IETF Logo Mail Archive

Re: [Spasm] Spasm Digest, Vol 13, Issue 21

Wei Chuang <weihaw@google.com> Sun, 07 May 2017 00:43 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A304E126CD6 for <spasm@ietfa.amsl.com>; Sat, 6 May 2017 17:43:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.802
X-Spam-Level:
X-Spam-Status: No, score=-0.802 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUmqtvQwptIx for <spasm@ietfa.amsl.com>; Sat, 6 May 2017 17:43:38 -0700 (PDT)
Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68731128792 for <spasm@ietf.org>; Sat, 6 May 2017 17:43:38 -0700 (PDT)
Received: by mail-it0-x22c.google.com with SMTP id o5so48890086ith.1 for <spasm@ietf.org>; Sat, 06 May 2017 17:43:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=MducKLimw01a66nKHKXCPUFSL1lxo2q+p6zi7cjEX2I=; b=tBsPehv/2reU4XCO69xP2smCGoXRoR+VzQ8x303TSSLXuyuT6apBLWxeEHfXhgOxp2 V9zxxqjeXB0g8kdOvse1hr1qKfBVZZqbgElbmCjN1babCnHGR1q/FnMesi0fcf06QnUE 3ZhmNjv1CpthL5YGetGeXnzV0cp/Mnae8ViKmxOGBFmzLTIlGqKunsHl44rxiip4QjnT bOIeb2lH2zGPpJ0KpZWQdL5LxqceSeQT6w+/zXLfTgmPASTavc82NJEf/hiwnH2YKizn yPWCC3eZEjKbdvN1Vwa26w6ltBV+OnSSBWJzq7bvwo9U2BHvmcT99YbHXzjQbHF15REQ 6p0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=MducKLimw01a66nKHKXCPUFSL1lxo2q+p6zi7cjEX2I=; b=hS7xwgtFDh/Q4zmt/VC5FQiZkBDnjdX8nf6U4oCnICkT2+4CDwQPEUgEVg4Bas+iGB 7rDCBbYZENposFSbVUqRAbj9iMxAsSEEswW5uN7vXMEL2d7XJMTsp72rq7XAd/rdtPe4 bDS5c/n5+urY7U0ZMIo/LA9n4YkONc4G0n3bhmRxdN3hNcMr1z8kix+Kw4gKJrw/ZODo rAHtjXdX5rq0KNGfsqE4BBl7OoqCjmnU0FobiqtNCgxtImRHm58Pr/nXVezr3KhzWlB/ hQNCELwLgFM+6Wz3d5sol7F7qEtGVLdeEXEhjgbAZK9ZKOOq4PXIPfvlqYJ2hpZ7CRgc J7DA==
X-Gm-Message-State: AN3rC/6tUVgL4lJPOknSn0Zm6/ulJmjkRMd7ZfIrE3oBCm3GO/ytO33n u5Oss/7PVPLSrckCspi47fdNuZMzJMHIRrY=
X-Received: by 10.36.91.13 with SMTP id g13mr14237444itb.119.1494117817273; Sat, 06 May 2017 17:43:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.8.32 with HTTP; Sat, 6 May 2017 17:43:36 -0700 (PDT)
In-Reply-To: <20170427191006.GB25754@mournblade.imrryr.org>
References: <mailman.12.1493233203.16587.spasm@ietf.org> <A0D2106A-AF9F-4803-90FB-05565B7148B8@dukhovni.org> <BC920F8A-5624-4616-9DBD-CB11E4F29FC1@vigilsec.com> <20170427191006.GB25754@mournblade.imrryr.org>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 06 May 2017 17:43:36 -0700
Message-ID: <CAAFsWK0wVLPAxSdmikCHmhZyGNWCw7fu8V_0nq4jQLD3WscCsQ@mail.gmail.com>
To: SPASM <spasm@ietf.org>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1144cda2c5e8b2054ee469e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YSZVY_xOlEkYVQIz9XUgoPQLQmI>
Subject: Re: [Spasm] Spasm Digest, Vol 13, Issue 21
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2017 00:43:40 -0000

On Thu, Apr 27, 2017 at 12:10 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Thu, Apr 27, 2017 at 08:38:45AM -0400, Russ Housley wrote:
>
> > Viktor has suggested that we consider the pros and cons of two ways of
> > encoding the SubjectAltName when the left-hand side contains non-ASCII
> > characters.
>
> To be clear, the issue is how to store the email identity (not name
> constraints, but the email-valued subjectAltName) in the certificate
> when the localpart (left-hand side if you like) DOES NOT contain
> non-ASCII characters.  Or, to doubly make sure we're on the same
> page, and avoid a double-negative, when the localpart contains ONLY
> 7-bit ASCII characters.
>

Agreed.  Just to restate the others benefit, the -09 draft calls only for
using SmtpUTFName when non-ASCII local-part is present and otherwise always
using rfc822Name.


>
> Had the localpart contained non-ASCII UTF-8, as with:
>
>     пользователь@духовный.org <http://xn--b1adqpd3ao5c.org>
>
> there would be no choice but to store the presented identifier in
> the certificate as an SMTPUtf8Name subjectAltName element.
>
> > Option 1 is the way described in the current draft, where IDNs are
> carried
> > as U-Labels.
>
> Well, the "current" draft, Section 3, bottom of page 3, says the
> opposite:
>
>    Due to operational reasons described shortly and name constraint
>    compatibility reasons described in its section, SmtpUTF8Name
>    subjectAltName MUST only be used when the local part of the email
>    address contains UTF-8.  When the local-part is ASCII, rfc822Name
>    subjectAltName MUST be used instead of SmtpUTF8Name.  The use of
>    rfc822Name rather than SmtpUTF8Name is currently more likely to be
>    supported.  Also use of SmtpUTF8Name incurs higher byte
>    representation overhead due to encoding with otherName and the
>    additional OID needed.  This may be offset if domain requires non-
>    ASCII characters as SmtpUTF8Name supports U-label whereas rfc822Name
>    supports A-label.
>
> [ The comment about encoding overhead makes no clear case in either
>   direction, is irrelevant, mand should be deleted ]
>

Will do.


>
> The draft seems to suggest that email addresses with ASCII localparts
> should be converted to A-label form, but fails to then explain all
> the associated steps needed to be performed by CAs and relying
> parties.
>

In paragraph 2 of that section 6, it calls for using section 5 including
any setup specified there.  Section 5 says with SHOULD to convert to
U-label.  It does note that that RFC5280 calls for converting to A-label
which could be used instead.


>
> > Victor gave this example:
> > all ASCII:
> >
> >       ietf-dane@духовный.org
> >
> > With Option 1, U-Labels need to be converted to A-Labels when a name
> > constraints extension is present that constrains the rfc822Name.
>
> In Chicago, IIRC the consensus was to convert the A-labels in
> rfc822Name name constraints to U-label form for comparison against
> the non-converted email address.  Not conversion of the address to
> A-labels for comparison with rfc822Name constraints.  Of course
> the two implementation strategies can be functionally equivalent
> (absent "mappings" in the U->A direction).
>

Agreed the drafts calls for conversion to U-label with SHOULD.  If this
recommendation (as noted immediately above) needs to change, we'd like to
hear about it.


>
> > Option 2 is the way described in Viktor�s message, where IDNs are carried
> > as A-Labels.
>
> And the in the *current* draft, not described in sufficient detail.
>
> > Victor gave this example, even though the left-hand-side is all ASCII:
>
>         s/even though/precisely when/
>
> >       ietf-dane@xn--b1adqpd3ao5c.org
> >
> > With Option 2, U-Labels need to be converted to A-Labels no conversion is
> > needed when a name constraints extension is present that constrains the
> > rfc822Name.
>
> Indeed the domains in the SAN and the rfc822Name constraint can
> just be compared in a case-insensitive manner.
>
> > However, A-Labels need to be converted to U-Labels to compare
> > the SmtpUTF8Name to the email address that appears in the FROM field of
> > a message.
>
> Right, and possibly the domain in the RFC2822.From header may need
> mappings to be normalized to a valid UTF-8 domain.  This is up to
> the application.
>
> > From my perspective, doing conversion only to enforce name constraints is
> > the more desirable of the two.  What do others think?
>
> I am slightly in favour of storing A-labels in an rfc822Name SAN
> whenever the localpart (when all ASCII) permits.  This is more
> consistent with how IDNA domains already appear in DNS-ID, and
> is more likely to interoperate in mixed-mode use-case when a
> sender has both user@<utf-8-fqdn> and user@<a-label-fqdn>
> email addresses routed to the same mailbox, and uses the a-label
> form as needed.
>
> That said, pick one or the other, but just be clear about which,
> and describe the consequences in the draft in more detail.
>

Perhaps this part of the thread needs to be pulled out into its own
discussion on the merits of one representation versus another (as opposed
to issues in the draft).

-Wei

v2.23.0 | Report a Bug | By Email