Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

John C Klensin <john-ietf@jck.com> Wed, 08 February 2017 10:18 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E99EE129590 for <ietf@ietfa.amsl.com>; Wed, 8 Feb 2017 02:18:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id COF705rf4TZf for <ietf@ietfa.amsl.com>; Wed, 8 Feb 2017 02:18:29 -0800 (PST)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1C40128E18 for <ietf@ietf.org>; Wed, 8 Feb 2017 02:18:29 -0800 (PST)
Received: from [198.252.137.70] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1cbPKW-000PEv-Rh for ietf@ietf.org; Wed, 08 Feb 2017 05:18:28 -0500
Date: Wed, 08 Feb 2017 05:18:22 -0500
From: John C Klensin <john-ietf@jck.com>
To: ietf@ietf.org
Subject: Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
Message-ID: <291B1050C3EE53B9DB4D8BF4@PSB>
In-Reply-To: <20170208051311.GP28349@mournblade.imrryr.org>
References: <B9F32633ED13374379C6E0D1@PSB> <20170124193109.68919.qmail@ary.lan> <20170201210155.GI28349@mournblade.imrryr.org> <D45CE6A5317D4B373CD90742@PSB> <CAAFsWK1kQUUZrq9Cs47+jYbEJXW+hQN8gzKb+2qjXYdfYhRFzw@mail.gmail.com> <E56ED618-6670-437D-87A9-BD59FC10DBC1@dukhovni.org> <CAAFsWK2QjdkovXTgJR-6Hpj=u=MD5Mjk0srYVpoqNnK_d7_Y9Q@mail.gmail.com> <78EFB6CA-BB21-4B6F-964C-9A0BBAA68023@dukhovni.org> <CAAFsWK0p5Zjj73Av3Z=TpjRmpJwFekfj9N+4zdcE_fFDcw65dA@mail.gmail.com> <20170206182023.GN28349@mournblade.imrryr.org> <20170208051311.GP28349@mournblade.imrryr.org>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.70
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/D_10tO1dZVdZlJrdPyxYyWbx03I>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 10:18:31 -0000


--On Wednesday, February 8, 2017 05:13 +0000 Viktor Dukhovni
<ietf-dane@dukhovni.org> wrote:

>...
> I am asking the author to remove that dependency, leaving
> construction of the normal form of the reference identifier to
> the application rather than the X.509 stack.  If he is
> unsuccessful, and there is a fundamental requirement for X.509
> certificate validation code to become IDNA aware, that'd be a
> major barrier to widespread support for this specification.

As you and others have pointed out, SMTPUTF8 is deploying rather
slowly.   That should not be a surprise to anyone who
participated in the WG discussions and understands the issues --
there are a complex sequencing and support tradeoffs involved
although with a number of problems some would describe as
involving "chicken and egg" relationships and others would claim
would benefit from a flag day.

So, as I understand it, you want to shift the issues to the
application in order to get more rapid deployment.  I prefer to
keep the decisions, including a single canonical form, bound to
the X.509 certificate because I think, especially given the
security implications of either false positives or false
negatives, that getting implementations right (and consistent)
is more important than getting quick deployment.   A preference
for "right" over "quick" is particularly important where IDNs
are concerned given the number of inconsistent implementations
of things claiming to be IDNA in the wild.

best,
   john