Re: [lamps] WG Last Call for draft-ietf-lamps-eai-addresses-10
Sean Leonard <dev+ietf@seantek.com> Tue, 18 July 2017 09:18 UTC
Return-Path: <dev+ietf@seantek.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34832131DD0 for <spasm@ietfa.amsl.com>; Tue, 18 Jul 2017 02:18:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLUF-epK19-y for <spasm@ietfa.amsl.com>; Tue, 18 Jul 2017 02:18:51 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C112131A93 for <spasm@ietf.org>; Tue, 18 Jul 2017 02:18:46 -0700 (PDT)
Received: from [192.168.122.115] (unknown [174.65.80.226]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 277E922E1F3 for <spasm@ietf.org>; Tue, 18 Jul 2017 05:18:33 -0400 (EDT)
From: Sean Leonard <dev+ietf@seantek.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 18 Jul 2017 02:18:32 -0700
References: <1AE5876A-D3B4-4711-A701-03F64532F3B0@vigilsec.com> <678040CE-455A-41FB-B877-054652348D52@vigilsec.com> <20170630191851.GD5673@mournblade.imrryr.org>
To: spasm@ietf.org
In-Reply-To: <20170630191851.GD5673@mournblade.imrryr.org>
Message-Id: <EFB7402E-1B65-45E9-8018-FF692679532F@seantek.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SfxXTIOEOE6kSyFbI57O8hD1Y58>
Subject: Re: [lamps] WG Last Call for draft-ietf-lamps-eai-addresses-10
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 09:18:53 -0000
> On Jun 30, 2017, at 12:18 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Fri, Jun 30, 2017 at 12:28:48PM -0400, Russ Housley wrote: > >> With the posting of draft-ietf-lamps-eai-addresses-12, I believe that all >> WG Last Call comments have bee resolved. I will notify our Area Director >> that the document is ready. > > Indeed, grammar issues aside, which I expect will be addressed by > the RFC editor, looks largely done to me. It'll soon be time to > resume work to support the new name type in OpenSSL. This time > with rfc822Name name constraints applied to both rfc822Name and > SMTPUtf8Name subjectAltNames. > > My only technical quibble is that I'd have preferred to also see > deprecation of support for email addresses in the subject DN, > subject altnames have been broadly supported for a long time. This > is a non-critical issue. If there's not broad support for doing > that at this time, I have no substantial issues with the -12 draft. Hi Viktor, EAI addresses need an LDAP attribute, since the current LDAP attributes (mail and emailAddress (RFC 5280)) don’t support UTF-8. I expressed interest in fixing this, but the LDAP maintainers have mostly evaporated. :( Still interested in a draft for that, however. I agree with the direction of draft-ietf-lamps-eai-addresses that the subject DN should not be checked and should not be used for address matching. There is some risk that a UTF-8 e-mail address attribute that is not checked, could pose a phishing risk if presented to the user. However, that is no different from a CN or other displayed attribute that happens to contain an e-mail address. I do not consider that risk to be significant (in light of the alternatives). Sean
- [Spasm] WG Last Call for draft-ietf-lamps-eai-add… Russ Housley
- [lamps] draft-ietf-lamps-eai-addresses-10 full re… Viktor Dukhovni
- [lamps] draft-ietf-lamps-eai-addresses-10 full re… Viktor Dukhovni
- Re: [lamps] draft-ietf-lamps-eai-addresses-10 ful… Wei Chuang
- Re: [lamps] draft-ietf-lamps-eai-addresses-10 ful… Wei Chuang
- Re: [lamps] WG Last Call for draft-ietf-lamps-eai… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-eai… Viktor Dukhovni
- Re: [lamps] WG Last Call for draft-ietf-lamps-eai… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-eai… Sean Leonard