IETF Logo Mail Archive

Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 14 March 2017 13:44 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3F4312717B for <spasm@ietfa.amsl.com>; Tue, 14 Mar 2017 06:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mD6CizMkbkkE for <spasm@ietfa.amsl.com>; Tue, 14 Mar 2017 06:44:06 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2879B128DE8 for <spasm@ietf.org>; Tue, 14 Mar 2017 06:44:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id D05CFBEAA; Tue, 14 Mar 2017 13:44:03 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tspnjEsj2SGl; Tue, 14 Mar 2017 13:43:57 +0000 (GMT)
Received: from [10.87.48.75] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E8B5ABE74; Tue, 14 Mar 2017 13:43:56 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1489499037; bh=iHgzECNC/U8CMhP77mcT6+tccfCoPfS5cqm1zBHIojU=; h=Subject:To:References:From:Date:In-Reply-To:From; b=3Y0EGYaaWx0ZbDppXCb+VLjonQ/KDc86nXCqH6jWwxWuMiLg4MlwcM+BKOUVFKnt8 eQ8VecgqTa8SKws8jZiIilOhnpfLApXDvz0x4R+49TKFGgmp/PrUCAWVdpAiYzIYZW c+q4QdVoxadBkhva2u6dwsdeJtF/YHK0u3d+HUBU=
To: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
References: <alpine.OSX.2.20.1702111606270.2386@ary.qy> <CAAFsWK0KoeeHeKxay=j=NR8AqbzaHXtjNoQNQqRHwUNT3-Pe_Q@mail.gmail.com> <D237E866-CEC3-4A3C-9D5E-0D1B48F1799B@dukhovni.org> <841bb724-7403-4682-3d50-f878f63b0346@cs.tcd.ie> <6d114340-c9a7-e311-e6f9-0614600cafd2@cs.tcd.ie> <CAAFsWK2RMGp0jqesx3cTbN=S7p0WuhH+0AbeJuuiZPF6WCbQOQ@mail.gmail.com> <BCEFAA3C-B711-4269-81C8-4DA0E1AA7AD0@dukhovni.org> <CAAFsWK3yJ9r+6abTXZQsNsey+VcRpdtVv=Hku_54_LZ9y1T2xQ@mail.gmail.com> <B8A5967B-9C19-4167-8A20-B82DFD46A924@dukhovni.org> <00c401d298b8$616fffa0$4001a8c0@gateway.2wire.net> <CAAFsWK1Q=d-9E++J0Z7UyEn3mshKkbYZ9yuGX974XvU8rO0VQw@mail.gmail.com> <CAAFsWK3n=dpix1dF6_tm+ZBSqkC=+DW301HaLSg__p-0Tt0rxg@mail.gmail.com> <9EC9BC6B-B1AB-4B1C-AC73-5501AA94465B@vigilsec.com> <ca43dc75bbe046f38a78e5f864fc4051@usma1ex-dag1mb1.msg.corp.akamai.com> <DDAEF1CF-E00A-4242-BCFE-A307E154F3C6@vigilsec.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <a9c997f7-a3ba-d3fb-86de-d975f247c3c6@cs.tcd.ie>
Date: Tue, 14 Mar 2017 13:43:53 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <DDAEF1CF-E00A-4242-BCFE-A307E154F3C6@vigilsec.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="wfcdCJV0qo0qLn2KUV04ku5xr1RHEfeJd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KYUuGbb1XZR71_U5oKYpd8HpA9E>
Subject: Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 13:44:11 -0000

Hi Russ, all,

So I've thought about this a bit and chatted with a few
folks, and I'm just not quite convinced that we've had
enough time or eyeballs to process the perfectly reasonable
looking (but significant) changes that were made during
and since the end of IETF LC by this Thursday's IESG
telechat. So I've taken this document off that agenda.

Apologies that that'll cause a bit more delay due to the
handover of ADs around IETF98 but I hope that that won't
be a bad delay.

I guess these LC changes are ones that it'd be good to go
over in Chicago as well, just to be sure that we've landed
in a good place.

Note that after Chicago, the new AD can re-inject the
document back into the process at IESG evaluation again
if that's the right thing to do, so this change does not
mean that a new IETF last call will be needed. Though of
course if there are further changes that might end up
being the right thing to do. In any case, for those who
like process minutiae, I've left this in the "waiting
for writeup" state but just taken it off this week's
agenda.

Cheers, and sorry again for being a cause of delay,
S.

On 13/03/17 15:14, Russ Housley wrote:
> It appears that autocorrect made a typo much worse.  I meant so say...
> 
> These changes were made in response to an IETF Last Call comment.  Please review them.  The vast bulk of the changes are in Section 6.  Please speak promptly if you think this is the wrong technical solution.
> 
> Russ
> 
>> From: Russ Housley [mailto:housley@vigilsec.com <mailto:housley@vigilsec.com>] 
> Sent: Monday, March 13, 2017 10:45 AM
> To: SPASM
> Subject: Re: [Spasm] Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard
>  
> These changes were made in response to an IETF Last Call comment.  Please review them.  The vast bulk of the changes are in Section 6.  Please speak promptly if you think this is the word technical solution.
>  
> Russ
>  
>  
>  
> On Mar 12, 2017, at 5:40 PM, Wei Chuang <weihaw@google.com <mailto:weihaw@google.com>> wrote:
>  
> The latest draft 08 is up:
> https://tools.ietf.org/html/draft-ietf-lamps-eai-addresses-08 <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dlamps-2Deai-2Daddresses-2D08&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=1MWONujUfB8F3GUGv6AW8UGwQuNDq0G3TEAGmYYij6I&s=bRu_sJbqhowJkrhC9p2CRMvk6nCfIJUndl7MrfSRMk0&e=>
>  
> The diff is:
> https://tools.ietf.org/rfcdiff?url2=draft-ietf-lamps-eai-addresses-08.txt <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_rfcdiff-3Furl2-3Ddraft-2Dietf-2Dlamps-2Deai-2Daddresses-2D08.txt&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=1MWONujUfB8F3GUGv6AW8UGwQuNDq0G3TEAGmYYij6I&s=PKrOrXVJsbBO0wcBMB-rgIRT7iOO4OFjgtoR64Bf9Wg&e=>
>  
> This draft attempts to capture Viktor's name constraint verifier logic, and illustrate the examples in the diagrams.
>  
> -Wei
>  
>  
> On Thu, Mar 9, 2017 at 10:22 AM, Wei Chuang <weihaw@google.com <mailto:weihaw@google.com>> wrote:
> There seems to be a consensus here and internally to the changes that Viktor proposes.  We can put that in the next draft update.
>  
> -Wei
>  
> On Thu, Mar 9, 2017 at 1:34 AM, tom p. <daedulus@btconnect.com <mailto:daedulus@btconnect.com>> wrote:
> ----- Original Message -----
> From: "Viktor Dukhovni" <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>>
> To: <spasm@ietf.org <mailto:spasm@ietf.org>>; "IETF general list" <ietf@ietf.org <mailto:ietf@ietf.org>>
> Sent: Thursday, March 09, 2017 3:19 AM
>> On Mar 8, 2017, at 8:17 PM, Wei Chuang <weihaw@google.com <mailto:weihaw@google.com>> wrote:
>>
>> Okay.  I think the direction then is to have SmtpUTF8Name respect
> rfc822Name name constraints and vice versa.
> 
> Well, no, the simplest proposal on the table is for SmtpUTF8Name to
> be *prohibited* when rfc822Name constraints are present and SmtpUTF8Name
> constraints are not.  When both present, they can operate independently.
> 
> <tp>
> 
> Getting security right can be tricky as the legion of failed attempts
> that make it to RFC testify but what you are proposing here seems so
> simple, so obviously the right thing to do that I am puzzled, bewildered
> even, that anyone can disagree with you.
> 
> Tom Petch
> 
> The verifier logic is then:
> 
> 1. If neither rfc822Name constraints nor SmtpUTF8Name constraints
>            are present in any CA certificate in the chain, any mixture
> of
>            rfc822Name and SmtpUTF8Name SAN elements is valid.
> 
> 2. If some certificate in the chain contains *only* rfc822Name
>    constraints, then these apply to rfc822Name SAN elements, but
>    all SmtpUTF8Names are prohibited.
> 
> 3. When both types of constraints are present in all CA certificates
>            that have either type, then constraints for each SAN type are
>    exclusively based on just the corresponding constraint type.
> 
> 4. If some certificate in the chain contains only SmtpUTF8Name
>      constraints then those are unavoidably at risk of bypass via
>            rfc822Name SAN elements when processed by legacy verifiers.
>    Therefore, this should be avoided, and the CA needs to
>      publish rfc822Name constraints that prevent bypass.  Such
>    constraints *need not* be equivalent (not always possible)
>    to the desired SmtpUTF8Name constraints.  Rather, it suffices
>    to not permit rfc822Name elements that would be prohibited
>    if they were simply cut/pasted (with no A-label to U-label
>            conversions) as SmtpUTF8Name elements.  It is not necessary
>    for these to permit everything that SmtpUTF8Name permits.
> 
> Thus for example, if SmtpUtf8Name only permits addresses in the non
> NR-LDH
> domain "духовный.org <https://urldefense.proofpoint.com/v2/url?u=http-3A__xn-2D-2Db1adqpd3ao5c.org_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=1MWONujUfB8F3GUGv6AW8UGwQuNDq0G3TEAGmYYij6I&s=Oe17K7ooNPBDUmFvzu-ND8age2YROKJisOoK3yEMDGE&e=>" (or a specific set of addresses in such a domain),
> then the corresponding rfc822Name constraint could just permit "." (or
> the
> reserved "invalid" TLD if that's preferable) which is not a usable email
> domain.  This ensures that only the permitted SmtpUTF8Name SANs are used
> and no rfc822Name SANs are used.
> 
> If, instead the Smtp8Name constraints are excluded non-ASCII address
> forms,
> then since these have no literal rfc822Name equivalents, the rfc822Name
> constraints can be omitted with the same effect.
> 
> Only when the intention is to permit NR-LDH domains with either ASCII or
> UTF-8 localparts (or an all-ASCII full address) do the rfc822Name and
> SmtpUTF8Name constraints need to be fully equivalent.  This is of course
> trivial to do.  Just cut/paste the same string into both types of
> constraint.
> 
> --
> Viktor.
> 
> 
> 
> 
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email