IETF Logo Mail Archive

Re: [Spasm] Name Constraints on Email Addresses

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 03 April 2017 00:12 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB43E129562 for <spasm@ietfa.amsl.com>; Sun, 2 Apr 2017 17:12:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6N2vbOu167A3 for <spasm@ietfa.amsl.com>; Sun, 2 Apr 2017 17:12:31 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A25912955E for <spasm@ietf.org>; Sun, 2 Apr 2017 17:12:31 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 35B8D7A330D; Mon, 3 Apr 2017 00:12:30 +0000 (UTC)
Date: Mon, 03 Apr 2017 00:12:30 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: SPASM <spasm@ietf.org>
Message-ID: <20170403001229.GL25754@mournblade.imrryr.org>
Reply-To: spasm@ietf.org
References: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <30C54B1B-1C86-418D-B039-8B8047F80622@vigilsec.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/iY4mdV2MCy-LJ4DevBPHqBK7hr8>
Subject: Re: [Spasm] Name Constraints on Email Addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 00:12:34 -0000

On Sun, Apr 02, 2017 at 12:25:36PM -0400, Russ Housley wrote:

> At the LAMPS WG session is Chicago, we discussed the concerns raised during
> IETF Last Call on draft-ietf-lamps-eai-addresses.  The discussion proposed
> a different way forward for constraints on email addresses.  The suggestion
> has two parts.  First, an update to RFC 5280, Section 4.2.1.10.  Second,
> have the constraints against the rfc822Name apply to the SmtpUTF8Name by
> mapping any A-Labels that paper in the constraint to U-Labels.  No
> SmtpUTF8Name constraints are ever needed.

The proposed interpretation of rfc822Name constraints as SMTPUtf8Name
constraints will of course entail not only decoding A-labels from
to U-labels, but also an identity mapping on NR-LDH labels.

The proposed direction of the mapping (decoding constraints to
UTF-8, rather than encoding SMTPUtf8 subjectAltNames to A-labels)
is crucial and correct.  Decoding from punycode to UTF-8 is a very
mechanical process that does not involve any input normalization,
or differences in the rules beteen IDNA2003 and IDNA2008.

In particular, I think we can add a punycode *decoder* to OpenSSL,
without introducing any dependencies on external libraries.  Adding
an encoder would probably require libicu or similar, and would be
a significant burden.

Well, we could perhaps be able to continue to express mailbox
constraints for ASCII localparts, but it is hardly worth it.

> It was observed that the conversion of an A-Lable to a U-Label and back
> to an A-Label may not alway give the same string.  Perhaps we could say:
> Conforming CAs SHOULD only include A-Labels in the rfc822Name constraint
> that result in the same result when converted to a U-Label and back again
> to an A-Label.

It suffices for the domain names that will appear in SMTPUtf8Name
subjectAltName elements of the certificate to match the decoded
rfc822Name constraints.

The real complexity is in whatever mapping, if any, the application
has to do to construct a "canonical" reference identifier from the
sender address of the message.  The applications I use (at least
all the browsers and the Postfix MTA) perform the mappings from
UTS#46 (<http://unicode.org/reports/tr46/#Mapping>) thereby producing
the same A-label form for many case-variants of UTF-8 strings.
Thus, for example:

    $ posttls-finger -c -Lsummary духовный.org 
    posttls-finger: духовный.org asciified to xn--b1adqpd3ao5c.org
    posttls-finger: Verified TLS connection established to smtp.imrryr.org[108.5.242.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

    $ posttls-finger -c -Lsummary Духовный.org 
    posttls-finger: Духовный.org asciified to xn--b1adqpd3ao5c.org
    posttls-finger: Verified TLS connection established to smtp.imrryr.org[108.5.242.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

In OpenSSL I don't think that the library can reasonably be expected
to perform the UTS#46 mappings.  Instead, the application will be
responsible for applying any such mapping to hand the library an
email address whose domain part is already suitably mapped.

Would it be appropriate for the draft to align to real-world practice
and converge on UTS#46 mapping of U-labels?

> The represent a significant change in direction for this document.  Please
> speak promptly is you disagree with this new direction.

Looks good to me.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email