Re: [Spasm] Spasm Digest, Vol 14, Issue 6
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 09 May 2017 16:17 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D1031294AC for <spasm@ietfa.amsl.com>; Tue, 9 May 2017 09:17:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 89qHNilJWT8x for <spasm@ietfa.amsl.com>; Tue, 9 May 2017 09:17:57 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A63FC12948B for <spasm@ietf.org>; Tue, 9 May 2017 09:17:57 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id C45677A32F1 for <spasm@ietf.org>; Tue, 9 May 2017 16:17:56 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <mailman.1543.1494315488.3775.spasm@ietf.org>
Date: Tue, 09 May 2017 12:17:55 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: spasm@ietf.org
Message-Id: <4330546C-6FCD-40FF-9412-2D51F203B431@dukhovni.org>
References: <mailman.1543.1494315488.3775.spasm@ietf.org>
To: spasm@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UIaAIqGIn4WU6bE8_rNwCxxWQWw>
Subject: Re: [Spasm] Spasm Digest, Vol 14, Issue 6
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 16:17:59 -0000
> On May 9, 2017, at 3:38 AM, spasm-request@ietf.org wrote: > > Are you ready to link openssl with punycode decoder or implement the necessary functions in it? Thanks for your post. Yes, a punycode decoder does not require external libraries, we can just import a compact punycode decoder (for one-way A-label to U-label conversion) implementation directly into OpenSSL without introducing a dependency on any external libraries. This requires no Unicode property tables, just some math that can be added to libcrypto. > Doesn't the Option 2 fit better? In that case the punycode decoder is linked with applications > where we need it for visualization purpose, not with the library itself. If option 2 is to always encode domains in A-label form, even in SMTPUtf8Name SAN elements, then that's fine too. We might then ask users to prepare the email address for verification in that form, and indeed avoid all conversions in the X.509 verification stack, leaving just the job of preparing the "reference identifier" as: possibly-unicode-localpart@nr-ldh.and.or.a-labels which is then compared against rfc822Name SANs or SMTPUtf8Name SANs depending on the localpart. So that's equally (or perhaps slightly more) acceptable for me. This leaves the application in the driver's seat with respect to any "mappings" that might or might not be relevant to the original U-labels in the reference identifier. The reason my previous post suggested U-labels in the domain parts of SMTPUtf8Name SANs, was that it is acceptable to em, and I did not expect much support for A-labels in that context. Perhaps I misjudged the likely rough consensus, and perhaps others too would have preferred consistency across encodings of domains in name constraints and SANs over "unicode purity" in the SMTPUtf8Name SAN, but might also be too shy to say so. Bottom line, I can deal with either choice, but personally prefer consistency of the representation of domains. That is, use DNS wire-form of the domainpart in rfc822Name constraints, rfc822Name SANs and SMTPUtf8Name SANs. -- Viktor.
- Re: [Spasm] Spasm Digest, Vol 14, Issue 6 Viktor Dukhovni