Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

Russ Housley <housley@vigilsec.com> Sat, 11 February 2017 18:48 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0D2F12941A for <ietf@ietfa.amsl.com>; Sat, 11 Feb 2017 10:48:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLG6b6OJQrtB for <ietf@ietfa.amsl.com>; Sat, 11 Feb 2017 10:48:58 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0396D129888 for <ietf@ietf.org>; Sat, 11 Feb 2017 10:48:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 0FFD7300425 for <ietf@ietf.org>; Sat, 11 Feb 2017 13:42:17 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Ds3Hl0hkMTSs for <ietf@ietf.org>; Sat, 11 Feb 2017 13:42:15 -0500 (EST)
Received: from russhousleymbp.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id C870F30009D for <ietf@ietf.org>; Sat, 11 Feb 2017 13:42:15 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
Date: Sat, 11 Feb 2017 13:42:15 -0500
References: <CAAFsWK2QjdkovXTgJR-6Hpj=u=MD5Mjk0srYVpoqNnK_d7_Y9Q@mail.gmail.com> <78EFB6CA-BB21-4B6F-964C-9A0BBAA68023@dukhovni.org> <CAAFsWK0p5Zjj73Av3Z=TpjRmpJwFekfj9N+4zdcE_fFDcw65dA@mail.gmail.com> <20170206182023.GN28349@mournblade.imrryr.org> <20170208051311.GP28349@mournblade.imrryr.org> <CAAFsWK3xY35+yD5drtmUJUNMaAA8pRUwM3h22rvm+k7g5W8uKg@mail.gmail.com> <20170208151943.GQ28349@mournblade.imrryr.org> <CAAFsWK20Sf51W+cRUBET8-U5XXO+Z1ixOt3dgu70ad99FPsrWg@mail.gmail.com> <20170209175737.GV28349@mournblade.imrryr.org> <EB04BFE1-6A74-4697-9D4F-67A356B107DE@vigilsec.com> <20170209223951.GW28349@mournblade.imrryr.org>
To: IETF <ietf@ietf.org>
In-Reply-To: <20170209223951.GW28349@mournblade.imrryr.org>
Message-Id: <2B16B736-AA1A-4C50-AF5C-65C87A93099F@vigilsec.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/o3OKArsEfIx-XQm61uAolzgXp-Y>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Feb 2017 18:48:59 -0000

Viktor:

[bottom posting]

> 
>> RFC 5280 says:
>> 
>> A name constraint for Internet mail addresses MAY specify a
>> particular mailbox, all addresses at a particular host, or all
>> mailboxes in a domain.  To indicate a particular mailbox, the
>> constraint is the complete mail address.  For example,
>> "root@example.com" indicates the root mailbox on the host
>> "example.com".  To indicate all Internet mail addresses on a
>> particular host, the constraint is specified as the host name.  For
>> example, the constraint "example.com" is satisfied by any mail
>> address at the host "example.com".  To specify any address within a
>> domain, the constraint is specified with a leading period (as with
>> URIs).  For example, ".example.com" indicates all the Internet mail
>> addresses in the domain "example.com", but not Internet mail
>> addresses on the host "example.com”.
>> 
>> I think you are talking about constraints on addresses at a particular
>> host and constraints on mailboxes in a domain, but not constraints on a
>> particular mailbox.  Please correct me is I got that wrong.
> 
> Primarily, but not exclusively.  In the case that an issuer CA is
> constrainted to a specific rfc822Name, it should not be possible
> to evade that constraint by using the same (all-ASCII) address as
> an SmtpUtf8Name.
> 
>> I think you are suggesting that any A-label in the rfc822Name be converted
>> to a U-label, and the result is used to constrain the SmtpUtf8Name.
> 
> No.  I am *not* suggesting *any* conversions.  If a CA has rfc822Name
> constraints and no SmptUtf8Name constraints, and the rfc822Name
> constraints limit the CA to "example.com", ".example.com", or as
> you suggest above, a particular set of explicit rfc822Name addresses,
> my suggestion is that it MUST NOT be able to issue SmtpUtf8Name altnames
> that violate those constraints.  For example:
> 
> * CA is constrained to permitted subtree rfc822Name: example.com
> 	- can issue SmtpUtfName: виктор@example.com
> 	- cannot issue SmtpUtf8Name: виктор@example.net
> 
> In the current form of the draft both would be allowed, the second
> is a clear violation of the principle of least surprise (and the
> policy of the parent CA that created the name constraint).
> 
>> If people like your suggestion, then a constraint for a particular mailbox
>> will still require a SmtpUtf8Name, so I think the mechanism described in
>> the draft is needed.  It would just be used in combination with the above.
> 
> As to particular addresses, again:
> 
> 
> * CA is constrained to permitted subtree rfc822Name: viktor@example.com
> 	- cannot SmtpUtfName: виктор@example.com
> 	- cannot issue SmtpUtf8Name: виктор@example.net
> 
> In the current form of the draft both would be allowed, in clear
> violation of the name constraint on the permitted email addresses.


Wei is arguing that the two (ffc822Name and SmtpMUtf8Name) should be completely separate.

You are arguing for some crossover, but I do not understand how A-labels in the rfc822Name are handled in your proposal.

If rfc822Name permits 'xn--fa-hia.de’ then it would need to be translated to 'faß.de’ for comparison in SmtpUtf8Name.

Russ