IETF Logo Mail Archive

Re: [lamps] Suresh Krishnan's No Objection on draft-ietf-lamps-eai-addresses-15: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Sat, 24 February 2018 20:13 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BFF21241F3 for <spasm@ietfa.amsl.com>; Sat, 24 Feb 2018 12:13:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nj9LhcIO06rd for <spasm@ietfa.amsl.com>; Sat, 24 Feb 2018 12:13:42 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B73B120454 for <spasm@ietf.org>; Sat, 24 Feb 2018 12:13:42 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id y137so14817712qka.4 for <spasm@ietf.org>; Sat, 24 Feb 2018 12:13:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K6q7P2OyYlGWknTGsorvdTTStsJo5Xk1tuD03bDESwg=; b=Ai0TGEge+9hnFB94hCRcHrRTSLFwev9oOP3nJCvmzie+JTmGe248h/7KcvVa7hf/xO 93Y9Nz/2ZqHYu1lczyOENdeOnqb0Ea0uRIsHNrNaUB6tF7aVEbBCm4/mwtOOcBmhZtIK E+MPE59P1NLSObgYqPeO04sF+lHiMtet9lTNA5aZSk8VMDFBciyHlkL5iTd4gGvxmkAP MrVLf62uT4juOlWhwnoaRH5xefohwyw24mbHQVnzSJcPOOOT/5Zcsg3d17oM2wvNR9TZ LTOvp7kd2KKQYnEQvYNXwF6HQRZzyCzuiDdxtejgmA8ANuA30/Q2sCxIsT8xMoXKKYTc JocA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K6q7P2OyYlGWknTGsorvdTTStsJo5Xk1tuD03bDESwg=; b=GrkxBU/aijMl3S7SNvtBttwHZuAilIVW9yv70x3+y0tbLE6StGey/wizhlZYQB41tv uyyU2Pz+5B0PXZHxAiZKUSgQE+Snpb02PJz7k9PimlSDqem3kir3kBfa35X791vSEjtn xFDURIUZBBdOYnoinvqWpne4ewOy/2+sI6trVshN+wXpbiT7y6iT4G0s/MFh6hSp6Bpu tikhIyW2hz3Rgqk+6iZQzUD/d+QzrB+ImmAezFvNHeVS553yhrL682GsIfB/j7ggCOxH aGBwqDrpKtl2ix9HQfC7QatDx987wqPS+a0JLOP6H48766LRq7b3zzVp+ZjrD7oet1Nw w37Q==
X-Gm-Message-State: APf1xPAfB0Xro+tBf8VOVmNcZ6HNx7PIFlL1GvflLKBALaEAsLKF0u5x tj3sSz7wUnSU+e9WTxal7h7F9X/bDmLyEg5NVA76LLqm
X-Google-Smtp-Source: AG47ELv5VotfQfO3IGXbxh0CINkdrMxcuIeU+/dA7kXE/KoIKbdlghmJ/o7l52cmyJnzy7VxBaapmugfX0Qd1OsgwHM=
X-Received: by 10.55.43.220 with SMTP id r89mr9266294qkr.152.1519503221132; Sat, 24 Feb 2018 12:13:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.37.176 with HTTP; Sat, 24 Feb 2018 12:13:00 -0800 (PST)
In-Reply-To: <C8F2790D-2EF9-4380-82D0-240D9CCC526D@vigilsec.com>
References: <151564026499.22453.4457143592887035396.idtracker@ietfa.amsl.com> <1515687117.1257366.1232046744.30F6CC88@webmail.messagingengine.com> <39EBFE0E-F7D5-4257-9254-CEC8D15C4435@kaloom.com> <1518431987.1831236.1267758584.2A4EF883@webmail.messagingengine.com> <31F17EFC-2DE2-4614-BAC7-6822E7C152C5@kaloom.com> <C8F2790D-2EF9-4380-82D0-240D9CCC526D@vigilsec.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Feb 2018 12:13:00 -0800
Message-ID: <CABcZeBOQ4tLTq3NaZn46-Jf5wCPyoJruNxQT+nLpnL84h1rN=w@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Suresh Krishnan <suresh@kaloom.com>, Alexey Melnikov <aamelnikov@fastmail.fm>, Wei Chuang <weihaw@google.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="001a1149442cbb1aba0565fae96e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jUoQLEtJBTGhzpGsvc1md7FlHc0>
Subject: Re: [lamps] Suresh Krishnan's No Objection on draft-ietf-lamps-eai-addresses-15: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Feb 2018 20:13:43 -0000

I tend to agree with Suresh that a reference here would help. Could we just
have something like
"See [] for more on security issues with Unicode"


On Fri, Feb 16, 2018 at 9:24 AM, Russ Housley <housley@vigilsec.com> wrote:

> The document already covers that:
>
> 7.  Security Considerations
>
>   Use of SmtpUTF8Mailbox for certificate subjectAltName (and
>   issuerAltName) will incur many of the same security considerations as
>   in Section 8 in [RFC5280], but introduces a new issue by permitting
>   non-ASCII characters in the email address local-part.  This issue, as
>   mentioned in Section 4.4 of [RFC5890] and in Section 4 of [RFC6532],
>   is that use of Unicode introduces the risk of visually similar and
>   identical characters which can be exploited to deceive the recipient.
>   The former document references some means to mitigate against these
>   attacks.
>
> I looked at RFC 6943. While it is a good document, I don't see an obvious
> way of referencing it. There is so much material there unrelated to
> Internationalization, so it is difficult to find a useful way of
> referencing it. If you have some specific suggestions, please let me know.
>
>
> I thought of putting in a reference to Section 4.2. of RFC6943 could be
> useful especially since I personally found the reference to [WEBER] there
> very useful to understand the potential attacks. That said, maybe that is
> only because I am a total outsider to this space and these could be well
> understood attacks in the community that is the target of the draft. I am
> fine to proceed without adding a reference. Thanks for checking to see if
> this is covered.
>
>
> Where are we in resolving this comment.  It seems to be the only thing
> keeping this document from the RFC Editor Queue.
>
> Russ
>
>

v2.23.0 | Report a Bug | By Email