[Spasm] Different EAI options for carrying IDNs
Wei Chuang <weihaw@google.com> Sun, 07 May 2017 22:42 UTC
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B80D126CF9 for <spasm@ietfa.amsl.com>; Sun, 7 May 2017 15:42:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIXLCjipfD8d for <spasm@ietfa.amsl.com>; Sun, 7 May 2017 15:42:26 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57DEF126C3D for <spasm@ietf.org>; Sun, 7 May 2017 15:42:26 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id k91so40586525ioi.1 for <spasm@ietf.org>; Sun, 07 May 2017 15:42:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=zLSwzLTluNqMS8rW0fZKO0ZURYQUrjurvgpbZ8lLYE4=; b=mzAUG0KJsEhvEkayVUd3W8NDNgodspjtp+hOW9uJyXs9Af/5XLcH+qdeHQpNSVM4Sj 60KNvYiUf4cig/n5MAnPchxaujYZ78nFQPJeEWR/v+XgU020q9sLdZ6ps36tc90imRuE 0M0mtJs2Pi5bqPQdjb3A+Qgn2G9AuGM/dxR5ikdz/3vxD6pj8Tvs5zJyMqsrMZamY6kN beF7vAAgSkr5RfNOc1j2Mh8vnYqASKa65xsVVzplma6zJhavhMlOVf4xxHtsWN+SbvTw fXMy2CjBeUf1ja7PobnJP3E/s/VbOPq73rErVX/21Gs65dB6dyeXftk8okWv1vjF+Ka5 eIqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=zLSwzLTluNqMS8rW0fZKO0ZURYQUrjurvgpbZ8lLYE4=; b=POq/VGps5O1TRU8dV2aaseR8npQ2q3v34ZKAXPqqI/BvbKrs7P+pTQiJC3CRAAHpeA uvn1UzLmdMJM4Hvnwdf5XrZk1E3yce/HhRSy/T5QDs1NrNpeu9MMTlYP6uOc/iC3o3sz Uk/ykncalKrqAgtJaW59NvEsrBWVxwLD5zTaSuC6DGXl68LqRU1lSaKycG3akvaJKRZ3 qAf7y8NM1u139Lp/nPgD7GaVXVfg6f2SbvZ9wOQv+YBFUfheBbnvUuiDco/+vlkBpVst AlZ/CizxGBeDJ7JqYWwbP2sVmLlDOkZ6cqgN1trKp8S5W0msCUU2eIIMjwcp/pc/maPW bEDg==
X-Gm-Message-State: AN3rC/5TAsan652dgar1V+jerEhZxzoGcEH4B7VB9OzmHmsjWuVsJGHT x6c4KNnK06r+9fFRtLxIp/GT8XZiiVh2YyO5jw==
X-Received: by 10.107.36.71 with SMTP id k68mr61484791iok.130.1494196945182; Sun, 07 May 2017 15:42:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.8.32 with HTTP; Sun, 7 May 2017 15:42:24 -0700 (PDT)
From: Wei Chuang <weihaw@google.com>
Date: Sun, 07 May 2017 15:42:24 -0700
Message-ID: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com>
To: SPASM <spasm@ietf.org>
Cc: Russ Housley <housley@vigilsec.com>, Viktor Dukhovni <ietf-dane@dukhovni.org>, Nico Williams <nico@cryptonector.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1140f7cc2a900e054ef6d6c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hE7nHkzsXpUJ_p5pJ3uzUDI1rxU>
Subject: [Spasm] Different EAI options for carrying IDNs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2017 22:42:28 -0000
Hi all, To resolve the direction of the EAI draft, I've tried to summarize the different options from the earlier mail threads on draft-ietf-lamps-eai-addresses-09 and highlight particular features that might help differentiate the approaches. In particular there might have been confusion with the earlier Option 1, so this describes draft -09 take on it. This then tries to summarize the two very different approaches of carrying IDNs solely as A-label (Option 2) and U-label (Option 4). This also describes the option of providing both SAN forms rfc822Name and SmtpUTF8Name that was brought up in the thread as well (Option 3). I've tried CC'ing the folks who proposed these different options, in case I've missed anything in the summary. Comments welcome, particularly about about a preferred direction. -Wei ===== Option 1 is described in the -09 draft. When the local part of a email address SAN is non-ASCII, the SAN is in SmtpUTF8Name form which carries the IDNs as U-Labels, otherwise the SAN is in rfc822Name which carries the IDNs as A-label. Name constraints always use rfc822Name as it only now represents hostname and domain only. * FROM comparsion- no conversion for SmtpUTF8Name; conversion of FROM U-Labels to A-label for comparison with rfc822Name; more frequent. * Display- no conversion for SmtpUTF8Name; conversion of rfc822Name SAN A-labels to U-label for display; more frequent. * Name constraint- no conversion for rfc822Name SAN for path verification; conversion needed for SmptUTF8Name path verification where rfc822Name name constraint A-labels is converted to U-label; name constraints are very infrequently issued. * Internationalization library needed for path verifier for name constraint conversion, FROM comparison and display. * Lower byte overhead as rfc822Name more frequently used which is generally more compact. * Fully backwards compatible. Example SAN SmtpUTF8Name 医生@大学.com <http://xn--pss25c.com> rfc822Name student@xn--pss25c.com Example name constraint rfc822Name xn--pss25c.com Option 2 is described in Viktor and Russ's message, where IDNs are always carried as A-Labels. When the local part of a email address SAN is non-ASCII, the SAN is in SmtpUTF8Name form which carries the the IDNs as A-Labels, otherwise the SAN is in rfc822Name which carries the IDNs as A-label. Name constraints always use rfc822Name as it only now represents hostname and domain only. * FROM comparsion- conversion of FROM U-labels to A-labels for comparison with rfc822Name and SmtpUTF8Name IDNs A-label; more frequent * Display- conversion of rfc822Name and SmtpUTF8Name SAN IDNs A-labels to U-labels; more frequent * Name constraint- No conversion of IDNs; name constraints are very infrequently used. * Internationalization library needed for FROM comparison and display. * lower byte overhead as rfc822Name more frequently used which is generally more compact. * Fully backwards compatible. Example SAN SmtpUTF8Name 医生@xn--pss25c.com rfc822Name student@xn--pss25c.com Example name constraint rfc822Name xn--pss25c.com Option 3 is described in William’s message where both SAN forms rfc822Name and SmtpUTF8Name are present for a given email address and represent equivalent information (except when local-part can't be represented as in rfc822Name and non-ASCII local-part). SmtpUTF8Name carries the IDNs as U-Labels while rfc822Name carries the IDNs as A-labels. Name constraints presumably always use rfc822Name and it only now represents hostname and domain only. * FROM comparsion- Select SmtpUTF8Name for comparison which does not need IDN label conversion; more frequent. * Display- Select SmtpUTF8Name for display which does not need IDN label conversion; more frequent. * Name constraint- Select rfc822Name for path verification comparison which does not need IDN label conversion; name constraints are very infrequently used. * Internationalization library not needed for conversion. * Higher byte overhead as duplicate SAN are present. * Fully backwards compatible. Example SAN SmtpUTF8Name 医生@大学.com <http://xn--pss25c.com> SmtpUTF8Name student@大学.com rfc822Name student@xn--pss25c.com (equivalent to above) Example name constraint rfc822Name xn--pss25c.com Option 4 is alluded to in Russ's and Viktor's emails (as an idealized Option 1) and takes some elements of -08. The SAN of up-to-date issuers SHOULD use the SmtpUTF8Name form which carries the the IDNs as U-Labels for all email addresses, though rfc822Name SAN which carries the the IDNs as A-Labels may be present particularly from legacy issuers. Name constraints MUST now present both SmtpUTF8Name and rfc822Name forms (for backwards compatibility), and still only represents hostname and domain only. * FROM comparsion- No conversion for SmtpUTF8Name (though required for legacy); more frequent. * Display- No conversion for SmtpUTF8Name (though required for legacy); more frequent. * Name constraint- Select form needed hence no conversion (though required for legacy); name constraints are very infrequently used. * Internationalization library needed for legacy or backwards compatibility during FROM comparison or path verification. * Moderately more byte overhead as SmtpUTF8Name has an extra OID vs rfc822Name. Some penalty for duplicate name constraint though that is infrequent. * Fully backwards compatible. Example SAN SmtpUTF8Name 医生@大学.com <http://xn--pss25c.com> SmtpUTF8Name student@大学.com Example name constraint SmtpUTF8Name 大学.com <http://xn--pss25c.com> rfc822Name xn--pss25c.com (equivalent to above)
- [Spasm] Different EAI options for carrying IDNs Wei Chuang
- Re: [Spasm] Different EAI options for carrying ID… Russ Housley
- Re: [Spasm] Different EAI options for carrying ID… Viktor Dukhovni
- Re: [Spasm] Different EAI options for carrying ID… Dmitry Belyavsky
- Re: [Spasm] Different EAI options for carrying ID… Russ Housley