Re: [pkix] [Spasm] IDNA2008 and PKIX certificates

Russ Housley <housley@vigilsec.com> Mon, 19 December 2016 17:17 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <1480062929.2875.5.camel@redhat.com>
Date: Mon, 19 Dec 2016 12:17:44 -0500
Message-Id: <74E53F2B-A88D-4889-8929-9F0E1EAD60A2@vigilsec.com>
References: <1480062929.2875.5.camel@redhat.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/XB9rm0HArMcShO8Fm7y40VBsPLg>
Cc: SPASM <spasm@ietf.org>, IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] [Spasm] IDNA2008 and PKIX certificates

Nikos:

RFC 5280 only needs to convert to punycode.  The punycode form is
carried in the certificate, and the punycode form is used to compare two
domain names.

RFC 5280 refers to Section 4 of RFC 3490 for the conversion.  In
addition, Section 7.2 of RFC 5280 provides some guidance about the flags
used in that process.

RFC 5891 also refers to RFC 3490 for the conversion to punycode.

I don't see a problem with RFC 5280 with respect to IDNA.

Russ


On Nov 25, 2016, at 3:35 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:

> Hi,
> RFC5280 and its update (6818) reference IDNA2003 (rfc3490) for
> storing internationalized DNS names. However, IDNA2003 is already an
> obsolete standard (it seems it was already deprecated when RFC6818 was
> published [0]), in practice phased out, and incompatible with IDNA2008.
> My understanding is that the situation with internationalized names in
> certificates/https is not at a good state (you are lucky if it works).
> 
> Is there some plan to update RFC5280 to fix that situation? An example
> would be to switch to IDNA2008 and to the corresponding ToUnicode
> operation for the reverse mapping.
> 
> regards,
> Nikos
> 
> 
> PS. Originally posted in PKIX-list and precis groups.
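The ToASCII conversion and punycode comparison discussed in this thread, and the IDNA2003/IDNA2008 incompatibility Nikos raises, as an added example that is not part of either message. It relies on one fact about the tooling: Python's standard-library "idna" codec implements IDNA2003 (RFC 3490 ToASCII/ToUnicode with RFC 3491 Nameprep), which is the conversion RFC 5280 Section 7.2 references, so the difference between the two IDNA generations is visible with no third-party package. The sample names are constructed, not taken from any real certificate; the LDH label check is an addition here for the UseSTD3ASCIIRules step that the stdlib codec does not apply on its own.

```python
"""dNSName conversion and comparison in the style of RFC 5280 section 7.2.

Python's built-in "idna" codec is IDNA2003 (RFC 3490 + Nameprep).  Under
IDNA2003 U+00DF (sharp s) is case-folded to "ss" by Nameprep; under IDNA2008
it is a valid code point of its own.  That is the "incompatible with IDNA2008"
situation from the thread, and it shows up in both directions below.
"""
import re
from typing import Optional

# RFC 1034 "preferred name syntax" for one label: letters, digits and hyphen,
# no leading or trailing hyphen.  This is the check RFC 3490 step 3 performs
# when UseSTD3ASCIIRules is set; the stdlib codec skips it, so it is done here.
_LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def to_ace(name: str) -> str:
    """Convert a possibly internationalized name to its ACE (punycode) form,
    label by label, then lower-case it so that the comparison is the
    case-insensitive exact match RFC 5280 requires.

    Raises UnicodeError if Nameprep rejects the name or a label is not LDH."""
    ace = name.encode("idna").decode("ascii").lower()
    for label in ace.rstrip(".").split("."):
        if not _LDH_LABEL.match(label):
            raise UnicodeError(f"label {label!r} violates STD3 ASCII rules")
    return ace


def names_match(a: str, b: str) -> bool:
    """Compare two dNSNames as RFC 5280 section 7.2 describes: convert both to
    ACE form and compare the ACE strings case-insensitively."""
    return to_ace(a) == to_ace(b)


def is_valid_dnsname(name: str) -> bool:
    """True if the name survives ToASCII plus the LDH check."""
    try:
        to_ace(name)
        return True
    except UnicodeError:
        return False


def to_unicode(ace: str) -> Optional[str]:
    """Reverse mapping (ToUnicode) for display.  Returns None when the IDNA2003
    codec refuses the input.  IDNA2003 ToUnicode re-runs ToASCII on the decoded
    label and demands a round trip, so an A-label that only IDNA2008 produces
    (e.g. xn--fa-hia for "fass" with a sharp s) is rejected outright."""
    try:
        return ace.encode("ascii").decode("idna")
    except UnicodeError:
        return None


if __name__ == "__main__":
    # Constructed sample names for illustration.
    print(to_ace("Bücher.example"))                # xn--bcher-kva.example (both IDNA generations agree)
    print(to_ace("faß.de"))                        # fass.de under IDNA2003; IDNA2008 yields xn--fa-hia.de
    print(names_match("faß.de", "fass.de"))        # True under IDNA2003, not under IDNA2008
    print(names_match("faß.de", "xn--fa-hia.de"))  # False: the certificate form and the 2008 form differ
    print(to_unicode("xn--bcher-kva.example"))     # bücher.example
    print(to_unicode("xn--fa-hia.de"))             # None: IDNA2003 ToUnicode rejects the IDNA2008 A-label
    print(is_valid_dnsname("ex_ample.com"))        # False: underscore fails the LDH rule
```

The practical lesson is the last two lines: a relying party that follows RFC 5280 literally, with an IDNA2003 library, will neither match nor display a name that was registered under IDNA2008 rules, while it will happily treat "faß.de" and "fass.de" as the same name, which IDNA2008 does not. Which behaviour a given TLS stack exhibits depends on which IDNA library it was built against, not on the certificate.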