Re: [pkix] Strings in certificates
Wei Chuang <weihaw@google.com> Fri, 05 February 2016 23:10 UTC
Return-Path: <weihaw@google.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53A591B2EBC for <pkix@ietfa.amsl.com>; Fri, 5 Feb 2016 15:10:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z0kY5LRzgB1R for <pkix@ietfa.amsl.com>; Fri, 5 Feb 2016 15:10:01 -0800 (PST)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D0871B2E51 for <pkix@ietf.org>; Fri, 5 Feb 2016 15:10:01 -0800 (PST)
Received: by mail-io0-x22c.google.com with SMTP id f81so144429626iof.0 for <pkix@ietf.org>; Fri, 05 Feb 2016 15:10:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=AtoZrWtOcTJrzaUsO/Uhl/pBTS7Fvm11rvzAglF5VJE=; b=alwqpXEpKu3GTmGdtk3jlGn+VdCTm4Z37IEIKKD+vksmJ1th0ZRrgiR1dNBa+MQPzq QLWgedlbJ24SLhMhv8vw1iI6GKl1ycgk9ZOcU6Ri5eg6lFJHRMXUK0MlXfy7Yv/LKyxk pB+s1yVhNsBc/eZnPI1U2J4eCVmRPJhR/zSYiNgWZ/ZNB1/Vxc7dkudXzfsITCDyI8hS xnqivv7J65lyDRKNkRnOGeUE+3+wwZvXuVLLSDisvCcjAQKaQ/aI3i99dVeeU9ftUg5P X39Bvna8asUZxtt3yEw9YS3HFh26IzfJoZ8e00gMoWYX9Xfegl6LkRT1W1BA/1+9UrKT lxzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=AtoZrWtOcTJrzaUsO/Uhl/pBTS7Fvm11rvzAglF5VJE=; b=QL6BXeZwEBisuW6R3Ep3kNFp8MxuDY/2/Mjw/2eff07m8OB5R5ako07YGCWtXT5RiJ Tk43NzUNm7qOK+zMGLFeupJZcvvjD13yInQewvrixWeV/T3oqqpP3rBVF5lzMONrcsok 4Z+F4z+DrESfOhCFklJ3WiCG8ew9NfaC8YVkrySaqV9CNoDcWp5oE2ra2ltkZ1tSI6Px e8ZwMucE/IAvyMQ0+5GEcw5+rvPS0rqsgg3fUYUCPZaGQk1vMN8e5oVBWwyO9s85heWG /YpRaDlOUG1rfbd0IH4oJFVR5CeA/XIcURwMUhD2ZhnylXUp1x8S8s+4V299hQxFyLjP bHuQ==
X-Gm-Message-State: AG10YOQJ2sIRSN7rMCU6qU9tHvD2HxInTdAAW3GHqpnrHKOwRUwOslLER7XkgeT5yJS2Hvy+ohXhSu8i/Hi9EiFF
MIME-Version: 1.0
X-Received: by 10.107.132.106 with SMTP id g103mr16842631iod.141.1454713800656; Fri, 05 Feb 2016 15:10:00 -0800 (PST)
Received: by 10.64.149.39 with HTTP; Fri, 5 Feb 2016 15:10:00 -0800 (PST)
In-Reply-To: <CAK6vND-73A7XSpPgb=or9NZCUYY0s0ADHU50j06-c5jayoaMNw@mail.gmail.com>
References: <CAK6vND-NRgJVW9Qjg+vktv5s0TGhGtMBB76f5hQ77nvsqz9JXw@mail.gmail.com> <A9FBB43B-47E7-4144-91EA-F5013A41BEA7@sn3rd.com> <CAK6vND-73A7XSpPgb=or9NZCUYY0s0ADHU50j06-c5jayoaMNw@mail.gmail.com>
Date: Fri, 05 Feb 2016 15:10:00 -0800
Message-ID: <CAAFsWK0iph93ZAga=k+O_O1d3CJ4gmmwzNn7_NbJJPBRXQBqyA@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
To: Peter Bowen <pzbowen@gmail.com>
Content-Type: multipart/alternative; boundary="001a113ec9fe56d785052b0df39e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/n8mt_j35wtGiEs_mbE-XJx5DUqg>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Strings in certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 23:10:03 -0000
On Mon, Jan 25, 2016 at 5:46 PM, Peter Bowen <pzbowen@gmail.com> wrote: > Sean, > > Thanks for providing your thoughts. > > On Mon, Jan 25, 2016 at 2:25 PM, Sean Turner <sean@sn3rd.com> wrote: > > My two cents … > > > > On Jan 18, 2016, at 22:10, Peter Bowen <pzbowen@gmail.com> wrote: > >> > >> In writing certlint (https://github.com/awslabs/certlint), I ran > >> across several items related to strings in certificates that are > >> slightly unclear. I’m hoping that someone might be able to help > >> clarify a few things: > >> > >> > >> 1) TeletexString, BMPString, and UniversalString types of > DirectoryStrings > >> > >> RFC 5280 says CAs should not use TeletexString, BMPString, and > >> UniversalString types for DirectoryStrings. As early as 1999 (RFC > >> 2459) these were flagged as deprecated. > >> > >> Is there anything that has moved these to SHALL NOT/MUST NOT or are we > >> still at SHOULD NOT? > > > > I’d love to hear that CAs haven’t generated these string types for the > last decade …. > > You won't hear that from me. I've seen hundreds (if not thousands) of > certificates issued in the last week that use these string types. > > >> 2) VisibleString and BMPString types of DisplayText > >> > >> RFC 5280 says: > >> Conforming CAs SHOULD use the > >> UTF8String encoding for explicitText, but MAY use IA5String. > >> Conforming CAs MUST NOT encode explicitText as VisibleString or > >> BMPString. > >> > >> However the organization field of noticeref also uses DisplayText. Do > >> the same rules apply? > > > > I remember something about this … ah yeah @ IETF 74: > > https://ietf.org/proceedings/74/slides/pkix-3.pdf > > > > I think it was just meant to apply to explicitText because that’s what > was seen in the wild given the following statement in s4.2.1.4: > > "Conforming CAs SHOULD NOT use the noticeRef option.” > > Yes, I was pointed to RFC 6818 which changed this rule. > > >> 3) Unicode normalization > >> > >> A number of fields in certificates can take unicode strings. Is there > >> any specification as to how (or if) they should be normalized? > > > > I thought there were references in s7 of RFC 5280 (and some tweaks in s5 > of RFC 6818). There’s also some additional information in RFC 6125. In a > perfect world, the output of precis (https://datatracker.ietf.org/ > wg/precis/documents/) would be adopted the world over. I’m not going to > hold my breath though. > > I don't see anything there that specifies a specific normalization > form for storage, except for the one thing about explicitText. I'll > assuming anything (including mixed) is good. > Just piling on. May be I'm misreading those two section (s7 of RFC5280 and s5 of RFC6818), while there's IDN support, there's no mention of handling Unicode in email address rfc822Name local-part or URL uniformResourceIdentifier path or query parts. It seems like an important loophole that should be fixed. Would folks here be willing to help in standardizing some in certificate encoding for these types? thanks, -Wei > > Thanks, > Peter > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix >
- Re: [pkix] Strings in certificates Wei Chuang
- Re: [pkix] Strings in certificates Russ Housley
- Re: [pkix] Strings in certificates Wei Chuang
- [pkix] Strings in certificates Peter Bowen
- Re: [pkix] Strings in certificates Erwann Abalea
- Re: [pkix] Strings in certificates Rob Stradling
- Re: [pkix] Strings in certificates Erwann Abalea
- Re: [pkix] Strings in certificates Sean Turner
- Re: [pkix] Strings in certificates Peter Bowen