IETF Logo Mail Archive

[Spasm] Different EAI options for carrying IDNs

Wei Chuang <weihaw@google.com> Sun, 07 May 2017 22:42 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B80D126CF9 for <spasm@ietfa.amsl.com>; Sun, 7 May 2017 15:42:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIXLCjipfD8d for <spasm@ietfa.amsl.com>; Sun, 7 May 2017 15:42:26 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57DEF126C3D for <spasm@ietf.org>; Sun, 7 May 2017 15:42:26 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id k91so40586525ioi.1 for <spasm@ietf.org>; Sun, 07 May 2017 15:42:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=zLSwzLTluNqMS8rW0fZKO0ZURYQUrjurvgpbZ8lLYE4=; b=mzAUG0KJsEhvEkayVUd3W8NDNgodspjtp+hOW9uJyXs9Af/5XLcH+qdeHQpNSVM4Sj 60KNvYiUf4cig/n5MAnPchxaujYZ78nFQPJeEWR/v+XgU020q9sLdZ6ps36tc90imRuE 0M0mtJs2Pi5bqPQdjb3A+Qgn2G9AuGM/dxR5ikdz/3vxD6pj8Tvs5zJyMqsrMZamY6kN beF7vAAgSkr5RfNOc1j2Mh8vnYqASKa65xsVVzplma6zJhavhMlOVf4xxHtsWN+SbvTw fXMy2CjBeUf1ja7PobnJP3E/s/VbOPq73rErVX/21Gs65dB6dyeXftk8okWv1vjF+Ka5 eIqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=zLSwzLTluNqMS8rW0fZKO0ZURYQUrjurvgpbZ8lLYE4=; b=POq/VGps5O1TRU8dV2aaseR8npQ2q3v34ZKAXPqqI/BvbKrs7P+pTQiJC3CRAAHpeA uvn1UzLmdMJM4Hvnwdf5XrZk1E3yce/HhRSy/T5QDs1NrNpeu9MMTlYP6uOc/iC3o3sz Uk/ykncalKrqAgtJaW59NvEsrBWVxwLD5zTaSuC6DGXl68LqRU1lSaKycG3akvaJKRZ3 qAf7y8NM1u139Lp/nPgD7GaVXVfg6f2SbvZ9wOQv+YBFUfheBbnvUuiDco/+vlkBpVst AlZ/CizxGBeDJ7JqYWwbP2sVmLlDOkZ6cqgN1trKp8S5W0msCUU2eIIMjwcp/pc/maPW bEDg==
X-Gm-Message-State: AN3rC/5TAsan652dgar1V+jerEhZxzoGcEH4B7VB9OzmHmsjWuVsJGHT x6c4KNnK06r+9fFRtLxIp/GT8XZiiVh2YyO5jw==
X-Received: by 10.107.36.71 with SMTP id k68mr61484791iok.130.1494196945182; Sun, 07 May 2017 15:42:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.8.32 with HTTP; Sun, 7 May 2017 15:42:24 -0700 (PDT)
From: Wei Chuang <weihaw@google.com>
Date: Sun, 07 May 2017 15:42:24 -0700
Message-ID: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com>
To: SPASM <spasm@ietf.org>
Cc: Russ Housley <housley@vigilsec.com>, Viktor Dukhovni <ietf-dane@dukhovni.org>, Nico Williams <nico@cryptonector.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1140f7cc2a900e054ef6d6c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hE7nHkzsXpUJ_p5pJ3uzUDI1rxU>
Subject: [Spasm] Different EAI options for carrying IDNs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2017 22:42:28 -0000

Hi all,

To resolve the direction of the EAI draft, I've tried to summarize the
different
options from the earlier mail threads on draft-ietf-lamps-eai-addresses-09
and
highlight particular features that might help differentiate the
approaches.  In
particular there might have been confusion with the earlier Option 1, so
this
describes draft -09 take on it.  This then tries to summarize the two very
different approaches of carrying IDNs solely as A-label (Option 2) and
U-label
(Option 4).  This also describes the option of providing both SAN forms
rfc822Name and SmtpUTF8Name that was brought up in the thread as well
(Option 3).
I've tried CC'ing the folks who proposed these different options, in case
I've missed
anything in the summary.  Comments welcome, particularly about about a
preferred
direction.

-Wei

=====

Option 1 is described in the -09 draft.  When the local part of a email
address
SAN is non-ASCII, the SAN is in SmtpUTF8Name form which carries the IDNs as
U-Labels, otherwise the SAN is in rfc822Name which carries the IDNs as
A-label.
Name constraints always use rfc822Name as it only now represents hostname
and
domain only.

* FROM comparsion- no conversion for SmtpUTF8Name; conversion of FROM
U-Labels
  to A-label for comparison with rfc822Name; more frequent.
* Display- no conversion for SmtpUTF8Name; conversion of rfc822Name SAN
A-labels
  to U-label for display; more frequent.
* Name constraint- no conversion for rfc822Name SAN for path verification;
  conversion needed for SmptUTF8Name path verification where rfc822Name name
  constraint A-labels is converted to U-label; name constraints are very
  infrequently issued.
* Internationalization library needed for path verifier for name constraint
  conversion, FROM comparison and display.
* Lower byte overhead as rfc822Name more frequently used which is generally
  more compact.
* Fully backwards compatible.

Example SAN
  SmtpUTF8Name          医生@大学.com <http://xn--pss25c.com>
  rfc822Name            student@xn--pss25c.com

Example name constraint
  rfc822Name            xn--pss25c.com


Option 2 is described in Viktor and Russ's message, where IDNs are always
carried as A-Labels.  When the local part of a email address SAN is
non-ASCII,
the SAN is in SmtpUTF8Name form which carries the the IDNs as A-Labels,
otherwise the SAN is in rfc822Name which carries the IDNs as A-label.  Name
constraints always use rfc822Name as it only now represents hostname and
domain
only.

* FROM comparsion- conversion of FROM U-labels to A-labels for comparison
with
  rfc822Name and SmtpUTF8Name IDNs A-label; more frequent
* Display- conversion of rfc822Name and SmtpUTF8Name SAN IDNs A-labels to
  U-labels; more frequent
* Name constraint- No conversion of IDNs; name constraints are very
infrequently used.
* Internationalization library needed for FROM comparison and display.
* lower byte overhead as rfc822Name more frequently used which is generally
  more compact.
* Fully backwards compatible.

Example SAN
  SmtpUTF8Name          医生@xn--pss25c.com
  rfc822Name            student@xn--pss25c.com

Example name constraint
  rfc822Name            xn--pss25c.com


Option 3 is described in William’s message where both SAN forms rfc822Name
and
SmtpUTF8Name are present for a given email address and represent equivalent
information (except when local-part can't be represented as in rfc822Name
and
non-ASCII local-part).  SmtpUTF8Name carries the IDNs as U-Labels while
rfc822Name carries the IDNs as A-labels.  Name constraints presumably
always use
rfc822Name and it only now represents hostname and domain only.

* FROM comparsion- Select SmtpUTF8Name for comparison which does not need
IDN
  label conversion; more frequent.
* Display- Select SmtpUTF8Name for display which does not need IDN label
  conversion; more frequent.
* Name constraint- Select rfc822Name for path verification comparison which
does
  not need IDN label conversion; name constraints are very infrequently
used.
* Internationalization library not needed for conversion.
* Higher byte overhead as duplicate SAN are present.
* Fully backwards compatible.

Example SAN
  SmtpUTF8Name          医生@大学.com <http://xn--pss25c.com>
  SmtpUTF8Name          student@大学.com
  rfc822Name            student@xn--pss25c.com  (equivalent to above)

Example name constraint
  rfc822Name            xn--pss25c.com


Option 4 is alluded to in Russ's and Viktor's emails (as an idealized
Option 1)
and takes some elements of -08.  The SAN of up-to-date issuers SHOULD use
the
SmtpUTF8Name form which carries the the IDNs as U-Labels for all email
addresses, though rfc822Name SAN which carries the the IDNs as A-Labels may
be
present particularly from legacy issuers.  Name constraints MUST now present
both SmtpUTF8Name and rfc822Name forms (for backwards compatibility), and
still
only represents hostname and domain only.

* FROM comparsion- No conversion for SmtpUTF8Name (though required for
legacy);
  more frequent.
* Display- No conversion for SmtpUTF8Name (though required for legacy); more
  frequent.
* Name constraint- Select form needed hence no conversion (though required
for
  legacy); name constraints are very infrequently used.
* Internationalization library needed for legacy or backwards compatibility
  during FROM comparison or path verification.
* Moderately more byte overhead as SmtpUTF8Name has an extra OID vs
rfc822Name.
  Some penalty for duplicate name constraint though that is infrequent.
* Fully backwards compatible.

Example SAN
  SmtpUTF8Name          医生@大学.com <http://xn--pss25c.com>
  SmtpUTF8Name          student@大学.com

Example name constraint
  SmtpUTF8Name          大学.com <http://xn--pss25c.com>
  rfc822Name            xn--pss25c.com  (equivalent to above)

v2.23.0 | Report a Bug | By Email