Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 08 March 2017 23:27 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
Date: Wed, 08 Mar 2017 18:27:55 -0500
References: <alpine.OSX.2.20.1702111606270.2386@ary.qy> <CAAFsWK0KoeeHeKxay=j=NR8AqbzaHXtjNoQNQqRHwUNT3-Pe_Q@mail.gmail.com> <D237E866-CEC3-4A3C-9D5E-0D1B48F1799B@dukhovni.org> <841bb724-7403-4682-3d50-f878f63b0346@cs.tcd.ie> <6d114340-c9a7-e311-e6f9-0614600cafd2@cs.tcd.ie> <CAAFsWK2RMGp0jqesx3cTbN=S7p0WuhH+0AbeJuuiZPF6WCbQOQ@mail.gmail.com>
To: "spasm@ietf.org" <spasm@ietf.org>, IETF general list <ietf@ietf.org>
In-Reply-To: <CAAFsWK2RMGp0jqesx3cTbN=S7p0WuhH+0AbeJuuiZPF6WCbQOQ@mail.gmail.com>
Message-Id: <BCEFAA3C-B711-4269-81C8-4DA0E1AA7AD0@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ouNEFR9Gnf81WS1xz4vHt2xxyRU>

> On Mar 8, 2017, at 6:07 PM, Wei Chuang <weihaw@google.com> wrote:
> 
> https://tools.ietf.org/rfcdiff?url2=draft-ietf-lamps-eai-addresses-07.txt

This diff covers a lot more than just name constraints.  One oddity that
stands out is in section 5:

	3.  Ensure local-part is UTF-8.

I don't see how one would "ensure" such a thing, since no encoding
information is available for the localpart, as I would expect that it
is always presumptively UTF-8 (if not us-ascii).

More importantly I don't believe that the name constraint issues are
adequately or correctly addressed in this revision.

Instead of prohibiting issuance of EE certs that HAVE SmtpUTF8Name SAN
elements via a cert chain that has a certificate with *just* rfc822Name
constraints, it attempts to require an unnecessary (and I think not
entirely robust) correspondence between the two types of constraint, and
needlessly bans EE certs whose chains include just rfc822Name constraints
even in the absence of SmtpUTF8Name SAN elements.

The changes in this revision seem to me to be too extensive, and not
yet finished. :-(

-- 
	Viktor.
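To make the two policies contrasted in the message concrete, here is a small added model (not code from the draft, from Viktor, or from any X.509 library): a chain validator that rejects an EE certificate carrying SmtpUTF8Name SAN entries when some CA in its chain constrains only rfc822Name, beside the stricter behaviour the message attributes to -07, which rejects such chains even when the EE has no SmtpUTF8Name SAN. Certificates are plain dataclasses and the chain, subtrees and mailboxes are constructed for illustration; the rfc822Name subtree matching follows RFC 5280 section 4.2.1.10, while matching rules for SmtpUTF8Name subtrees are deliberately not modelled.

```python
from dataclasses import dataclass, field

RFC822 = "rfc822Name"      # GeneralName type used for ASCII mailboxes
SMTPUTF8 = "SmtpUTF8Name"  # otherName type for internationalised mailboxes

@dataclass
class Cert:
    """Constructed, minimal stand-in for an X.509 certificate."""
    label: str
    sans: list = field(default_factory=list)       # (name_type, value) pairs
    permitted: dict = field(default_factory=dict)  # name_type -> [subtree, ...]

def rfc822_subtree_matches(subtree: str, mailbox: str) -> bool:
    """RFC 5280 4.2.1.10 matching for rfc822Name permitted subtrees."""
    host = mailbox.rsplit("@", 1)[-1].lower()
    if "@" in subtree:                  # names one particular mailbox
        return mailbox.lower() == subtree.lower()
    if subtree.startswith("."):         # any mailbox on a host under this domain
        return host.endswith(subtree.lower())
    return host == subtree.lower()      # every mailbox on exactly this host

def chain_has_rfc822_only_constraints(chain) -> bool:
    return any(RFC822 in ca.permitted and SMTPUTF8 not in ca.permitted for ca in chain)

def accept_per_viktor(chain, ee) -> bool:
    """Rule the message argues for: an EE cert that HAS SmtpUTF8Name SAN
    entries must not validate through a chain whose constraints cover only
    rfc822Name. Plain rfc822Name SANs are still checked against subtrees."""
    for name_type, value in ee.sans:
        if name_type == SMTPUTF8 and chain_has_rfc822_only_constraints(chain):
            return False
        if name_type == RFC822:
            for ca in chain:
                trees = ca.permitted.get(RFC822)
                if trees is not None and not any(rfc822_subtree_matches(t, value) for t in trees):
                    return False
    return True

def accept_per_draft_07_as_described(chain, ee) -> bool:
    """Behaviour the message attributes to -07: reject whenever the chain
    carries rfc822Name-only constraints, even with no SmtpUTF8Name SAN."""
    if chain_has_rfc822_only_constraints(chain):
        return False
    return accept_per_viktor(chain, ee)

# Constructed inputs: an intermediate constrained to example.com via rfc822Name only,
# an ASCII-only EE and an EAI EE whose localpart is non-ASCII UTF-8.
ICA = Cert("ICA", permitted={RFC822: ["example.com"]})
ASCII_EE = Cert("ascii-ee", sans=[(RFC822, "alice@example.com")])
EAI_EE = Cert("eai-ee", sans=[(SMTPUTF8, "\u00e9l\u00e8ve@example.com")])
```

Under the rule from the message the ASCII-only EE validates through ICA and only the EAI EE is rejected; under the -07 behaviour as described both are rejected.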