IETF Logo Mail Archive

Re: [Spasm] Name Constraints on Email Addresses

Wei Chuang <weihaw@google.com> Fri, 14 April 2017 19:46 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3FB6129584 for <spasm@ietfa.amsl.com>; Fri, 14 Apr 2017 12:46:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x9pOXCKEKUjk for <spasm@ietfa.amsl.com>; Fri, 14 Apr 2017 12:46:00 -0700 (PDT)
Received: from mail-vk0-x22f.google.com (mail-vk0-x22f.google.com [IPv6:2607:f8b0:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A94B12957B for <spasm@ietf.org>; Fri, 14 Apr 2017 12:46:00 -0700 (PDT)
Received: by mail-vk0-x22f.google.com with SMTP id r69so42503407vke.2 for <spasm@ietf.org>; Fri, 14 Apr 2017 12:46:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=j4XRK6zg5xZzeA+HV1g+hoLrHjZZte6KW0p8cX3Rgqc=; b=NDXQixncIVtzOzznMrfUjpIkqLDS68/CKbU2MvQBa+VdL1s4Rp/lkshg+ff9ORBXHb 6w5LAN46If72m4rN7Hv7NG6XjlleWb3FVZxQtLqOeCcyHQtvAbWfMtrCfP+OplXvxi25 lmdftKNbQhihCldjRqhzfhpUbZzd84ssNDKh586wjyp9qKw/sgAnnp1zuuGgRcsvukLr 1kFBkxQzoGQmIYj73VE+OmViys9DhohAE8dCdujIOpcqihUdwbpY3SwL6+yU6c9z+Dxk zAfoT70KCLSLP4ELTLnLwsZHznqqTtdFloie6yKhURd7l+vfEhPzdgk6/JltGTk/nKqc zcQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=j4XRK6zg5xZzeA+HV1g+hoLrHjZZte6KW0p8cX3Rgqc=; b=Z1ayHqcDOyCTLQKrTfrqG/UlQ+Uqx97EKXLENCVMrni3hKdYDC/k5aGg2OE59vYb67 jeVrtKNYz9Mt52iIGDpSby9gVZZBA2xnzZfkcWJENst0NVom+qn3fQzNsFDx0DtrRqa7 jk8ip2kKTALLgZ0zbygARHPmH/4D5oC7Z2f0JKM/yecLuKrjk0aUvxQnQiFMKo8NHpkD N9wUQdfGXf+bmGE1TYFjoAXyExq9DriLJ0ihOQYF03zk5GM3B185lE5KfNn7p9pzZl7v 9uEELKXRa1yKxN9JVcqdr8+IpnHaeTuqteL9gWsHw60/5uCP6gi3dChwWk+AvqqqhkBV UMNw==
X-Gm-Message-State: AN3rC/6KWPD9INWwYKOelRMiecER41WXert0KyObtE0wJ3kKYPDCtdva QUtbN7+Nmn0WNk6qlxLxrSJHgLVcQVfxZbDJMA==
X-Received: by 10.31.170.68 with SMTP id t65mr3871440vke.133.1492199159344; Fri, 14 Apr 2017 12:45:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.51.200 with HTTP; Fri, 14 Apr 2017 12:45:58 -0700 (PDT)
In-Reply-To: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com>
References: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com>
From: Wei Chuang <weihaw@google.com>
Date: Fri, 14 Apr 2017 12:45:58 -0700
Message-ID: <CAAFsWK0wZpr2mxT2FLWK_TFP9o+UoN1ZF+xEczJSdL4kEmM0qg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a11431b66da8b7d054d25b0c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/F0ubokp97dva6PFKzaW839MocTY>
Subject: Re: [Spasm] Name Constraints on Email Addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2017 19:46:03 -0000

We have a new draft nearly ready.  Two question remains with respect to
backwards compatibility

1) Should use of SmtpUTF8Name subject be restricted to only when the email
address local part contains local part contains UTF-8 with a MUST or SHOULD?
MUST- provides stronger guarantees in the backwards compatibility with
legacy path verifiers
SHOULD- allows some future issuers to use SmtpUTF8Name subject with ASCII
local part email addresses once legacy verifiers are no longer a concern.

2) Should name constraints always use the rfc822Name form with MUST or
SHOULD?
MUST- provides stronger guarantees for backwards compatibility with legacy
path verifiers
SHOULD- allows for future implementation to use SmtpUTF8Name name
constraints once CAs need not worry about legacy verifiers.

thanks,
-Wei

On Sun, Apr 2, 2017 at 9:25 AM, Russ Housley <housley@vigilsec.com> wrote:

> At the LAMPS WG session is Chicago, we discussed the concerns raised
> during IETF Last Call on draft-ietf-lamps-eai-addresses.  The discussion
> proposed a different way forward for constraints on email addresses.  The
> suggestion has two parts.  First, an update to RFC 5280, Section 4.2.1.10.
> Second, have the constraints against the rfc822Name apply to the
> SmtpUTF8Name by mapping any A-Labels that paper in the constraint to
> U-Labels.  No SmtpUTF8Name constraints are ever needed.
>
> RFC 5280, Section 4.2.1.10 offers three ways to constrain email addresses,
> but no one in the room doing the LAMPS session was aware of any use of the
> constraint applying to a particular mailbox.  The idea is to remove that
> capability going forward, which allows the rfc822Name constraint to apply
> to both rfc822Name and SmtpUTF8Name.
>
> OLD:
>
>    A name constraint for Internet mail addresses MAY specify a
>    particular mailbox, all addresses at a particular host, or all
>    mailboxes in a domain.  To indicate a particular mailbox, the
>    constraint is the complete mail address.  For example,
>    "root@example.com" indicates the root mailbox on the host
>    "example.com".  To indicate all Internet mail addresses on a
>    particular host, the constraint is specified as the host name.  For
>    example, the constraint "example.com" is satisfied by any mail
>    address at the host "example.com".  To specify any address within a
>    domain, the constraint is specified with a leading period (as with
>    URIs).  For example, ".example.com" indicates all the Internet mail
>    addresses in the domain "example.com", but not Internet mail
>    addresses on the host "example.com”.
>
> NEW:
>
>    A name constraint for Internet mail addresses MAY specify all
>    addresses at a particular host or all mailboxes in a domain.  To
>    indicate all Internet mail addresses on a particular host, the
>    constraint is specified as the host name.  For example, the constraint
>    "example.com" is satisfied by any mail address at the host
>    "example.com".  To specify any address within a domain, the constraint
>    is specified with a leading period (as with URIs).  For example,
>    ".example.com" indicates all the Internet mail addresses in the domain
>    "example.com", but not Internet mail addresses on the host
>    “example.com.
>
> It was observed that the conversion of an A-Lable to a U-Label and back to
> an A-Label may not alway give the same string.  Perhaps we could say:
> Conforming CAs SHOULD only include A-Lables in the rfc822Name constraint
> that result in the same result when converted to a U-Label and back again
> to an A-Label.
>
> The represent a significant change in direction for this document.  Please
> speak promptly is you disagree with this new direction.
>
> Russ
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email