IETF Logo Mail Archive

Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

Wei Chuang <weihaw@google.com> Sun, 12 March 2017 21:40 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53E1812943A for <spasm@ietfa.amsl.com>; Sun, 12 Mar 2017 14:40:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyioHDjgI4nR for <spasm@ietfa.amsl.com>; Sun, 12 Mar 2017 14:40:48 -0700 (PDT)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05513129415 for <spasm@ietf.org>; Sun, 12 Mar 2017 14:40:47 -0700 (PDT)
Received: by mail-oi0-x22f.google.com with SMTP id m124so70771997oig.1 for <spasm@ietf.org>; Sun, 12 Mar 2017 14:40:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=rMU2MCNcroOGJ8WCZDC389TRL5m3HRBoV3Sac6n/QcA=; b=hsHvUj+BTRBkLWIP3zyWeszOs1SZ0n6oD1UoLN8NlQgLAsdoiXJCOx6yE/CDVPtcG+ HCIRMrqaSsKc5ZnpzvhHhtjCvfDGna1DieNAPOn8zr68EfNX0LojyvufjvpE0lB6bZb4 /zDz+eoP6aYEtfLBFza90l2Sv7Nfv66XXI4nseVZeEHcvB3fDnyybzaeOU8XFfJizvRP o0pYIMSCdolwV2IkEtlx5afg0qJBu1Pc/ON50NiB9EdHqSwYI90Xdr4gOlCoEvIR8WJA ICmjeuvJ6rzHHze/zuGPo7zrIm60XY+ibpGntVk7QhDhdF+ZEt696rQbdYUL3W0atrA6 dkeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=rMU2MCNcroOGJ8WCZDC389TRL5m3HRBoV3Sac6n/QcA=; b=CqlpZlJZ6lS1SR+wAs6iqwiJNtYRkQTGrqGZ1kobdUuyLngHXOIG0KSZpLLzfP0sj1 teTv+AnpQ9dqFhj33HISKw2Z4KqzwtdEXCvYnefTnspPU7LgBkC61d+seBWey+JxQKQv SE+2//EdFF3AEq7yh+IiAIjV2Tmi7qTrxEr+lOmP8t3aJKDrTIf3knDBJ/PNRv7jXvKZ 1NcONo4QL6v3rx8eZlDf6lGexKxdjkf1PYnYYHlBCgEFVK97rPTAyowoIqCTpOv8GdVB fzKwflZVv0x0mo2BVBb/pE2IgKEgsAe8xY2XN//tsEsnlJAUt0o2n+BekMNl+rC7p/3c xeHQ==
X-Gm-Message-State: AMke39ngyzAjdrgoeJJ5UyNRR/Y0V4+6x/8+R4v+5ZxuiuIZ9+ln6pdsHi1ZpQFMc4pqhwU4VohGXhE5RHbvG9fP
X-Received: by 10.202.226.146 with SMTP id z140mr14326118oig.166.1489354847134; Sun, 12 Mar 2017 14:40:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.41.226 with HTTP; Sun, 12 Mar 2017 14:40:45 -0700 (PDT)
In-Reply-To: <CAAFsWK1Q=d-9E++J0Z7UyEn3mshKkbYZ9yuGX974XvU8rO0VQw@mail.gmail.com>
References: <alpine.OSX.2.20.1702111606270.2386@ary.qy> <CAAFsWK0KoeeHeKxay=j=NR8AqbzaHXtjNoQNQqRHwUNT3-Pe_Q@mail.gmail.com> <D237E866-CEC3-4A3C-9D5E-0D1B48F1799B@dukhovni.org> <841bb724-7403-4682-3d50-f878f63b0346@cs.tcd.ie> <6d114340-c9a7-e311-e6f9-0614600cafd2@cs.tcd.ie> <CAAFsWK2RMGp0jqesx3cTbN=S7p0WuhH+0AbeJuuiZPF6WCbQOQ@mail.gmail.com> <BCEFAA3C-B711-4269-81C8-4DA0E1AA7AD0@dukhovni.org> <CAAFsWK3yJ9r+6abTXZQsNsey+VcRpdtVv=Hku_54_LZ9y1T2xQ@mail.gmail.com> <B8A5967B-9C19-4167-8A20-B82DFD46A924@dukhovni.org> <00c401d298b8$616fffa0$4001a8c0@gateway.2wire.net> <CAAFsWK1Q=d-9E++J0Z7UyEn3mshKkbYZ9yuGX974XvU8rO0VQw@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
Date: Sun, 12 Mar 2017 14:40:45 -0700
Message-ID: <CAAFsWK3n=dpix1dF6_tm+ZBSqkC=+DW301HaLSg__p-0Tt0rxg@mail.gmail.com>
To: IETF general list <ietf@ietf.org>, SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a11408a3aa04c46054a8f722c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6k9ZCY60MmQMPM6MfJBkGfwZK0Q>
Subject: Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 21:40:51 -0000

The latest draft 08 is up:
https://tools.ietf.org/html/draft-ietf-lamps-eai-addresses-08

The diff is:
https://tools.ietf.org/rfcdiff?url2=draft-ietf-lamps-eai-addresses-08.txt

This draft attempts to capture Viktor's name constraint verifier logic, and
illustrate the examples in the diagrams.

-Wei


On Thu, Mar 9, 2017 at 10:22 AM, Wei Chuang <weihaw@google.com> wrote:

> There seems to be a consensus here and internally to the changes that
> Viktor proposes.  We can put that in the next draft update.
>
> -Wei
>
> On Thu, Mar 9, 2017 at 1:34 AM, tom p. <daedulus@btconnect.com> wrote:
>
>> ----- Original Message -----
>> From: "Viktor Dukhovni" <ietf-dane@dukhovni.org>
>> To: <spasm@ietf.org>; "IETF general list" <ietf@ietf.org>
>> Sent: Thursday, March 09, 2017 3:19 AM
>> > On Mar 8, 2017, at 8:17 PM, Wei Chuang <weihaw@google.com> wrote:
>> >
>> > Okay.  I think the direction then is to have SmtpUTF8Name respect
>> rfc822Name name constraints and vice versa.
>>
>> Well, no, the simplest proposal on the table is for SmtpUTF8Name to
>> be *prohibited* when rfc822Name constraints are present and SmtpUTF8Name
>> constraints are not.  When both present, they can operate independently.
>>
>> <tp>
>>
>> Getting security right can be tricky as the legion of failed attempts
>> that make it to RFC testify but what you are proposing here seems so
>> simple, so obviously the right thing to do that I am puzzled, bewildered
>> even, that anyone can disagree with you.
>>
>> Tom Petch
>>
>> The verifier logic is then:
>>
>> 1. If neither rfc822Name constraints nor SmtpUTF8Name constraints
>>            are present in any CA certificate in the chain, any mixture
>> of
>>            rfc822Name and SmtpUTF8Name SAN elements is valid.
>>
>> 2. If some certificate in the chain contains *only* rfc822Name
>>    constraints, then these apply to rfc822Name SAN elements, but
>>    all SmtpUTF8Names are prohibited.
>>
>> 3. When both types of constraints are present in all CA certificates
>>            that have either type, then constraints for each SAN type are
>>    exclusively based on just the corresponding constraint type.
>>
>> 4. If some certificate in the chain contains only SmtpUTF8Name
>>      constraints then those are unavoidably at risk of bypass via
>>            rfc822Name SAN elements when processed by legacy verifiers.
>>    Therefore, this should be avoided, and the CA needs to
>>      publish rfc822Name constraints that prevent bypass.  Such
>>    constraints *need not* be equivalent (not always possible)
>>    to the desired SmtpUTF8Name constraints.  Rather, it suffices
>>    to not permit rfc822Name elements that would be prohibited
>>    if they were simply cut/pasted (with no A-label to U-label
>>            conversions) as SmtpUTF8Name elements.  It is not necessary
>>    for these to permit everything that SmtpUTF8Name permits.
>>
>> Thus for example, if SmtpUtf8Name only permits addresses in the non
>> NR-LDH
>> domain "духовный.org <http://xn--b1adqpd3ao5c.org>" (or a specific set
>> of addresses in such a domain),
>> then the corresponding rfc822Name constraint could just permit "." (or
>> the
>> reserved "invalid" TLD if that's preferable) which is not a usable email
>> domain.  This ensures that only the permitted SmtpUTF8Name SANs are used
>> and no rfc822Name SANs are used.
>>
>> If, instead the Smtp8Name constraints are excluded non-ASCII address
>> forms,
>> then since these have no literal rfc822Name equivalents, the rfc822Name
>> constraints can be omitted with the same effect.
>>
>> Only when the intention is to permit NR-LDH domains with either ASCII or
>> UTF-8 localparts (or an all-ASCII full address) do the rfc822Name and
>> SmtpUTF8Name constraints need to be fully equivalent.  This is of course
>> trivial to do.  Just cut/paste the same string into both types of
>> constraint.
>>
>> --
>> Viktor.
>>
>>
>

v2.23.0 | Report a Bug | By Email