IETF Logo Mail Archive

Re: [Spasm] New Internet-Draft: draft-housley-rfc5280-i18n-update-00.txt

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 27 February 2017 14:23 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 824CE12A015 for <spasm@ietfa.amsl.com>; Mon, 27 Feb 2017 06:23:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.922
X-Spam-Level:
X-Spam-Status: No, score=-6.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b8B-oJqx5s2V for <spasm@ietfa.amsl.com>; Mon, 27 Feb 2017 06:23:00 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BED98129FF5 for <spasm@ietf.org>; Mon, 27 Feb 2017 06:23:00 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 599D6552CE; Mon, 27 Feb 2017 14:23:01 +0000 (UTC)
Received: from dhcp-10-40-1-102.brq.redhat.com ([10.40.3.156]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1REMwFn026136 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 27 Feb 2017 09:23:00 -0500
Message-ID: <1488205378.2987.28.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Russ Housley <housley@vigilsec.com>, Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Mon, 27 Feb 2017 15:22:58 +0100
In-Reply-To: <46661456-29AE-4792-84B9-0A6C59767CB1@vigilsec.com>
References: <1544074.0Z1XjAZpMm@blitz-lx> <46661456-29AE-4792-84B9-0A6C59767CB1@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Mon, 27 Feb 2017 14:23:01 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_E4e15Jc_p6aceKWseFnXQIG-OI>
Cc: spasm@ietf.org
Subject: Re: [Spasm] New Internet-Draft: draft-housley-rfc5280-i18n-update-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2017 14:23:02 -0000

On Thu, 2017-01-19 at 10:21 -0500, Russ Housley wrote:
> On Jan 19, 2017, at 4:22 AM, Tim Ruehsen <tim.ruehsen@gmx.de> wrote:
> 
> > Hi,
> > 
> > as an implementer of IDN aware client software I am seeking for
> > clarification.
> > 
> > Punycode conversion of an IDN always comes with preprocessing
> > steps. These 
> > steps influence the resulting punycode in a way that a reverse
> > procedure 
> > (punycode decoding) doesn't result in the original IDN.
> > That leads to incompatibilities between IDNA2003 and IDNA2008,
> > addressed by 
> > Unicode technical report #46 (TR46)[1]. This technical report
> > defines two 
> > preprocessing procedures, namely 'transitional' and 'non-
> > transitional'.
> > 
> > Currently the open source client software (e.g. curl, wget) goes in
> > the 
> > direction of using TR46's 'non-transitional', which is very close
> > to IDNA2008 
> > + a few flaws fixed.
> > 
> > Maybe you could address this also in your draft, to clarify
> > implementation 
> > work.
> > 
> > Just a (often cited) example from the german locale:
> > 
> > IDNA2003 translates 'faß.de' to 'fass.de'. That is not revertable
> > by the means 
> > of IDNA2003. That means using IDN2003 to compare a certificates
> > validity would 
> > match 'faß.de' and 'fass.de', both have different owners... no
> > chance to do it 
> > right.
> > 
> > IDNA2008 fixes this and translates 'faß.de' to 'xn--fa-hia.de', but
> > doesn't 
> > address other peculiarities.
> > 
> > 
> > Having the above in mind, I would appreciate it if you clearly say:
> > 
> > 1. IDNs used in certs have to be punycode-encoded using TR46 non-
> > transitional 
> > processing (that is where we all want be to some time in the
> > future).
> 
> As you say, that would be equivalent to telling people to use
> IDNA2008 plus some stuff not agreed by the IETF consensus
> process.  Since this document will be an IETF consensus document
> (once approved), I think it better to stick to IDNA2088.

I think Tim's point here is that that the IDNA2008 doesn't define the
actual pre-processing steps needed prior to convert a unicode string to
punycode. If for example a non-ascii all caps string is encountered one
would have to pre-process it in order to use IDNA2008. This is not
something we can leave up to the implementer. We have to either use
TR46 or define what other preprocessing has to be used.

IDNA2003 for example maps "ÖBB.at" to "öbb.at", IDNA2008 doesn't define
what mapping is to be used. You can see that omission in the rationale
for the TR46, in the Mapping section 1.3.1 of: 
http://unicode.org/reports/tr46/

regards,
Nikos

v2.23.0 | Report a Bug | By Email