
Received: from [172.31.30.83] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 51E1D282D54 for <ietf@ietf.org>; Thu, 16 Feb 2017 18:26:29 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAAFsWK0KoeeHeKxay=j=NR8AqbzaHXtjNoQNQqRHwUNT3-Pe_Q@mail.gmail.com>
Date: Thu, 16 Feb 2017 13:26:30 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <D237E866-CEC3-4A3C-9D5E-0D1B48F1799B@dukhovni.org>
References: <alpine.OSX.2.20.1702111606270.2386@ary.qy> <CAAFsWK0KoeeHeKxay=j=NR8AqbzaHXtjNoQNQqRHwUNT3-Pe_Q@mail.gmail.com>
To: IETF general list <ietf@ietf.org>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/4XMlLehfKRXKLRV9_urdEYZ3y-g>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: IETF general list <ietf@ietf.org>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 18:27:02 -0000

> On Feb 16, 2017, at 10:30 AM, Wei Chuang <weihaw@google.com> wrote:
> 
>> How about if a CA with only rfc822Name constraints can't issue certs
>> with SmtpUTF8Names at all, and of course vice versa.  If you want both
>> kinds of names, the CA has to constrain both.
> 
> I had asked a few folks at Google for an opinion about the name constraints.
> Let me post Ryan Sleevi's (CC'ed) opinion: 
> 
> https://mailarchive.ietf.org/arch/msg/ietf/ngUOjvCHubjcyiG4uZ0w16-5-fg
> [the above] basically says option 3 [the acceptable approach of the 3],
> but unfortunately suffers from 'legacy' - namely, you cannot assume that
> all rfc822Name clients will be updated to support SmtpUtf8Name, and short
> of marking it critical (which would mean its undeployable), you can't
> assume that an SmtpUtf8Name nameConstraint will constrain an rfc822Name.

Given that rfc822Name is a well-known legacy element, while SmtpUtf8Name
is a novel element, the prescription can be asymmetric.  Specifically,
all that's really needed (in the simpler model proposed by John) is
to disallow SmtpUtf8Name altnames when (only) rfc822Name constraints
are present.

The converse is not required, a parent CA that is SmtpUtf8Name aware
and wants to issue a child CA with SmtpUtf8Name constraints can and
should also include appropriate rfc822Name constraints that ensure
that the desired SmtpUtf8Name constraints are not bypassed via
unauthorized rfc822Name altnames.

The rfc822Name constraints can either permit only equivalent domain
names (LDH or A-label forms), or, if no rfc822Name can be compatible
with the SmtpUtf8Name constraints, permit only something like
"nouser@nodomain.invalid"alid", thereby excluding all valid rfc822 addresses.

-- 
	Viktor.