Re: [Spasm] WG Last Call for draft-ietf-lamps-rfc5280-i18n-update-00

"Patrik Fältström " <paf@frobbit.se> Sun, 28 May 2017 12:49 UTC


> This is the LAMPS WG Last Call for "Internationalization Updates to RFC 5280" <draft-ietf-lamps-rfc5280-i18n-update-00>.  Please review the document and send your comments to the list by 9 June 2017.
>
> Since I am the document author and the LAMPS WG Chair, our Area Director will be making the consensus call at the end of the WG Last Call.

I like the updates that make the text more suitable for IDNA2008 than IDNA2003. That said, the Security Considerations section is not updated accordingly. As A-labels and U-labels are a 1:1 mapping of each other, and it is by definition possible to map back and forth as much as one wants, the text does not make sense.

I suggest the following change:

OLD:

Conforming CAs SHOULD ensure that IDNs are represented as valid A-labels.  This can be accomplished by taking a provided U-label, validating the code points, converting it to an A-label, back to an U-label, and then checking to see that the result is the same as the original U-label.  Failure to use valid A-labels may yield a name that cannot be correctly represented in the Domain Name System (DNS).

NEW:

Conforming CAs SHOULD ensure that IDNs are valid. This can be done by validating all code points according to IDNA2008 [RFC5892]. Failure to use valid A-labels may yield a name that cannot be correctly represented in the Domain Name System (DNS).

   Patrik
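As an added illustration (not part of the message above or of the draft), the following Python puts the OLD text's U-label/A-label round trip beside a code-point check. The conversion uses pure Punycode with no mapping, as IDNA2008 does; the stdlib "idna" codec is IDNA2003 with nameprep; and code_points_ok is a constructed simplification standing in for the RFC 5892 table, not an implementation of it. The sample labels are constructed.

```python
import codecs
import unicodedata

ACE_PREFIX = "xn--"

def to_a_label(u_label: str) -> str:
    # Pure Punycode (RFC 3492) plus the ACE prefix: no nameprep, no case folding.
    return ACE_PREFIX + codecs.encode(u_label, "punycode").decode("ascii")

def to_u_label(a_label: str) -> str:
    if not a_label.startswith(ACE_PREFIX):
        raise ValueError("not an A-label")
    return codecs.decode(a_label[len(ACE_PREFIX):].encode("ascii"), "punycode")

def round_trip_ok(u_label: str) -> bool:
    # The OLD text's check: U-label -> A-label -> U-label, compare with input.
    # With a mapping-free conversion this is an identity for any input, so it
    # rejects nothing: the 1:1 point made in the message above.
    return to_u_label(to_a_label(u_label)) == u_label

def idna2003_round_trip_ok(u_label: str) -> bool:
    # Same check via the stdlib 'idna' codec, which applies IDNA2003 nameprep
    # (case folding, U+00DF -> "ss") first, so any label that nameprep changes
    # fails the round trip, including labels that are valid under IDNA2008.
    try:
        return u_label.encode("idna").decode("idna") == u_label
    except UnicodeError:
        return False

def code_points_ok(u_label: str) -> bool:
    # Constructed simplification standing in for RFC 5892 code point validation
    # (NOT the real derived-property table): NFC form, lowercase letters, marks,
    # digits and interior hyphens only; uppercase, symbols and spaces rejected.
    if not u_label or u_label != unicodedata.normalize("NFC", u_label):
        return False
    if u_label.startswith("-") or u_label.endswith("-"):
        return False
    allowed = {"Ll", "Lo", "Lm", "Mn", "Mc", "Nd"}
    return all(ch == "-" or unicodedata.category(ch) in allowed for ch in u_label)

# Constructed samples: an IDNA2008-valid label, its uppercase variant, a symbol.
SAMPLES = ["straße", "Straße", "snow☃man"]

if __name__ == "__main__":
    for label in SAMPLES:
        print(f"{label!r:12} A-label={to_a_label(label):18} "
              f"round_trip={round_trip_ok(label)} "
              f"idna2003={idna2003_round_trip_ok(label)} "
              f"code_points={code_points_ok(label)}")
```

All three samples pass the mapping-free round trip, while only the first passes the code-point check; the IDNA2003 codec rejects even "straße" because nameprep rewrites it to "strasse".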