IETF Logo Mail Archive

Re: [Spasm] comments on draft-ietf-pkix-eai-addresses-01

Wei Chuang <weihaw@google.com> Fri, 17 June 2016 18:35 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 792EA12D815 for <spasm@ietfa.amsl.com>; Fri, 17 Jun 2016 11:35:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.126
X-Spam-Level:
X-Spam-Status: No, score=-4.126 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YyISkB4sYnRW for <spasm@ietfa.amsl.com>; Fri, 17 Jun 2016 11:35:37 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABE8912D84D for <spasm@ietf.org>; Fri, 17 Jun 2016 11:35:37 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id p204so129668500oih.3 for <spasm@ietf.org>; Fri, 17 Jun 2016 11:35:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IrzYGavzUXeEbHFKLj+ESo89L8VYL5XXXSpunwpEeR0=; b=MAkdmPtQGLuc7+9QPTJVhEmKNW3q/NB/0eY/XW1EovArk/STwWLO/kSRs1vgRuQx79 1T48GJE5RpKcqU3PngN6Yqg1T8ObVdezsZ2UpVZxoYUHAfO7j8ET74EtwqAizBnsFTN3 2fSx2HlfKKquT6M+IfYjmPfRa5pSwCCuC7o0iLBX776Pp9cjzhz1DpabB3A+Qk9KprL8 uwL6aC4kFAbbWkqRZ1jCZchd4MRIwKq/zgMrkg5xFX4wP6Rzz9OG4apuKdWsSwhCUGTX 3BC5Xr4Sk6txo2fyUDROVo1XOy1d7/r0rBmqMUeOAZw5weGcd7lNheT7I/A9arKiEti5 G3QQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IrzYGavzUXeEbHFKLj+ESo89L8VYL5XXXSpunwpEeR0=; b=KmO1Q0TqX/e7I/JiWEy1GFQUa5m/vq7AbwPMQH4wfTkMk+CJWytygyEOMSlaBYZ2+N LC189I9qFIu03ZqrW5DW3Bd275mOxNJLZIXZCKfI3KRKCGr37ik/bWebC8vWBFj9keZy 2UYY1eKRPBgU43pOxU/ylJfvCy1dmUZ1YvICoTslCg8bBGUI/zMQS7EdJHo1gv1j5FD7 +vYU42vI/Lxrwr6ZPSYZ9zMEPCWs6TMLakBJV0WZPg/pOf8DAPmm4ua6f/+UhHBxzcLz CeQnd5nethddDGIHk076T+0WutHE5LWBvIZJly40KsAax10nsAhvuTGrjrxgCghJTfBq S5VA==
X-Gm-Message-State: ALyK8tKaPsBJ109FM097I2vXAVAdE17IGDYdKFwoOmQx/Zvl6TQOQY0WhQXn4L9tsmEh5QaCXugVScz0ZEwUsZg/
X-Received: by 10.202.171.143 with SMTP id u137mr2359173oie.31.1466188536345; Fri, 17 Jun 2016 11:35:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.27.139 with HTTP; Fri, 17 Jun 2016 11:35:35 -0700 (PDT)
In-Reply-To: <e535c2c6-c1e3-63e3-5296-dd35cac669aa@seantek.com>
References: <064201d1ada1$0b94dc20$22be9460$@augustcellars.com> <5740CA5D.9000900@isode.com> <000301d1b4a3$f6fdc470$e4f94d50$@augustcellars.com> <e535c2c6-c1e3-63e3-5296-dd35cac669aa@seantek.com>
From: Wei Chuang <weihaw@google.com>
Date: Fri, 17 Jun 2016 11:35:35 -0700
Message-ID: <CAAFsWK168-2uXW6ug0a-aQsH7zipxciivaDqX5Fa1ig1qQqHBg@mail.gmail.com>
To: Sean Leonard <dev+ietf@seantek.com>
Content-Type: multipart/alternative; boundary="001a113c2efee25c6005357d9eca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Er6rKPwmZFZugqPB7q92ThVdyUE>
Cc: spasm@ietf.org
Subject: Re: [Spasm] comments on draft-ietf-pkix-eai-addresses-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 18:35:39 -0000

On Thu, Jun 16, 2016 at 6:31 AM, Sean Leonard <dev+ietf@seantek.com> wrote:

> A few additional points popped out at me:
>
> Currently, draft-melnikov-spasm-eai-addresses-01 does not restrict out
> plain (ASCII-only) e-mail addresses. This means that ASCII-only e-mail
> addresses can be "hidden" from implementations that don't support this new
> eai method. I am not in favor of this. The text is not really clear about
> whether non-internationalized email addresses are allowed in eaiName. It
> should be clear in saying that eaiName is restricted to internationalized
> email addresses, i.e., where there is at least one character beyond the
> ASCII range in the local-part. Email addresses that are limited to ASCII in
> the local-part MUST be encoded in rfc822Name only.
>

Handling coexistence of rfc822Name and eaiName is an interesting question
and in an ideal world we could switch from one to the other to reduce the
implementation cost.  Realistically we'll have to support both for awhile.
I think your suggestion is good which is to support both but restrict usage
and will likely reduce deployment confusion.  This consequence of this will
likely mean keeping rfc822Name and eaiName as acceptable email address
representations for the foreseeable future.

Let me pose another suggestion I received which is to start a transition to
eaiName- we could add a SHOULD recommendation that all future PKIX subject
email addresses be represented as eaiName, with language stating the intent
to transition to eaiName as the sole representation, along with a SHOULD
NOT on future usage of rfc822Name.  Some future revision could change this
to MUST/MUST-NOT.  What do you think of this approach?


>
> Can the ASN.1 reflect this with an appropriate string restriction?


> The comparison algorithm is convoluted.


Domain name represented in A-labels is what RFC5280 requires for its
verification process (step 7.2).  The draft just simply states insuring it
is represented as A-label in the certificate stored form to reduce risk of
translation error by verifier implementation.


> There will be implementations that don't bother with the convoluted
> algorithm, and running the convoluted algorithm over thousands or hundreds
> of millions of certificates is going to have a meaningful impact on
> performance. It's better to put the address in a form that is amenable to
> octet-by-octet comparison. This argues in favor of requiring the domain
> name to be in U-labels instead of A-labels, and to normalize case (to
> lowercase) for characters in the ASCII range.


A better place to ask for this change, is to update RFC5280 to mandate
comparison as U-label domains.  This draft is just taking the position that
there ought to be just one in certificate domain form which is going to be
whatever the RFC5280 comparison form is.

-Wei


>
>
> Sean
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email