IETF Logo Mail Archive

Re: [pkix] Support for email address internationalization in RFC5280 certificates

Wei Chuang <weihaw@google.com> Sun, 07 February 2016 15:15 UTC

Return-Path: <weihaw@google.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B38091B3BD6 for <pkix@ietfa.amsl.com>; Sun, 7 Feb 2016 07:15:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFQqfF1BYGzD for <pkix@ietfa.amsl.com>; Sun, 7 Feb 2016 07:15:28 -0800 (PST)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAAF71B3BCD for <pkix@ietf.org>; Sun, 7 Feb 2016 07:15:27 -0800 (PST)
Received: by mail-ig0-x22d.google.com with SMTP id y8so15767503igp.0 for <pkix@ietf.org>; Sun, 07 Feb 2016 07:15:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=99Y0dEIrJMYWsOsIi1wdK3fWcK/qks1YRQdrQgh1aiM=; b=jvsaHXAZ947ZffGZQjeqO2Yt9X+sjhY+qv3VP/fn54E/CM7jiNh91nRx3EFRjHAN90 dY1OEGdl9Gxt4o6g8jWxUiovu19xnBkoLqDVK/ea24VCiNE3ZnJP9BSJKP/TlVqeXjLb Eatufwb/tYTFUxYVxk/lkHuGNcdXxjR0UdF02p5fxVa89FvKO53UlIa06t3ehpqvv8Hl ncpXEw703kev26uIDI6cin0sDBU4klRVXemxxvyog2mAjMvOr+GAaPz0l7pAj9t28lVU 2KE2Euk157PmVIjmqyMjKODrjp8Tr0SRTeqqr0wpgH6dyJzcNDFGI7P9TMm6J2F6jDQ6 nq/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=99Y0dEIrJMYWsOsIi1wdK3fWcK/qks1YRQdrQgh1aiM=; b=VHnjib8pIv/XEr1BZFq+ZG+hz9aSR3++2y1LQSBq0KWW3FOz3D2XLss5+eQApEV3RJ TzPatK+Jp9J5xDZti2TqPoqDiJK9JFB1Lx0b+ulyE9eySmZhTAKTYMJePUXku4z4ufpN c5ZQ0VjGFrV/Unut0hJb4cWPe449lwjRZ7MIoaMp0DJRJUB4rTFfT55me7Y+cqBhr2kv x9gk40yrYz5FeLCkcFH8pzK+sYKt4yJpHImqq4CIruamO5Bgdb42IVisEuaIbZ2h9RYT aunNPrLFVeQbBe2w0t9kfMtnofCPClk2NjEOwmyuGNvPym0KCVYSEbOsJAldX4lwb8Rx aklw==
X-Gm-Message-State: AG10YOSl/P2srGbx9ct3m6UFfsA/W2zOSRkiIc0WhBth/vn5W5b7IN3MnsdXQ0z68DwFr3F/LCFai1gu0u8mJv3k
MIME-Version: 1.0
X-Received: by 10.50.87.7 with SMTP id t7mr5442057igz.65.1454858127057; Sun, 07 Feb 2016 07:15:27 -0800 (PST)
Received: by 10.64.149.39 with HTTP; Sun, 7 Feb 2016 07:15:26 -0800 (PST)
In-Reply-To: <CAK6vND-nAztjm9DzKNdCf1Hm2rbN5zAN4GWKuu5PiF49LeRSsw@mail.gmail.com>
References: <CAAFsWK0F6K_9VrDL7aX0QN56mWdhHsq0KV_1moR9pJ=A4E1BaA@mail.gmail.com> <CAK6vND-nAztjm9DzKNdCf1Hm2rbN5zAN4GWKuu5PiF49LeRSsw@mail.gmail.com>
Date: Sun, 07 Feb 2016 07:15:26 -0800
Message-ID: <CAAFsWK0yYrEJkazOcyc+hOUTaihcBi6Aa31g9g3TyxvVzxyF5A@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
To: Peter Bowen <pzbowen@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bf0c28edd0d65052b2f8da4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/g6iXQYzxM_NgvdI_hGnM7IVxu8w>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Support for email address internationalization in RFC5280 certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2016 15:15:29 -0000

On Fri, Feb 5, 2016 at 4:46 PM, Peter Bowen <pzbowen@gmail.com> wrote:

> On Thu, Feb 4, 2016 at 11:05 AM, Wei Chuang <weihaw@google.com> wrote:
> > PKIX community,
> >
> > We've observed a limitation for specifying internationalized email
> addresses
> > as the local part which is restricted to essentially ASCII.  That is
> subject
> > or issuer email addresses which should be stored as subject-alt-name or
> > issuer-alt-name rfc822Name and are encoded as IA5String.  This is despite
> > the internationalization in email usage as specified by
> internationalization
> > of email headers in RFC6532 allowing Unicode in To, From, etc fields and
> > becoming fairly commonplace.  RFC5280 already specifies
> internationalization
> > of the domain but lacks any specification for the local-part.  We
> propose a
> > brief draft to specify an encoding of email UTF-8 local part to base64.
> > This described in:
> > http://www.ietf.org/id/draft-lbaudoin-iemax-02.txt
> > One goal of that draft is to be compatible with existing PKI practices
> such
> > as path constraints with email address as this draft refines the existing
> > rfc822Name rather than specifies a new location for email addresses.
> >
> > There are some other alternatives that probably should be mentioned for
> > discussion.  Instead of base64, another possibility is percent encoding
> as
> > done in RFC3987.  Our proposal is likely to be more compact and easier to
> > identify, but would welcome feedback.  Another direction is to specify a
> > SAN/IAN otherName compatible with Unicode for internationalized email.
> A.
> > Melnikov specified this in an earlier draft.
>
>
Thanks for pointing this out, and reinforcing the point about the confusion


> One thing to note is that rfc822Name is confusingly named.  RFC5280
> defines it as
>
>   a "Mailbox" as defined in Section 4.1.2 of [RFC2821]
>
> 2821 has been obsoleted by 5321.  So the proper reference for adding
> Internationalized Email addresses is probably RFC6531.
>

I pointed out the counter part RFC6532 internalized headers
whereas RFC6531 is the update for the SMTP protocol.  We certainly agree
about the issue.


>
> That being said, did you consider the approach of redefining
> rfc822Name as being of type Rfc822Name and defining Rfc822Name as
>
> Rfc822Name ::= CHOICE {
>   ia5string IA5String,
>   utf8string UTF8String
> }
>

This particular approach, no.  Using a new type has been explored by A.
Melnikov in his draft-ietf-pkix-eai-addresses-00 draft.  As you point out
it has the possibility of incompatibility but has advantages like
compactness and simpler implementation.  Our approach tries to retrofit
UTF-8 into rfc822Name through encoding to lessen compatibility issues but
how important that is depends on input the community.  Our perspective is
that we just want standardization and quite happy to move forward with any
reasonable approach.


>
> If it is required that the domain-part only consist of A-labels even
> when using the utf8string choice, then all existing name constraints
> will still work.
>
> The obvious tradeoff here is potential incompatibility.  Systems that
> use ASN.1 grammar (as opposed to blind encoding parsing) may reject
> certificates with UTF8String for rfc822Name type GeneralNames.
>
> Thanks,
> Peter
>

Thanks!
-Wei

v2.23.0 | Report a Bug | By Email