IETF Logo Mail Archive

Re: [Spasm] Name Constraints on Email Addresses

Russ Housley <housley@vigilsec.com> Wed, 05 April 2017 16:53 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 329681270A0 for <spasm@ietfa.amsl.com>; Wed, 5 Apr 2017 09:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnFMSrzjdOXp for <spasm@ietfa.amsl.com>; Wed, 5 Apr 2017 09:53:48 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BD5F1293DB for <spasm@ietf.org>; Wed, 5 Apr 2017 09:53:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A62AA300440 for <spasm@ietf.org>; Wed, 5 Apr 2017 12:53:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ggAUMAOYpqJj for <spasm@ietf.org>; Wed, 5 Apr 2017 12:53:43 -0400 (EDT)
Received: from new-host-7.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 0A4BA300431 for <spasm@ietf.org>; Wed, 5 Apr 2017 12:53:43 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 05 Apr 2017 12:53:50 -0400
References: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com> <20170403001229.GL25754@mournblade.imrryr.org>
To: SPASM <spasm@ietf.org>
In-Reply-To: <20170403001229.GL25754@mournblade.imrryr.org>
Message-Id: <0C91EFEE-FEF1-4509-9D49-B430CC0B59C7@vigilsec.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/S51LzYs_1j7-Y-Zleg-THO072hA>
Subject: Re: [Spasm] Name Constraints on Email Addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 16:53:50 -0000

> On Apr 2, 2017, at 8:12 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> On Sun, Apr 02, 2017 at 12:25:36PM -0400, Russ Housley wrote:
> 
>> At the LAMPS WG session is Chicago, we discussed the concerns raised during
>> IETF Last Call on draft-ietf-lamps-eai-addresses.  The discussion proposed
>> a different way forward for constraints on email addresses.  The suggestion
>> has two parts.  First, an update to RFC 5280, Section 4.2.1.10.  Second,
>> have the constraints against the rfc822Name apply to the SmtpUTF8Name by
>> mapping any A-Labels that paper in the constraint to U-Labels.  No
>> SmtpUTF8Name constraints are ever needed.
> 
> The proposed interpretation of rfc822Name constraints as SMTPUtf8Name
> constraints will of course entail not only decoding A-labels from
> to U-labels, but also an identity mapping on NR-LDH labels.

Yes, indeed.

> The proposed direction of the mapping (decoding constraints to
> UTF-8, rather than encoding SMTPUtf8 subjectAltNames to A-labels)
> is crucial and correct.  Decoding from punycode to UTF-8 is a very
> mechanical process that does not involve any input normalization,
> or differences in the rules beteen IDNA2003 and IDNA2008.
> 
> In particular, I think we can add a punycode *decoder* to OpenSSL,
> without introducing any dependencies on external libraries.  Adding
> an encoder would probably require libicu or similar, and would be
> a significant burden.
> 
> Well, we could perhaps be able to continue to express mailbox
> constraints for ASCII localparts, but it is hardly worth it.

At the meeting, no one knew of anyone using a mailbox constraint, and eliminating that case really does make things much simpler.

> 
>> It was observed that the conversion of an A-Lable to a U-Label and back
>> to an A-Label may not alway give the same string.  Perhaps we could say:
>> Conforming CAs SHOULD only include A-Labels in the rfc822Name constraint
>> that result in the same result when converted to a U-Label and back again
>> to an A-Label.
> 
> It suffices for the domain names that will appear in SMTPUtf8Name
> subjectAltName elements of the certificate to match the decoded
> rfc822Name constraints.
> 
> The real complexity is in whatever mapping, if any, the application
> has to do to construct a "canonical" reference identifier from the
> sender address of the message.  The applications I use (at least
> all the browsers and the Postfix MTA) perform the mappings from
> UTS#46 (<http://unicode.org/reports/tr46/#Mapping>) thereby producing
> the same A-label form for many case-variants of UTF-8 strings.
> Thus, for example:
> 
>    $ posttls-finger -c -Lsummary духовный.org 
>    posttls-finger: духовный.org asciified to xn--b1adqpd3ao5c.org
>    posttls-finger: Verified TLS connection established to smtp.imrryr.org[108.5.242.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 
>    $ posttls-finger -c -Lsummary Духовный.org 
>    posttls-finger: Духовный.org asciified to xn--b1adqpd3ao5c.org
>    posttls-finger: Verified TLS connection established to smtp.imrryr.org[108.5.242.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 
> In OpenSSL I don't think that the library can reasonably be expected
> to perform the UTS#46 mappings.  Instead, the application will be
> responsible for applying any such mapping to hand the library an
> email address whose domain part is already suitably mapped.
> 
> Would it be appropriate for the draft to align to real-world practice
> and converge on UTS#46 mapping of U-labels?

I think that John Klensin strongly suggested alignment with IDNA2008.  I do not think John is on this list, so I will try to channel his comment.  The UTS#46 mapping results in more cases where A-Label —> U-Label —> A-Label translations do not return the string that one started with.

> 
>> The represent a significant change in direction for this document.  Please
>> speak promptly is you disagree with this new direction.
> 
> Looks good to me.

Thanks.

Russ

v2.23.0 | Report a Bug | By Email