Re: [pkix] Support for email address internationalization in RFC5280 certificates
Peter Bowen <pzbowen@gmail.com> Sat, 06 February 2016 00:46 UTC
Return-Path: <pzbowen@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 126C21B3173 for <pkix@ietfa.amsl.com>; Fri, 5 Feb 2016 16:46:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwzSmpDUWvCR for <pkix@ietfa.amsl.com>; Fri, 5 Feb 2016 16:46:12 -0800 (PST)
Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ECAF1B3172 for <pkix@ietf.org>; Fri, 5 Feb 2016 16:46:12 -0800 (PST)
Received: by mail-pa0-x22f.google.com with SMTP id yy13so42172303pab.3 for <pkix@ietf.org>; Fri, 05 Feb 2016 16:46:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ZfC/DI9m++HzdH2wgZArdNhQXO48aBcu+yVsWBXDLP4=; b=HwrC9Wo2A9KJ09LwdLBqdZ4kHqmrNigp0C3YA2TfJqeL78t5+uzqiMyWNyNWAMlyDq 4qxOLTkrOXkr5hUwu4bblwzj/Z2UjohZGHTEBmY4igUgCBfq1jC86218Bf5M6gyJSaMU qs6lQasBcALJXgpcDDHkCBt61N9Ft2BhIANJuUhhjX9QfWKyuvCuEV0oLi+koIZoFAU4 5Fek+bcwh5nHXOjyMp+wGp9Ppcs+xAKl6GRn+/lQNbTMAvtMBDYGzctM1iHYamv55BpM kTF258CB5hlnJT0gl+j69WkerdLtyfmo4dXQX+h2u9jOEe3VeL+8Z+miGjXCnDBSla1f UgRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ZfC/DI9m++HzdH2wgZArdNhQXO48aBcu+yVsWBXDLP4=; b=m8ae6gOoqBMkbvH3rkHDVS5GsGFhNAHa9btCDcdAH6mMXS+czKA6Q1zneZV53hLRnD 00vaG1nmtzhOIz2NCyzyX0wALg37ii+Q3becOAKnIGCf4Uj16ntFYLI5tNkDPJZ1+pd3 oyasdzGXFuPnUDl8OuR5hUi3RecQjaUJ6kdfTTfnVVMeFGoQcBkZ6WesCThnCHdRsziS dMeT8nGbO6b+AP/TDEdIiwfTHp1cQxdiAS/AtUDX1igIYwbRwRzVdVmj8cXN4RAf+Jz4 O4UCQbD+QxvyTR3Mz2c62o8g1Rjm+af9/A1gf/736rC/BNPabSMYRhI2wAuZJVXzoGR7 4hgA==
X-Gm-Message-State: AG10YOTL9GTjJZgpNdowvttl3JaxLRghQggO8AIDgKYPdAX5FJH+oNP7X7iNpNI4yFU54mISEbaKX8PLTOxIag==
MIME-Version: 1.0
X-Received: by 10.66.100.135 with SMTP id ey7mr24437114pab.108.1454719571908; Fri, 05 Feb 2016 16:46:11 -0800 (PST)
Received: by 10.66.142.193 with HTTP; Fri, 5 Feb 2016 16:46:11 -0800 (PST)
In-Reply-To: <CAAFsWK0F6K_9VrDL7aX0QN56mWdhHsq0KV_1moR9pJ=A4E1BaA@mail.gmail.com>
References: <CAAFsWK0F6K_9VrDL7aX0QN56mWdhHsq0KV_1moR9pJ=A4E1BaA@mail.gmail.com>
Date: Fri, 05 Feb 2016 16:46:11 -0800
Message-ID: <CAK6vND-nAztjm9DzKNdCf1Hm2rbN5zAN4GWKuu5PiF49LeRSsw@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Wei Chuang <weihaw@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/YAe0ofmHVpDE-0Tm5jcU3NAl09Y>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Support for email address internationalization in RFC5280 certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Feb 2016 00:46:14 -0000
On Thu, Feb 4, 2016 at 11:05 AM, Wei Chuang <weihaw@google.com> wrote: > PKIX community, > > We've observed a limitation for specifying internationalized email addresses > as the local part which is restricted to essentially ASCII. That is subject > or issuer email addresses which should be stored as subject-alt-name or > issuer-alt-name rfc822Name and are encoded as IA5String. This is despite > the internationalization in email usage as specified by internationalization > of email headers in RFC6532 allowing Unicode in To, From, etc fields and > becoming fairly commonplace. RFC5280 already specifies internationalization > of the domain but lacks any specification for the local-part. We propose a > brief draft to specify an encoding of email UTF-8 local part to base64. > This described in: > http://www.ietf.org/id/draft-lbaudoin-iemax-02.txt > One goal of that draft is to be compatible with existing PKI practices such > as path constraints with email address as this draft refines the existing > rfc822Name rather than specifies a new location for email addresses. > > There are some other alternatives that probably should be mentioned for > discussion. Instead of base64, another possibility is percent encoding as > done in RFC3987. Our proposal is likely to be more compact and easier to > identify, but would welcome feedback. Another direction is to specify a > SAN/IAN otherName compatible with Unicode for internationalized email. A. > Melnikov specified this in an earlier draft. One thing to note is that rfc822Name is confusingly named. RFC5280 defines it as a "Mailbox" as defined in Section 4.1.2 of [RFC2821] 2821 has been obsoleted by 5321. So the proper reference for adding Internationalized Email addresses is probably RFC6531. That being said, did you consider the approach of redefining rfc822Name as being of type Rfc822Name and defining Rfc822Name as Rfc822Name ::= CHOICE { ia5string IA5String, utf8string UTF8String } If it is required that the domain-part only consist of A-labels even when using the utf8string choice, then all existing name constraints will still work. The obvious tradeoff here is potential incompatibility. Systems that use ASN.1 grammar (as opposed to blind encoding parsing) may reject certificates with UTF8String for rfc822Name type GeneralNames. Thanks, Peter
- Re: [pkix] Support for email address internationa… Wei Chuang
- Re: [pkix] Support for email address internationa… Peter Bowen
- [pkix] Support for email address internationaliza… Wei Chuang
- Re: [pkix] Support for email address internationa… Sean Leonard
- Re: [pkix] [smime] Support for email address inte… Russ Housley
- Re: [pkix] [smime] Support for email address inte… Jim Schaad
- Re: [pkix] [smime] Support for email address inte… Wei Chuang
- Re: [pkix] [smime] Support for email address inte… George Michaelson
- Re: [pkix] [smime] Support for email address inte… Dr Stephen Henson
- Re: [pkix] [smime] Support for email address inte… George Michaelson
- Re: [pkix] [smime] Support for email address inte… Sean Leonard
- Re: [pkix] [smime] Support for email address inte… Dr. Pala