Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

Wei Chuang <weihaw@google.com> Thu, 09 March 2017 18:22 UTC

Return-Path: <weihaw@google.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD94D1296E1 for <ietf@ietfa.amsl.com>; Thu, 9 Mar 2017 10:22:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id thM5bWRsR7Rl for <ietf@ietfa.amsl.com>; Thu, 9 Mar 2017 10:22:55 -0800 (PST)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E8431296EC for <ietf@ietf.org>; Thu, 9 Mar 2017 10:22:55 -0800 (PST)
Received: by mail-oi0-x230.google.com with SMTP id m124so40492923oig.1 for <ietf@ietf.org>; Thu, 09 Mar 2017 10:22:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=Rv0NKGsjrZt+Lp7X5SLRTAfi3qGr70uY3U1CkKSOZPM=; b=Aek5cQRdkge1xGQqizREk/WUcvIwYJ/fxCs616X2xSogZ8TJc/jf/YR2QC9nRKbX/+ RWErXYS9h0mZN2S/Bm6C6oGKsn6rW/QFY5yTa0EQy1LcEuLbG9GO+NwNZMHSFDbpPwCK GcHHMYDJjeAKCZmQiJkpyW3fiptoguiLEkxFyXXuq1l4BN6FgTiVNfJ1tkVKhoTRRZ21 1+vdHNRT6z0IBI8OvNFKwi98bcw8QesobE7f1sEgyYtixYutEAfiMKlroigGjtUZTg8g v6CQJ7L9Hgikw2NSTHc0dcqcGQJmvSk8i6T3SVc6falS1+clU/9PxsfaTujwyl6TdU6G EBOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=Rv0NKGsjrZt+Lp7X5SLRTAfi3qGr70uY3U1CkKSOZPM=; b=tGxT3ZvrPLxRjAFfX+dyvAroCiK+pXism/iIJWdrLNt9mrcKIrvPUIEdNWNyXHqb9u sz0teSi80q8Kt6hifSRldspU01WG7Z5dD/NCuKxpf07jJh8dhDpCkQSF0nZModzfjPyy Ymy6eYnv+UbSlb7ltqMXhvm5FVAf25SAK7uH730GwKJfSmwrrg1Frce3WZEFZlHSGZJB 4YuFPMAK6Z+huig6C+XsIm9AJiQDgWzIHX4nqU1uTyxo2bN8lAqAAc7BtU76r5M2oriL HiVv/sJwLW3lgom5WjU7eYYB5/QF8fEQvqhlCuNIuC9GuFS0dQtV/XW1j2CjSVGawlup io9w==
X-Gm-Message-State: AMke39ks+hz5FdNmziGOsV84xL+XU37zzg4H1O+nvUt1N0TKS5qJ6l7PS1NeUTPDpjlBRo3S8swy17stTESecVKW
X-Received: by 10.202.90.84 with SMTP id o81mr7074567oib.106.1489083773985; Thu, 09 Mar 2017 10:22:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.41.226 with HTTP; Thu, 9 Mar 2017 10:22:26 -0800 (PST)
In-Reply-To: <00c401d298b8$616fffa0$4001a8c0@gateway.2wire.net>
References: <alpine.OSX.2.20.1702111606270.2386@ary.qy> <CAAFsWK0KoeeHeKxay=j=NR8AqbzaHXtjNoQNQqRHwUNT3-Pe_Q@mail.gmail.com> <D237E866-CEC3-4A3C-9D5E-0D1B48F1799B@dukhovni.org> <841bb724-7403-4682-3d50-f878f63b0346@cs.tcd.ie> <6d114340-c9a7-e311-e6f9-0614600cafd2@cs.tcd.ie> <CAAFsWK2RMGp0jqesx3cTbN=S7p0WuhH+0AbeJuuiZPF6WCbQOQ@mail.gmail.com> <BCEFAA3C-B711-4269-81C8-4DA0E1AA7AD0@dukhovni.org> <CAAFsWK3yJ9r+6abTXZQsNsey+VcRpdtVv=Hku_54_LZ9y1T2xQ@mail.gmail.com> <B8A5967B-9C19-4167-8A20-B82DFD46A924@dukhovni.org> <00c401d298b8$616fffa0$4001a8c0@gateway.2wire.net>
From: Wei Chuang <weihaw@google.com>
Date: Thu, 9 Mar 2017 10:22:26 -0800
Message-ID: <CAAFsWK1Q=d-9E++J0Z7UyEn3mshKkbYZ9yuGX974XvU8rO0VQw@mail.gmail.com>
Subject: Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
To: IETF general list <ietf@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a113d52726e708f054a5055ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Cor3cMSxOIHfcyVU_zTtyiBPiPE>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 18:22:57 -0000

There seems to be a consensus here and internally to the changes that
Viktor proposes.  We can put that in the next draft update.

-Wei

On Thu, Mar 9, 2017 at 1:34 AM, tom p. <daedulus@btconnect.com> wrote:

> ----- Original Message -----
> From: "Viktor Dukhovni" <ietf-dane@dukhovni.org>
> To: <spasm@ietf.org>rg>; "IETF general list" <ietf@ietf.org>
> Sent: Thursday, March 09, 2017 3:19 AM
> > On Mar 8, 2017, at 8:17 PM, Wei Chuang <weihaw@google.com> wrote:
> >
> > Okay.  I think the direction then is to have SmtpUTF8Name respect
> rfc822Name name constraints and vice versa.
>
> Well, no, the simplest proposal on the table is for SmtpUTF8Name to
> be *prohibited* when rfc822Name constraints are present and SmtpUTF8Name
> constraints are not.  When both present, they can operate independently.
>
> <tp>
>
> Getting security right can be tricky as the legion of failed attempts
> that make it to RFC testify but what you are proposing here seems so
> simple, so obviously the right thing to do that I am puzzled, bewildered
> even, that anyone can disagree with you.
>
> Tom Petch
>
> The verifier logic is then:
>
> 1. If neither rfc822Name constraints nor SmtpUTF8Name constraints
>            are present in any CA certificate in the chain, any mixture
> of
>            rfc822Name and SmtpUTF8Name SAN elements is valid.
>
> 2. If some certificate in the chain contains *only* rfc822Name
>    constraints, then these apply to rfc822Name SAN elements, but
>    all SmtpUTF8Names are prohibited.
>
> 3. When both types of constraints are present in all CA certificates
>            that have either type, then constraints for each SAN type are
>    exclusively based on just the corresponding constraint type.
>
> 4. If some certificate in the chain contains only SmtpUTF8Name
>      constraints then those are unavoidably at risk of bypass via
>            rfc822Name SAN elements when processed by legacy verifiers.
>    Therefore, this should be avoided, and the CA needs to
>      publish rfc822Name constraints that prevent bypass.  Such
>    constraints *need not* be equivalent (not always possible)
>    to the desired SmtpUTF8Name constraints.  Rather, it suffices
>    to not permit rfc822Name elements that would be prohibited
>    if they were simply cut/pasted (with no A-label to U-label
>            conversions) as SmtpUTF8Name elements.  It is not necessary
>    for these to permit everything that SmtpUTF8Name permits.
>
> Thus for example, if SmtpUtf8Name only permits addresses in the non
> NR-LDH
> domain "духовный.org <http://xn--b1adqpd3ao5c.org>" (or a specific set of
> addresses in such a domain),
> then the corresponding rfc822Name constraint could just permit "." (or
> the
> reserved "invalid" TLD if that's preferable) which is not a usable email
> domain.  This ensures that only the permitted SmtpUTF8Name SANs are used
> and no rfc822Name SANs are used.
>
> If, instead the Smtp8Name constraints are excluded non-ASCII address
> forms,
> then since these have no literal rfc822Name equivalents, the rfc822Name
> constraints can be omitted with the same effect.
>
> Only when the intention is to permit NR-LDH domains with either ASCII or
> UTF-8 localparts (or an all-ASCII full address) do the rfc822Name and
> SmtpUTF8Name constraints need to be fully equivalent.  This is of course
> trivial to do.  Just cut/paste the same string into both types of
> constraint.
>
> --
> Viktor.
>
>