IETF Logo Mail Archive

[lamps] draft-ietf-lamps-eai-addresses-10 full review Part 2

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 14 June 2017 04:24 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF156131B00 for <spasm@ietfa.amsl.com>; Tue, 13 Jun 2017 21:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYlgZObp7msB for <spasm@ietfa.amsl.com>; Tue, 13 Jun 2017 21:24:53 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0DBA129B19 for <spasm@ietf.org>; Tue, 13 Jun 2017 21:24:52 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E4F017A3309; Wed, 14 Jun 2017 04:24:51 +0000 (UTC)
Date: Wed, 14 Jun 2017 04:24:51 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: SPASM <spasm@ietf.org>
Message-ID: <20170614042451.GD23375@mournblade.imrryr.org>
Reply-To: spasm@ietf.org
References: <1AE5876A-D3B4-4711-A701-03F64532F3B0@vigilsec.com> <20170607045725.GI25754@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170607045725.GI25754@mournblade.imrryr.org>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HtktFPTa8nUIx2ekyWDFsG8ufGk>
Subject: [lamps] draft-ietf-lamps-eai-addresses-10 full review Part 2
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 04:24:56 -0000

> 6.  Name constraints in path validation
> 
>    This section updates [RFC5280] name constraints defined in section
>    4.2.1.10 to work with SmtpUTF8Name subjectAltName.

Better something along the lines of:

     This section updates section 4.2.1.10 of [RFC5280] to extend
     rfc822Name name constraints to SmtpUTF8Name subjectAltNames.


>                                                        The following
>    specifies that a SmtpUTF8Name aware CA use a compatible name
>    constraint representation.

What's a "compatible name constraint representation"?  Either
clarify or delete...

>                                Similarly a SmtpUTF8Name aware path
>    validators MUST be able to apply name constraint comparison to the
>    subject distinguished name and both forms of subject alternative name
>    rfc822Name and SmtpUTF8Name.

It is I think long past time to end support for extracting DNS-ID
names and email email addresses from the certificate subject DN.
We should consider updating 5280 to drop support for matching
"emailAddress" in the subject DN when no rfc822name subject
alternative names are present.  If so, perhaps there should be no
mention of enforcing email name constraints against the subject DN.

Also, it is not clear what the "MUST" here means.  It seems to me
that this sentence is design rationale, not a protocol requirement.

>    The SmtpUTF8Name aware email address name constraint form is
>    specified to be rfc822Name motivated by compatibility considerations
>    with legacy systems that already understand that form.

Better:

     Both rfc822Name and SmtpUTF8Name subject alternative names
     represent the same underlying email address namespace.  Since
     legacy CAs constrained to issue certificates for a specific
     set of domains would lack corresponding UTF-8 constraints,
     this specification modifies and extends rfc822Name name
     constraints to cover SmtpUTF8Name subject alternative names.
     This ensures that the introduction of SmtpUTF8Name does not
     violate existing name constraints.

>                                                            This
>    specification modifies [RFC5280] name constraint to only require with
>    MAY that it represents all addresses at a host or all mailboxes in a
>    domain, and require with MAY NOT that it represent a particular
>    mailbox.

Better:

     Since it is not valid to include non-ASCII UTF-8 characters
     in the local-part of rfc822Name name constraints, and since
     name constraints that include a local-part are rarely, if at
     all, used in practice, this specification modifies [RFC5280]
     name constraints to only admit the forms represent all addresses
     at a host or all mailboxes in a domain, and deprecates rfc822Name
     name constraints that represent a particular mailbox.  That is,
     rfc822Name constraints with a local-part MUST NOT be used.

>              For context, [RFC5280] Section 4.2.1.10 specifies with MAY
>    that name constraint represent a particular mailbox, all addresses at
>    a host, or all mailboxes in a domain by specifying the complete email
>    address, a host name, or a domain.  The change is due to rfc822Name
>    name constraints inability to represent a specific mailbox with a
>    UTF-8 email local part email address.  CA certificate issuers should
>    be aware of this lessened support.

Delete.

>    Constraint comparison with SmtpUTF8Name subjectAltName starts with
>    the setup steps defined by Section 5.  The setup applies to the
>    inputs of the comparison which is one of a subject distinguished name
>    or a rfc822Name or SmtpUTF8Name subjectAltName, and one of a
>    rfc822Name name constraint.

Delete, and instead describe the actual process.


>                                 Non-normatively the setup will convert
>    any domain A-label to U-label in the rfc822Name name constraint, and
>    to lower case any domain NR-LDH label in both the name constraint and
>    the subject.

Instead of "non-normatively", specify that comparison MUST be equivalent
to:

    0.  CA certificates which include rfc822Name name constraints
	with a local-part are now invalid for issuing end-entity
	email certificates.  Equivalently, such CA certificates
	now exclude all rfc822Name and SmtpUTF8Name subject
	alternative names in the end-entity certificate.

    1.  Strip the local-part and "@" separator from each rfc822Name and
	SmtpUTF8Name, leaving just the domain-part.

    2.  Decoding any A-labels in the rfc822Name name constraint to U-labels.

    3.  Converting any NR-LDH labels in the rfc822Name name constraint to
	lower case.

    4.  Decoding any A-labels in the domain-part of each rfc822Name
        or SmtpUTF8Name subject alternative name to U-labels.

    5.  Converting any NR-LDH labels in the domain-part of each
	rfc822Name or SmtpUTF8Name subject alternative name to
	lower case.

    6.  If the resulting name constraint domain starts with a "."
	character, then for the name constraint to match, a suffix
	of the resulting subject alternative name domain MUST match
	the name constraint (including the leading ".") octet for octet.

    7.  If the resulting name constraint domain does not start with a "."
	character, then for the name constraint to match, the entire
	resulting subject alternative name domain MUST match the
	name constraint octet for octet.

>                  After setup, this follows the comparison steps defined
>    in 4.2.1.10 of [RFC5280] with some modifications as follows.  The
>    comparison process starts by determining the name constraint
>    representation i.e. email host name or domain part, then comparing
>    the name constraint against the corresponding part in the email
>    address using a byte for byte comparison.  This document suggests
>    that name constraint comparison with subject distinguished name or
>    rfc822Name subjectAltName also follow these setup and comparisons
>    steps as well.

Delete.

There should be some discussion of what CAs are expected to do when
issuing constrained intermediate subsidiary CAs (accept only IDNA2008
conformant names with no mappings, converting to A-labels in
rfc822Name subject alternative names and name constraints).

>    The name constraint requirement with SmtpUTF8Name subject alternative
>    name is illustrated in the non-normative diagram Figure 1.  The first
>    example (1) illustrates a permitted rfc822Name ASCII only hostname
>    name constraint, and the corresponding valid rfc822Name
>    subjectAltName and SmtpUTF8Name subjectAltName email addresses.  The
>    second example (2) illustrates a permitted rfc822Name hostname name
>    constraint with A-label, and the corresponding valid rfc822Name
>    subjectAltName and SmtpUTF8Name subjectAltName email addresses.
>

I would here re-iterate the requirement to use an A-label domain-part
encoding in an rfc822Name subject alternative name when the local-part
is all-ASCII.

>    +-------------------------------------------------------------------+
>    |  Root CA Cert                                                     |
>    +-------------------------------------------------------------------+
>                                      v
>    +-------------------------------------------------------------------+
>    |  Intermediate CA Cert                                             |
>    |      Permitted                                                    |
>    |        rfc822Name: elementary.school.example.com (1)              |
>    |        rfc822Name: xn--pss25c.example.com (2)                     |
>    +-------------------------------------------------------------------+
>                                      v
>    +-------------------------------------------------------------------+
>    |  Entity Cert (w/explicitly permitted subjects)                    |
>    |    SubjectAltName Extension                                       |
>    |      rfc822Name: student@elemenary.school.example.com (1)         |
>    |      SmtpUTF8Name: u+5B66u+751F@elementary.school.example.com (1) |
>    |                                                                   |
>    |      rfc822Name: student@xn--pss25c.example.com (2)               |
>    |      SmtpUTF8Name: u+533Bu+751F@u+5927u+5B66.example.com (2)      |
>    +-------------------------------------------------------------------+
> 
>    Name constraints with SmtpUTF8Name and rfc822Name
> 
>                                  Figure 1

> 7.  Security Considerations
> 
>    Use for SmtpUTF8Name for certificate subjectAltName (and
>    issuerAltName) will incur many of the same security considerations of
>    Section 8 in [RFC5280] but is further complicated by permitting non-
>    ASCII characters in the email address local-part.

	s/Use for/Use of/
	s/of Section 8/as in Section 8/
	s/but is further complicated/, but introduces a new issue/

>                                                       This complication,
>    as mentioned in Section 4.4 of [RFC5890] and in Section 4 of
>    [RFC6532], is that use of Unicode introduces the risk of visually
>    similar and identical characters which can be exploited to deceive
>    the recipient.

	s/This complication/The issue/

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email