Re: [lamps] Spencer Dawkins' No Objection on draft-ietf-lamps-eai-addresses-15: (with COMMENT)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Mon, 08 January 2018 15:56 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCD1B12706D; Mon, 8 Jan 2018 07:56:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LgodzYymtgho; Mon, 8 Jan 2018 07:56:52 -0800 (PST)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C3E3126579; Mon, 8 Jan 2018 07:56:52 -0800 (PST)
Received: by mail-yb0-x22d.google.com with SMTP id j7so4688450ybl.3; Mon, 08 Jan 2018 07:56:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WZDvcBQbdOpgJ97BS0F1Uooy+bWQX5zInbygeAopaaY=; b=JrfYXhxJ1QN8qPsqhbezRcZBIqjQNbQruSO//6F7nhP49flQp2W/sw8NYbcTApjVTb /ddZRi+VlGOKXND6zApHlqKz3TzzpzYAGebGQ/8XWB6mUbYgmngc2k2wWfXXtyKBrso6 dtDF9FC52xoHPyqxuDhLCX7KWTaKtODcRdmt8GD6cbFnzw6ObQVkX323No6hWTOA1PHZ 9sQdnqJXYSH+8CTkc+RmMBXy2ahnPQPdESisogO982hNfYVupXE0FEBQiDXID0/NpkZH n01wso4pf3LavaM2kBolmDHLJMX5GbQkwbZgb1N7k5jwnctiOVMg6YNUnqtBS5Kbmmtv lYgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WZDvcBQbdOpgJ97BS0F1Uooy+bWQX5zInbygeAopaaY=; b=uFXP1PURzx3UY5kaZaP9s2tpZF6tr6raM8h7n+PVLd19FWEo1CHpeYdoKhocoPo9Iz sXKRtgVS+81haHX/ehQUWlbTzvFMzScuvEv8g6jmo6ipGoTpowjkuKV4S1Cnf6sMO5+c JIKU2kZe0i5Yi12w27PpEbzhLDsAvjucxo+Eqpx+j3BRx+nAP34hHO4uec66d7bOrRLh KsRK4SAisiTu22UoEGT0wjGYfjLo9tH9b6u33JxJsckJRS1uKLyKn9A2Z7l+CctEovLR AuBGW1vEU+69H2vOkshrbGPvhnFCGwimhhbKj2xhmpiHDxgQvsscudWMbSpapnZBvaHQ 7Xgw==
X-Gm-Message-State: AKGB3mJHIyG1n4IF9ndjn8fkfOZcPokU9OjN4ftJZlmTw90JayUIPjbs 2LIHROc9LbKyX3EwCZfy+QBwUGKB8TM6gXVS9/g=
X-Google-Smtp-Source: ACJfBotSRzNF8Xm5Tgo3BTbm6vDUk/kLFENE35wNQfU67N66EFNpDWAOdtWAY8tbmAdQ9iIGgja7+vhg1ZNigGYcaSQ=
X-Received: by 10.37.50.137 with SMTP id y131mr11394637yby.417.1515427011491; Mon, 08 Jan 2018 07:56:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.132.6 with HTTP; Mon, 8 Jan 2018 07:56:51 -0800 (PST)
In-Reply-To: <0dbab422-5208-50fc-6db3-4304599a8d24@isode.com>
References: <151439056144.29897.5203263014335278965.idtracker@ietfa.amsl.com> <0dbab422-5208-50fc-6db3-4304599a8d24@isode.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Mon, 8 Jan 2018 09:56:51 -0600
Message-ID: <CAKKJt-daCmXR+eK=9fOAWEAqZ9=ooNshiJ_3DpfLidux+idTfw@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: The IESG <iesg@ietf.org>, spasm@ietf.org, lamps-chairs@ietf.org, draft-ietf-lamps-eai-addresses@ietf.org, Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="001a1146bb3ab3fcca056245d8ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/iGc6qABtSuGxrQukyhRdIJ3Wssc>
Subject: Re: [lamps] Spencer Dawkins' No Objection on draft-ietf-lamps-eai-addresses-15: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2018 15:56:55 -0000

Hi, Alexey,

On Mon, Jan 8, 2018 at 9:11 AM, Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Hi Spencer,
>
> Thank you for your comments.
>
>
> On 27/12/2017 16:02, Spencer Dawkins wrote:
>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I know that you guys have been doing this longer than I've even been
>> thinking
>> about it, but I'm looking at
>>
>>    Due to operational reasons to be described shortly and name
>>     constraint compatibility reasons described in Section 6,
>>     SmtpUTF8Mailbox subjectAltName MUST only be used when the local-part
>>     of the email address contains non-ASCII characters.  When the local-
>>     part is ASCII, rfc822Name subjectAltName MUST be used instead of
>>     SmtpUTF8Mailbox.  This is compatible with legacy software that
>>     supports only rfc822Name (and not SmtpUTF8Mailbox).  The appropriate
>>     usage of rfc822Name and SmtpUTF8Mailbox is summarized in Table 1
>>     below.
>>
>> and, if I'm reading this correctly, the plan is
>>
>>          IF you don't NEED to send non-ASCII characters
>>                  use rfc822Name
>>                  and all implementations know what that means
>>                  and all implementations will work fine
>>          ELSE you DO have non-ASCII characters so
>>                  use SmtpUTF8Mailbox
>>                  and all the new implementations will work fine
>>                  and all the old implementations will barf
>>                  which is OK because they can't handle non-ASCII anyway
>>
> Almost. Old implementations will just ignore such values in certificates,
> which is fine, because they can't handle non-ASCII anyway.
>
>> Am I getting that right? Assuming so, I looked at the "operational
>> reasons to
>> be described shortly" and "name constraint compatibility reasons
>> described in
>> Section 6", and didn't see anything that was was quite that blunt.
>>
> My co-editor and I should double check that the text you quoted (at least
> the promise of explanation) is still accurate.
>
>> Assuming that you're sending SmtpUTF8Mailbox to an implementation that
>> doesn't
>> support it, and you figure that out, is there a well-understood fallback
>> that
>> could be either referenced or described in a sentence or two?
>>
> I think fallback will depend on how certificates with SmtpUTF8Mailbox are
> to be used. If they are used with S/MIME, then an email client that
> supports EAI and S/MIME also need to be updated to support EAI in S/MIME.
> As there is no algorithmic mapping defined between non-ASCII
> SmtpUTF8Mailbox and traditional ASCII-only email addresses, your mileage
> will vary.
>
> Similarly if this is used in TLS for user authentication, email server
> implementation need to be updated to recognize SmtpUTF8Mailbox in client
> TLS certificates.
>
> Does this help or did I misunderstand the type of fallback you are talking
> about?
>

This was helpful. Thanks. I trust that the right things will happen :-)

Spencer


>
> Best Regards,
> Alexey
>
> If the answer is "what an implementation does at that point is up to the
>> implementation, and different implementations may have different reasons
>> to
>> respond differently", that could be a fine answer, of course.
>>
>
>