IETF Logo Mail Archive

Re: [Spasm] Name Constraints on Email Addresses

Jim Schaad <ietf@augustcellars.com> Fri, 14 April 2017 21:02 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C43A8129571 for <spasm@ietfa.amsl.com>; Fri, 14 Apr 2017 14:02:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rncCTSaRneqn for <spasm@ietfa.amsl.com>; Fri, 14 Apr 2017 14:02:37 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B41F129510 for <spasm@ietf.org>; Fri, 14 Apr 2017 14:02:37 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0131_01D2B526.585F48F0"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1492203752; h=from:subject:to:date:message-id; bh=Vv4ojsGPL4HzOjziEhSa4J5gCRDUWX/pfBeBOgIlUxA=; b=g6mXGGJbVa+JtME/0cJIIxdzvPK59OR9IyU0urB+TPNL8wesnstEpu5f1ZU9NtZPXs9N4AYorOU MHYYvaRxo0y5eD+lNhmi6/10Ew5/k91i6U3v5TcfUpUYWlo5uiI15zohnUmGh5IwVu2pHnD9tEAlt sfV8BY1EXy7arUUzdqPNl1i3AlxGGiEYv4Kdu+LPI/M4B0lEooouT/vyIvP4x5qLCrEAd/YRf2mEA NNbYNzsn3VmvltJyMCOoyEbgC0Y9li1FIYn+dxyPYZu1ylXiiPD2TSNht7CHtatklw5MBbBrkpW49 jluN0dDmBzkLyDOph5Re8taWQDLK/0Dzsu8A==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 14 Apr 2017 14:02:31 -0700
Received: from Hebrews (173.8.216.38) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 14 Apr 2017 14:02:29 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Wei Chuang' <weihaw@google.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
References: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com> <CAAFsWK0wZpr2mxT2FLWK_TFP9o+UoN1ZF+xEczJSdL4kEmM0qg@mail.gmail.com>
In-Reply-To: <CAAFsWK0wZpr2mxT2FLWK_TFP9o+UoN1ZF+xEczJSdL4kEmM0qg@mail.gmail.com>
Date: Fri, 14 Apr 2017 13:52:20 -0700
Message-ID: <013001d2b561$04ba0240$0e2e06c0$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIeO488JsHtVy6npyVMC8jP8meMgAE3jOdboSSN9SA=
X-Originating-IP: [173.8.216.38]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ahez7zjgjRq9j4sx1LkJlXD_8Qw>
Subject: Re: [Spasm] Name Constraints on Email Addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2017 21:02:40 -0000

See inline.

 

From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Wei Chuang
Sent: Friday, April 14, 2017 12:46 PM
To: Russ Housley <housley@vigilsec.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [Spasm] Name Constraints on Email Addresses

 

We have a new draft nearly ready.  Two question remains with respect to backwards compatibility

 

1) Should use of SmtpUTF8Name subject be restricted to only when the email address local part contains local part contains UTF-8 with a MUST or SHOULD?

MUST- provides stronger guarantees in the backwards compatibility with legacy path verifiers

SHOULD- allows some future issuers to use SmtpUTF8Name subject with ASCII local part email addresses once legacy verifiers are no longer a concern.

 

[JLS] This should be a MUST – you are never going to know when the backwards compatibility problems are going to go away.

 

2) Should name constraints always use the rfc822Name form with MUST or SHOULD?

MUST- provides stronger guarantees for backwards compatibility with legacy path verifiers

SHOULD- allows for future implementation to use SmtpUTF8Name name constraints once CAs need not worry about legacy verifiers. 

 

[JLS] I thought that the SmtpUTF8Name constraint option was history and disappeared from the document and processing entirely.  SmptUTF8Name form only uses the RFC822Name constraint option when doing constraints.

 

Jim

 

 

thanks,

-Wei

 

On Sun, Apr 2, 2017 at 9:25 AM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com> > wrote:

At the LAMPS WG session is Chicago, we discussed the concerns raised during IETF Last Call on draft-ietf-lamps-eai-addresses.  The discussion proposed a different way forward for constraints on email addresses.  The suggestion has two parts.  First, an update to RFC 5280, Section 4.2.1.10.  Second, have the constraints against the rfc822Name apply to the SmtpUTF8Name by mapping any A-Labels that paper in the constraint to U-Labels.  No SmtpUTF8Name constraints are ever needed.

RFC 5280, Section 4.2.1.10 offers three ways to constrain email addresses, but no one in the room doing the LAMPS session was aware of any use of the constraint applying to a particular mailbox.  The idea is to remove that capability going forward, which allows the rfc822Name constraint to apply to both rfc822Name and SmtpUTF8Name.

OLD:

   A name constraint for Internet mail addresses MAY specify a
   particular mailbox, all addresses at a particular host, or all
   mailboxes in a domain.  To indicate a particular mailbox, the
   constraint is the complete mail address.  For example,
   "root@example.com <mailto:root@example.com> " indicates the root mailbox on the host
   "example.com <http://example.com> ".  To indicate all Internet mail addresses on a
   particular host, the constraint is specified as the host name.  For
   example, the constraint "example.com <http://example.com> " is satisfied by any mail
   address at the host "example.com <http://example.com> ".  To specify any address within a
   domain, the constraint is specified with a leading period (as with
   URIs).  For example, ".example.com <http://example.com> " indicates all the Internet mail
   addresses in the domain "example.com <http://example.com> ", but not Internet mail
   addresses on the host "example.com <http://example.com> ”.

NEW:

   A name constraint for Internet mail addresses MAY specify all
   addresses at a particular host or all mailboxes in a domain.  To
   indicate all Internet mail addresses on a particular host, the
   constraint is specified as the host name.  For example, the constraint
   "example.com <http://example.com> " is satisfied by any mail address at the host
   "example.com <http://example.com> ".  To specify any address within a domain, the constraint
   is specified with a leading period (as with URIs).  For example,
   ".example.com <http://example.com> " indicates all the Internet mail addresses in the domain
   "example.com <http://example.com> ", but not Internet mail addresses on the host
   “example.com <http://example.com> .

It was observed that the conversion of an A-Lable to a U-Label and back to an A-Label may not alway give the same string.  Perhaps we could say: Conforming CAs SHOULD only include A-Lables in the rfc822Name constraint that result in the same result when converted to a U-Label and back again to an A-Label.

The represent a significant change in direction for this document.  Please speak promptly is you disagree with this new direction.

Russ

_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org> 
https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email