[pkix] Support for email address internationalization in RFC5280 certificates

Wei Chuang <weihaw@google.com> Thu, 04 February 2016 19:05 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/nJVvsrmAQYmIU-lDaobhv9W0Lvk>

PKIX community,

We've observed a limitation for specifying internationalized email
addresses as the local part, which is restricted to essentially ASCII.  That
is, subject or issuer email addresses, which should be stored as
subject-alt-name or issuer-alt-name rfc822Name, are encoded as
IA5String.  This is despite the internationalization in email usage, as
specified by internationalization of email headers in RFC6532, allowing
Unicode in To, From, etc. fields and becoming fairly commonplace.  RFC5280
already specifies internationalization of the domain but lacks any
specification for the local-part.  We propose a brief draft to specify an
encoding of the email UTF-8 local part to base64.  This is described in:
http://www.ietf.org/id/draft-lbaudoin-iemax-02.txt
One goal of that draft is to be compatible with existing PKI practices, such
as path constraints with email addresses, as this draft refines the existing
rfc822Name rather than specifying a new location for email addresses.

There are some other alternatives that probably should be mentioned for
discussion.  Instead of base64, another possibility is percent encoding as
done in RFC3987.  Our proposal is likely to be more compact and easier to
identify, but we would welcome feedback.  Another direction is to specify a
SAN/IAN otherName compatible with Unicode for internationalized email.
A. Melnikov specified this in an earlier draft:
https://www.ietf.org/archive/id/draft-ietf-pkix-eai-addresses-00.txt

Another thing to consider is whether there are other RFC5280 types that
need updating for internationalization.  Please consider looking into
uniformResourceIdentifier as well.

-Wei
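The two encodings compared in the message above, worked through as an added example (this is not code from the email, from draft-lbaudoin-iemax, or from any PKIX implementation). It takes a constructed Unicode mailbox, encodes its local part with plain base64 and with RFC 3986/3987-style percent encoding, checks that each result fits in an IA5String and still parses as an RFC 5322 dot-atom local part, and then applies the RFC 5280 section 4.2.1.10 rfc822Name name-constraint forms (a host, a leading-period domain, or a specific mailbox) to the encoded address. The exact marker syntax the draft uses to flag an encoded local part is not reproduced here; the encoding functions below are a bare illustration of the two options, and the sample address is constructed for the demonstration.

```python
import base64
import binascii
import string
from urllib.parse import quote

# Constructed sample (RFC 6532 style): a Unicode local part, ASCII domain.
SAMPLE_ADDRESS = "用户@example.com"

# RFC 5322 atext; a dot-atom local part is atext runs separated by dots.
ATEXT = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


def split_mailbox(addr):
    """Split an addr-spec at its last '@' into (local_part, domain)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % addr)
    return local, domain


def is_ia5(s):
    """IA5String can carry only 7-bit (ASCII) characters."""
    return all(ord(c) < 128 for c in s)


def is_dot_atom(local):
    """True if the (ASCII) local part is a valid RFC 5322 dot-atom."""
    parts = local.split(".")
    return all(part and all(c in ATEXT for c in part) for part in parts)


def encode_local_base64(addr):
    """Base64 the UTF-8 bytes of the local part; domain is left untouched."""
    local, domain = split_mailbox(addr)
    enc = base64.b64encode(local.encode("utf-8")).decode("ascii")
    return enc + "@" + domain


def decode_local_base64(addr):
    """Reverse encode_local_base64, rejecting non-alphabet input and bad UTF-8."""
    local, domain = split_mailbox(addr)
    try:
        raw = base64.b64decode(local, validate=True)
    except binascii.Error as exc:
        raise ValueError("local part is not base64: %r" % local) from exc
    return raw.decode("utf-8") + "@" + domain


def encode_local_percent(addr):
    """Percent-encode every non-unreserved UTF-8 byte (RFC 3986/3987 style)."""
    local, domain = split_mailbox(addr)
    return quote(local, safe="") + "@" + domain


def rfc822name_matches(constraint, addr):
    """RFC 5280 4.2.1.10 rfc822Name constraint matching.

    'example.com'      -> any mailbox on that host
    '.example.com'     -> any mailbox within that domain
    'user@example.com' -> that particular mailbox
    Domains compare case-insensitively; the local part compares exactly.
    """
    local, domain = split_mailbox(addr)
    if "@" in constraint:
        c_local, c_domain = split_mailbox(constraint)
        return local == c_local and domain.lower() == c_domain.lower()
    c = constraint.lower()
    if c.startswith("."):
        return domain.lower().endswith(c)
    return domain.lower() == c


def compare_encodings(addr):
    """Summarise both candidate encodings for one address."""
    out = {}
    for name, enc in (("base64", encode_local_base64(addr)),
                      ("percent", encode_local_percent(addr))):
        local, _ = split_mailbox(enc)
        out[name] = {"encoded": enc, "ia5": is_ia5(enc),
                     "dot_atom": is_dot_atom(local), "local_len": len(local)}
    return out


if __name__ == "__main__":
    print("original fits IA5String:", is_ia5(SAMPLE_ADDRESS))
    for name, info in compare_encodings(SAMPLE_ADDRESS).items():
        print(name, info)
    enc = encode_local_base64(SAMPLE_ADDRESS)
    print("host constraint still matches encoded form:",
          rfc822name_matches("example.com", enc))
```

Two points fall out of running it. Every character of the standard base64 alphabet (including '+', '/' and '=') is atext, as is '%', so both encodings stay valid dot-atom local parts and both fit an IA5String; the base64 form is shorter. And because the domain is never touched, host and domain constraints keep working on the encoded address unchanged, whereas a constraint naming a specific mailbox has to be written in the same encoded form. Without a marker, a base64 local part is indistinguishable from an ordinary ASCII one, which is why the identification mechanism the draft chooses matters.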