Re: [pkix] [Spasm] IDNA2008 and PKIX certificates
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 19 December 2016 17:33 UTC
To: Russ Housley <housley@vigilsec.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>
References: <1480062929.2875.5.camel@redhat.com> <74E53F2B-A88D-4889-8929-9F0E1EAD60A2@vigilsec.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <09a818a7-ef87-bf45-f59f-044cd1072305@isode.com>
Date: Mon, 19 Dec 2016 17:33:32 +0000
In-Reply-To: <74E53F2B-A88D-4889-8929-9F0E1EAD60A2@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/Mtw1RGeNcQk5KWrCcZX0an9JOPY>
Cc: SPASM <spasm@ietf.org>, IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] [Spasm] IDNA2008 and PKIX certificates
Hi Russ,

On 19/12/2016 17:17, Russ Housley wrote:
> Nikos:
>
> RFC 5280 only needs to convert to punycode. The punycode form is
> carried in the certificate, and the punycode form is used to compare two
> domain names.
>
> RFC 5280 refers to Section 4 of RFC 3490 for the conversion. In
> addition, Section 7.2 of RFC 5280 provides some guidance about the flags
> used in that process.
>
> RFC 5891 also refers to RFC 3490 for the conversion to punycode.
>
> I don't see a problem with RFC 5280 with respect to IDNA.

I think RFC 5280 should be updated to say that RFC 5891 applies. This is
not a big update, but it needs doing.

Best Regards,
Alexey

> Russ
>
>
>> On Nov 25, 2016, at 3:35 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
>>
>> Hi,
>> RFC5280 and its update (6818) reference IDNA2003 (rfc3490) for
>> storing internationalized DNS names. However, IDNA2003 is already an
>> obsolete standard (it seems it was already deprecated when RFC6818 was
>> published [0]), in practice phased out, and incompatible with IDNA2008.
>> My understanding is that the situation with internationalized names in
>> certificates/https is not in a good state (you are lucky if it works).
>>
>> Is there some plan to update RFC5280 to fix that situation? An example
>> would be to switch to IDNA2008 and to the corresponding ToUnicode
>> operation for the reverse mapping.
>>
>> regards,
>> Nikos
>>
>>
>> PS. Originally posted in PKIX-list and precis groups.
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
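The disagreement above (Russ: RFC 5280 only needs the punycode form and compares in that form; Nikos: IDNA2003 and IDNA2008 are incompatible) can be made concrete by converting the same U-label name both ways and comparing the results the way RFC 5280 section 7.2 does. The block below is an added example and is not code from this thread, from RFC 5280 or from any of the participants. It uses only the Python standard library: the built-in `idna` codec is RFC 3490 ToASCII with nameprep (IDNA2003), and the `punycode` codec is RFC 3492. The IDNA2008 path is an assumption for illustration: it performs no mapping step, only NFC plus Punycode, and the RFC 5892 code-point validity tables are not implemented. The STD3 check is added by hand because Python's codec leaves UseSTD3ASCIIRules off, whereas RFC 5280 section 7.2 sets it.

```python
"""A-label conversion of a dNSName under IDNA2003 vs IDNA2008 (added
example, not code from the thread). Standard library only: the built-in
'idna' codec is RFC 3490 ToASCII with nameprep (IDNA2003), 'punycode' is
RFC 3492. The IDNA2008 path is an approximation (assumption): NFC and
Punycode with no mapping step, without the RFC 5892 code-point tables.
"""
import re
import unicodedata

# RFC 5280 7.2 runs RFC 3490 ToASCII with UseSTD3ASCIIRules set and
# AllowUnassigned not set. Python's idna codec leaves UseSTD3ASCIIRules
# off, so the STD3 hostname rule (letters, digits, hyphen, no leading or
# trailing hyphen, 1..63 octets) is enforced here by hand.
_LDH_LABEL = re.compile(rb"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _check_std3(label: bytes) -> bytes:
    """Reject an ASCII label that is not a valid STD3 hostname label."""
    if not _LDH_LABEL.match(label.lower()):
        raise ValueError("label violates STD3 ASCII rules: %r" % label)
    return label


def to_ascii_idna2003(name: str) -> bytes:
    """RFC 3490 ToASCII per label (nameprep mapping, NFKC, then Punycode
    with the xn-- prefix), joined with U+002E as RFC 5280 7.2 requires."""
    out = []
    for label in name.split("."):
        # The idna codec applies nameprep: case folding, NFKC and the
        # compatibility mappings, for example U+00DF (sharp s) -> "ss".
        ascii_label = label.encode("idna")
        out.append(_check_std3(ascii_label))
    return b".".join(out)


def to_ascii_idna2008(name: str) -> bytes:
    """Approximate RFC 5891 A-label form: no mapping step, each label is
    NFC-normalized and Punycode-encoded as-is. ASSUMPTION: the RFC 5892
    PVALID/CONTEXT checks and the bidi rules are not implemented here."""
    out = []
    for label in name.split("."):
        label = unicodedata.normalize("NFC", label)
        if label.isascii():
            out.append(_check_std3(label.encode("ascii")))
            continue
        ace = b"xn--" + label.encode("punycode")
        if len(ace) > 63:
            raise ValueError("A-label too long: %r" % ace)
        out.append(ace)
    return b".".join(out)


def dnsname_matches(cert_name: bytes, reference: bytes) -> bool:
    """RFC 5280 7.2 comparison: both names already in A-label form,
    compared as ASCII case-insensitively, with no further normalization."""
    return cert_name.lower() == reference.lower()


def compare_conversions(name: str) -> dict:
    """Convert one U-label name both ways and report whether a certificate
    issued under one IDNA version would match a lookup under the other."""
    a2003 = to_ascii_idna2003(name)
    a2008 = to_ascii_idna2008(name)
    return {"idna2003": a2003, "idna2008": a2008,
            "interoperable": dnsname_matches(a2003, a2008)}


if __name__ == "__main__":
    # Constructed sample names: "bücher.example" converts identically under
    # both versions; "straße.example" (U+00DF) does not, because IDNA2003
    # maps the sharp s to "ss" while IDNA2008 keeps it and Punycodes it.
    for n in ("b\u00fccher.example", "stra\u00dfe.example"):
        print(n, compare_conversions(n))
    try:
        to_ascii_idna2003("foo_bar.example")
    except ValueError as e:
        print("rejected by STD3 rule:", e)
```

Run stand-alone, the sharp-s name yields `strasse.example` under IDNA2003 but `xn--strae-oqa.example` under IDNA2008, so a certificate carrying one form will not match a client that derived the other, which is the interoperability gap Nikos describes; the umlaut name yields `xn--bcher-kva.example` either way. The comparison function deliberately does nothing beyond ASCII case folding, because that is all RFC 5280 section 7.2 allows once both sides are in punycode form.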
- [pkix] IDNA2008 and PKIX certificates Nikos Mavrogiannopoulos
- Re: [pkix] IDNA2008 and PKIX certificates Sean Turner
- Re: [pkix] IDNA2008 and PKIX certificates Nikos Mavrogiannopoulos
- Re: [pkix] IDNA2008 and PKIX certificates Sean Turner
- Re: [Spasm] [precis] [Fwd: [pkix] IDNA2008 and PK… Nikos Mavrogiannopoulos
- Re: [pkix] [Spasm] IDNA2008 and PKIX certificates Russ Housley
- Re: [pkix] [Spasm] IDNA2008 and PKIX certificates Alexey Melnikov
- Re: [pkix] [Spasm] IDNA2008 and PKIX certificates Nikos Mavrogiannopoulos
- Re: [pkix] [Spasm] IDNA2008 and PKIX certificates Nikos Mavrogiannopoulos