Re: [Spasm] Spasm Digest, Vol 13, Issue 21
Wei Chuang <weihaw@google.com> Sun, 07 May 2017 00:43 UTC
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A304E126CD6 for <spasm@ietfa.amsl.com>; Sat, 6 May 2017 17:43:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.802
X-Spam-Level:
X-Spam-Status: No, score=-0.802 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUmqtvQwptIx for <spasm@ietfa.amsl.com>; Sat, 6 May 2017 17:43:38 -0700 (PDT)
Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68731128792 for <spasm@ietf.org>; Sat, 6 May 2017 17:43:38 -0700 (PDT)
Received: by mail-it0-x22c.google.com with SMTP id o5so48890086ith.1 for <spasm@ietf.org>; Sat, 06 May 2017 17:43:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=MducKLimw01a66nKHKXCPUFSL1lxo2q+p6zi7cjEX2I=; b=tBsPehv/2reU4XCO69xP2smCGoXRoR+VzQ8x303TSSLXuyuT6apBLWxeEHfXhgOxp2 V9zxxqjeXB0g8kdOvse1hr1qKfBVZZqbgElbmCjN1babCnHGR1q/FnMesi0fcf06QnUE 3ZhmNjv1CpthL5YGetGeXnzV0cp/Mnae8ViKmxOGBFmzLTIlGqKunsHl44rxiip4QjnT bOIeb2lH2zGPpJ0KpZWQdL5LxqceSeQT6w+/zXLfTgmPASTavc82NJEf/hiwnH2YKizn yPWCC3eZEjKbdvN1Vwa26w6ltBV+OnSSBWJzq7bvwo9U2BHvmcT99YbHXzjQbHF15REQ 6p0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=MducKLimw01a66nKHKXCPUFSL1lxo2q+p6zi7cjEX2I=; b=hS7xwgtFDh/Q4zmt/VC5FQiZkBDnjdX8nf6U4oCnICkT2+4CDwQPEUgEVg4Bas+iGB 7rDCBbYZENposFSbVUqRAbj9iMxAsSEEswW5uN7vXMEL2d7XJMTsp72rq7XAd/rdtPe4 bDS5c/n5+urY7U0ZMIo/LA9n4YkONc4G0n3bhmRxdN3hNcMr1z8kix+Kw4gKJrw/ZODo rAHtjXdX5rq0KNGfsqE4BBl7OoqCjmnU0FobiqtNCgxtImRHm58Pr/nXVezr3KhzWlB/ hQNCELwLgFM+6Wz3d5sol7F7qEtGVLdeEXEhjgbAZK9ZKOOq4PXIPfvlqYJ2hpZ7CRgc J7DA==
X-Gm-Message-State: AN3rC/6tUVgL4lJPOknSn0Zm6/ulJmjkRMd7ZfIrE3oBCm3GO/ytO33n u5Oss/7PVPLSrckCspi47fdNuZMzJMHIRrY=
X-Received: by 10.36.91.13 with SMTP id g13mr14237444itb.119.1494117817273; Sat, 06 May 2017 17:43:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.8.32 with HTTP; Sat, 6 May 2017 17:43:36 -0700 (PDT)
In-Reply-To: <20170427191006.GB25754@mournblade.imrryr.org>
References: <mailman.12.1493233203.16587.spasm@ietf.org> <A0D2106A-AF9F-4803-90FB-05565B7148B8@dukhovni.org> <BC920F8A-5624-4616-9DBD-CB11E4F29FC1@vigilsec.com> <20170427191006.GB25754@mournblade.imrryr.org>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 06 May 2017 17:43:36 -0700
Message-ID: <CAAFsWK0wVLPAxSdmikCHmhZyGNWCw7fu8V_0nq4jQLD3WscCsQ@mail.gmail.com>
To: SPASM <spasm@ietf.org>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1144cda2c5e8b2054ee469e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YSZVY_xOlEkYVQIz9XUgoPQLQmI>
Subject: Re: [Spasm] Spasm Digest, Vol 13, Issue 21
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2017 00:43:40 -0000
On Thu, Apr 27, 2017 at 12:10 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Thu, Apr 27, 2017 at 08:38:45AM -0400, Russ Housley wrote: > > > Viktor has suggested that we consider the pros and cons of two ways of > > encoding the SubjectAltName when the left-hand side contains non-ASCII > > characters. > > To be clear, the issue is how to store the email identity (not name > constraints, but the email-valued subjectAltName) in the certificate > when the localpart (left-hand side if you like) DOES NOT contain > non-ASCII characters. Or, to doubly make sure we're on the same > page, and avoid a double-negative, when the localpart contains ONLY > 7-bit ASCII characters. > Agreed. Just to restate the others benefit, the -09 draft calls only for using SmtpUTFName when non-ASCII local-part is present and otherwise always using rfc822Name. > > Had the localpart contained non-ASCII UTF-8, as with: > > пользователь@духовный.org <http://xn--b1adqpd3ao5c.org> > > there would be no choice but to store the presented identifier in > the certificate as an SMTPUtf8Name subjectAltName element. > > > Option 1 is the way described in the current draft, where IDNs are > carried > > as U-Labels. > > Well, the "current" draft, Section 3, bottom of page 3, says the > opposite: > > Due to operational reasons described shortly and name constraint > compatibility reasons described in its section, SmtpUTF8Name > subjectAltName MUST only be used when the local part of the email > address contains UTF-8. When the local-part is ASCII, rfc822Name > subjectAltName MUST be used instead of SmtpUTF8Name. The use of > rfc822Name rather than SmtpUTF8Name is currently more likely to be > supported. Also use of SmtpUTF8Name incurs higher byte > representation overhead due to encoding with otherName and the > additional OID needed. This may be offset if domain requires non- > ASCII characters as SmtpUTF8Name supports U-label whereas rfc822Name > supports A-label. > > [ The comment about encoding overhead makes no clear case in either > direction, is irrelevant, mand should be deleted ] > Will do. > > The draft seems to suggest that email addresses with ASCII localparts > should be converted to A-label form, but fails to then explain all > the associated steps needed to be performed by CAs and relying > parties. > In paragraph 2 of that section 6, it calls for using section 5 including any setup specified there. Section 5 says with SHOULD to convert to U-label. It does note that that RFC5280 calls for converting to A-label which could be used instead. > > > Victor gave this example: > > all ASCII: > > > > ietf-dane@духовный.org > > > > With Option 1, U-Labels need to be converted to A-Labels when a name > > constraints extension is present that constrains the rfc822Name. > > In Chicago, IIRC the consensus was to convert the A-labels in > rfc822Name name constraints to U-label form for comparison against > the non-converted email address. Not conversion of the address to > A-labels for comparison with rfc822Name constraints. Of course > the two implementation strategies can be functionally equivalent > (absent "mappings" in the U->A direction). > Agreed the drafts calls for conversion to U-label with SHOULD. If this recommendation (as noted immediately above) needs to change, we'd like to hear about it. > > > Option 2 is the way described in Viktor�s message, where IDNs are carried > > as A-Labels. > > And the in the *current* draft, not described in sufficient detail. > > > Victor gave this example, even though the left-hand-side is all ASCII: > > s/even though/precisely when/ > > > ietf-dane@xn--b1adqpd3ao5c.org > > > > With Option 2, U-Labels need to be converted to A-Labels no conversion is > > needed when a name constraints extension is present that constrains the > > rfc822Name. > > Indeed the domains in the SAN and the rfc822Name constraint can > just be compared in a case-insensitive manner. > > > However, A-Labels need to be converted to U-Labels to compare > > the SmtpUTF8Name to the email address that appears in the FROM field of > > a message. > > Right, and possibly the domain in the RFC2822.From header may need > mappings to be normalized to a valid UTF-8 domain. This is up to > the application. > > > From my perspective, doing conversion only to enforce name constraints is > > the more desirable of the two. What do others think? > > I am slightly in favour of storing A-labels in an rfc822Name SAN > whenever the localpart (when all ASCII) permits. This is more > consistent with how IDNA domains already appear in DNS-ID, and > is more likely to interoperate in mixed-mode use-case when a > sender has both user@<utf-8-fqdn> and user@<a-label-fqdn> > email addresses routed to the same mailbox, and uses the a-label > form as needed. > > That said, pick one or the other, but just be clear about which, > and describe the consequences in the draft in more detail. > Perhaps this part of the thread needs to be pulled out into its own discussion on the merits of one representation versus another (as opposed to issues in the draft). -Wei
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Viktor Dukhovni
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Viktor Dukhovni
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Wei Chuang
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Wei Chuang
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Viktor Dukhovni
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Wei Chuang