Re: [Spasm] Name Constraints on Email Addresses
Russ Housley <housley@vigilsec.com> Wed, 05 April 2017 16:53 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 329681270A0 for <spasm@ietfa.amsl.com>; Wed, 5 Apr 2017 09:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnFMSrzjdOXp for <spasm@ietfa.amsl.com>; Wed, 5 Apr 2017 09:53:48 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BD5F1293DB for <spasm@ietf.org>; Wed, 5 Apr 2017 09:53:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A62AA300440 for <spasm@ietf.org>; Wed, 5 Apr 2017 12:53:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ggAUMAOYpqJj for <spasm@ietf.org>; Wed, 5 Apr 2017 12:53:43 -0400 (EDT)
Received: from new-host-7.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 0A4BA300431 for <spasm@ietf.org>; Wed, 5 Apr 2017 12:53:43 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 05 Apr 2017 12:53:50 -0400
References: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com> <20170403001229.GL25754@mournblade.imrryr.org>
To: SPASM <spasm@ietf.org>
In-Reply-To: <20170403001229.GL25754@mournblade.imrryr.org>
Message-Id: <0C91EFEE-FEF1-4509-9D49-B430CC0B59C7@vigilsec.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/S51LzYs_1j7-Y-Zleg-THO072hA>
Subject: Re: [Spasm] Name Constraints on Email Addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 16:53:50 -0000
> On Apr 2, 2017, at 8:12 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Sun, Apr 02, 2017 at 12:25:36PM -0400, Russ Housley wrote: > >> At the LAMPS WG session is Chicago, we discussed the concerns raised during >> IETF Last Call on draft-ietf-lamps-eai-addresses. The discussion proposed >> a different way forward for constraints on email addresses. The suggestion >> has two parts. First, an update to RFC 5280, Section 4.2.1.10. Second, >> have the constraints against the rfc822Name apply to the SmtpUTF8Name by >> mapping any A-Labels that paper in the constraint to U-Labels. No >> SmtpUTF8Name constraints are ever needed. > > The proposed interpretation of rfc822Name constraints as SMTPUtf8Name > constraints will of course entail not only decoding A-labels from > to U-labels, but also an identity mapping on NR-LDH labels. Yes, indeed. > The proposed direction of the mapping (decoding constraints to > UTF-8, rather than encoding SMTPUtf8 subjectAltNames to A-labels) > is crucial and correct. Decoding from punycode to UTF-8 is a very > mechanical process that does not involve any input normalization, > or differences in the rules beteen IDNA2003 and IDNA2008. > > In particular, I think we can add a punycode *decoder* to OpenSSL, > without introducing any dependencies on external libraries. Adding > an encoder would probably require libicu or similar, and would be > a significant burden. > > Well, we could perhaps be able to continue to express mailbox > constraints for ASCII localparts, but it is hardly worth it. At the meeting, no one knew of anyone using a mailbox constraint, and eliminating that case really does make things much simpler. > >> It was observed that the conversion of an A-Lable to a U-Label and back >> to an A-Label may not alway give the same string. Perhaps we could say: >> Conforming CAs SHOULD only include A-Labels in the rfc822Name constraint >> that result in the same result when converted to a U-Label and back again >> to an A-Label. > > It suffices for the domain names that will appear in SMTPUtf8Name > subjectAltName elements of the certificate to match the decoded > rfc822Name constraints. > > The real complexity is in whatever mapping, if any, the application > has to do to construct a "canonical" reference identifier from the > sender address of the message. The applications I use (at least > all the browsers and the Postfix MTA) perform the mappings from > UTS#46 (<http://unicode.org/reports/tr46/#Mapping>) thereby producing > the same A-label form for many case-variants of UTF-8 strings. > Thus, for example: > > $ posttls-finger -c -Lsummary духовный.org > posttls-finger: духовный.org asciified to xn--b1adqpd3ao5c.org > posttls-finger: Verified TLS connection established to smtp.imrryr.org[108.5.242.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) > > $ posttls-finger -c -Lsummary Духовный.org > posttls-finger: Духовный.org asciified to xn--b1adqpd3ao5c.org > posttls-finger: Verified TLS connection established to smtp.imrryr.org[108.5.242.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) > > In OpenSSL I don't think that the library can reasonably be expected > to perform the UTS#46 mappings. Instead, the application will be > responsible for applying any such mapping to hand the library an > email address whose domain part is already suitably mapped. > > Would it be appropriate for the draft to align to real-world practice > and converge on UTS#46 mapping of U-labels? I think that John Klensin strongly suggested alignment with IDNA2008. I do not think John is on this list, so I will try to channel his comment. The UTS#46 mapping results in more cases where A-Label —> U-Label —> A-Label translations do not return the string that one started with. > >> The represent a significant change in direction for this document. Please >> speak promptly is you disagree with this new direction. > > Looks good to me. Thanks. Russ
- Re: [Spasm] Name Constraints on Email Addresses Russ Housley
- Re: [Spasm] Name Constraints on Email Addresses Nico Williams
- Re: [Spasm] Name Constraints on Email Addresses Russ Housley
- Re: [Spasm] Name Constraints on Email Addresses Viktor Dukhovni
- Re: [Spasm] Name Constraints on Email Addresses Wei Chuang
- Re: [Spasm] Name Constraints on Email Addresses Jim Schaad
- Re: [Spasm] Name Constraints on Email Addresses Russ Housley
- Re: [Spasm] Name Constraints on Email Addresses Jim Schaad
- Re: [Spasm] Name Constraints on Email Addresses Viktor Dukhovni
- [Spasm] Name Constraints on Email Addresses Russ Housley
- Re: [Spasm] Name Constraints on Email Addresses Viktor Dukhovni
- Re: [Spasm] Name Constraints on Email Addresses Wei Chuang
- Re: [Spasm] Name Constraints on Email Addresses Russ Housley
- Re: [Spasm] Name Constraints on Email Addresses Russ Housley
- Re: [Spasm] Name Constraints on Email Addresses Nico Williams