IETF Logo Mail Archive

Re: [pkix] [apps-discuss] character repertoire for fragment identifiers

Sean Leonard <dev+ietf@seantek.com> Sun, 11 January 2015 22:46 UTC

Return-Path: <dev+ietf@seantek.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B26041A1A9A; Sun, 11 Jan 2015 14:46:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YYw6FY95jvGk; Sun, 11 Jan 2015 14:46:07 -0800 (PST)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C32F21A882B; Sun, 11 Jan 2015 14:45:45 -0800 (PST)
Received: from [192.168.123.7] (unknown [23.241.1.22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id D484122E25F; Sun, 11 Jan 2015 17:45:38 -0500 (EST)
Message-ID: <54B2FCCE.4000304@seantek.com>
Date: Sun, 11 Jan 2015 14:44:30 -0800
From: Sean Leonard <dev+ietf@seantek.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Sam Ruby <rubys@intertwingly.net>
References: <20140926010029.26660.82167.idtracker@ietfa.amsl.com> <CACweHNBEYRFAuw9-vfeyd_wf703cvM3ykZoRMqAokRFYG_O7hQ@mail.gmail.com> <DM2PR0201MB09602B351692D424A49C6B0DC3650@DM2PR0201MB0960.namprd02.prod.outlook.com> <CACweHNBN_Bv=jeXQ_VwXi2HzHKNEwZJ1NiF-BJJo_9-mhO60gQ@mail.gmail.com> <54A557E1.6050502@intertwingly.net> <CACweHNCQZg1U1u8U=-f6h0+BPnp6Wr_T=r_wGiPAbhTbuMCGWQ@mail.gmail.com> <54A94109.5010901@intertwingly.net> <00cf01d02cc7$d5dba4c0$4001a8c0@gateway.2wire.net> <54B16C2B.9050604@seantek.com> <54B17BBE.4000900@intertwingly.net> <54B18B61.8010308@seantek.com> <54B19435.8070401@intertwingly.net> <54B1B211.3050807@seantek.com> <54B1B682.3070609@intertwingly.net> <54B28E0F.8070306@gmx.de> <54B2936B.7030805@intertwingly.net> <05AD7DE2-1C54-45CD-B33A-13766D771E57@mnot.net> <54B2A2CD.5080502@gmx.de> <1A5BBD25-FEBD-49B1-9EFB-4EF8877BF0E7@mnot.net> <54B2A4F9.2070909@gmx.de> <54B2A894.4020201@intertwingly.net> <54B2F4C3.5020008@seantek.com> <54B2F806.2090509@intertwingly. net>
In-Reply-To: <54B2F806.2090509@intertwingly.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/sBm7ghCZ2CjSbIPymRSi6V1gfx8>
Cc: "pkix@ietf.org" <pkix@ietf.org>, apps-discuss@ietf.org
Subject: Re: [pkix] [apps-discuss] character repertoire for fragment identifiers
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jan 2015 22:46:10 -0000

On 1/11/2015 2:24 PM, Sam Ruby wrote:
> On 01/11/2015 05:10 PM, Sean Leonard wrote:
>>
>> I fully agree with Julian on the matter of US-ASCII for URIs. URIs (RFC
>> 3986) are only made of US-ASCII characters.
>>
>> If someone wishes to extend URIs (as opposed to IRIs or whatever) to
>> include non-US-ASCII characters, that's a problem for web browsers and
>> all other Internet software alike. This goes exactly to my point about
>> protocol slots.
>>
>> Certificates, CRLs, and other security objects are just as fundamentally
>> a part of the Web (and web browser) infrastructure as HTML. In
>> X.509/PKIX security objects, the GeneralName uniformResourceIdentifier
>> construct is US-ASCII only (IA5String). If you extend "URIs" to be
>> beyond US-ASCII, RFC 5280 has to be updated...and all the security
>> libraries that depend upon it. Just because HTML(5) can be served as
>> UTF-8 or use &amp; encoding or whatever, doesn't make the problem go 
>> away.
>>
>> Does the URL Interop test-results explicitly test for certificates? I
>> suggest attempting to put some non-US-ASCII characters in a GeneralName
>> protocol slot (say, for revocation) and see what happens.
>
> The topic is character repertoire for fragment identifiers, not 
> schemes.  I am not suggesting that we allow non-US-ASCII protocols.
>
> I am willing to accept that GeneralName's that are expressed in the 
> form of a URI must be ASCII-only.
>
> The next question is: are all possible URIs valid GeneralNames?
>
> Here are two examples:
>
> data:image/gif;base64,R0lGODlhyAAiALM...DfD0QAADs=

Yes. Use case: Certificate Image. RFC 6170 (previously RFC 3709).

> https://www.ietf.org/#related

Yes. Use case: Certification Practice Statement (CPS) Pointer 
(Certificate Policies, id-qt-cps). Section 4.2.1.4 of RFC 5280. I have 
seen fragments in there in the wild.

Both examples are valid.

Note: the examples I provide here are actually examples where the URIs 
are encoded directly in IA5Strings; there is no GeneralName CHOICE. But 
the premise still stands. Others with PKIX experience can point to 
systems/protocols where uniformResourceIdentifier is in use with the 
appropriate.

One offhand example that I was able to find, via a Google search, is the 
GS1 Certificate Profile Standard v2.0 
<http://www.gs1.org/gsmp/kc/epcglobal/cert/cert_2_0-standard-20100610.pdf>. 
That happens to use GeneralName. It's a bit elliptical, and refers to 
RFC 4043 (which I rarely see), but...it's there.

Sean

v2.23.0 | Report a Bug | By Email