Re: [lamps] Suresh Krishnan's No Objection on draft-ietf-lamps-eai-addresses-15: (with COMMENT)

Eric Rescorla <> Sat, 24 February 2018 20:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9BFF21241F3 for <>; Sat, 24 Feb 2018 12:13:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nj9LhcIO06rd for <>; Sat, 24 Feb 2018 12:13:42 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0B73B120454 for <>; Sat, 24 Feb 2018 12:13:42 -0800 (PST)
Received: by with SMTP id y137so14817712qka.4 for <>; Sat, 24 Feb 2018 12:13:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K6q7P2OyYlGWknTGsorvdTTStsJo5Xk1tuD03bDESwg=; b=Ai0TGEge+9hnFB94hCRcHrRTSLFwev9oOP3nJCvmzie+JTmGe248h/7KcvVa7hf/xO 93Y9Nz/2ZqHYu1lczyOENdeOnqb0Ea0uRIsHNrNaUB6tF7aVEbBCm4/mwtOOcBmhZtIK E+MPE59P1NLSObgYqPeO04sF+lHiMtet9lTNA5aZSk8VMDFBciyHlkL5iTd4gGvxmkAP MrVLf62uT4juOlWhwnoaRH5xefohwyw24mbHQVnzSJcPOOOT/5Zcsg3d17oM2wvNR9TZ LTOvp7kd2KKQYnEQvYNXwF6HQRZzyCzuiDdxtejgmA8ANuA30/Q2sCxIsT8xMoXKKYTc JocA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K6q7P2OyYlGWknTGsorvdTTStsJo5Xk1tuD03bDESwg=; b=GrkxBU/aijMl3S7SNvtBttwHZuAilIVW9yv70x3+y0tbLE6StGey/wizhlZYQB41tv uyyU2Pz+5B0PXZHxAiZKUSgQE+Snpb02PJz7k9PimlSDqem3kir3kBfa35X791vSEjtn xFDURIUZBBdOYnoinvqWpne4ewOy/2+sI6trVshN+wXpbiT7y6iT4G0s/MFh6hSp6Bpu tikhIyW2hz3Rgqk+6iZQzUD/d+QzrB+ImmAezFvNHeVS553yhrL682GsIfB/j7ggCOxH aGBwqDrpKtl2ix9HQfC7QatDx987wqPS+a0JLOP6H48766LRq7b3zzVp+ZjrD7oet1Nw w37Q==
X-Gm-Message-State: APf1xPAfB0Xro+tBf8VOVmNcZ6HNx7PIFlL1GvflLKBALaEAsLKF0u5x tj3sSz7wUnSU+e9WTxal7h7F9X/bDmLyEg5NVA76LLqm
X-Google-Smtp-Source: AG47ELv5VotfQfO3IGXbxh0CINkdrMxcuIeU+/dA7kXE/KoIKbdlghmJ/o7l52cmyJnzy7VxBaapmugfX0Qd1OsgwHM=
X-Received: by with SMTP id r89mr9266294qkr.152.1519503221132; Sat, 24 Feb 2018 12:13:41 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sat, 24 Feb 2018 12:13:00 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <>
From: Eric Rescorla <>
Date: Sat, 24 Feb 2018 12:13:00 -0800
Message-ID: <>
To: Russ Housley <>
Cc: Suresh Krishnan <>, Alexey Melnikov <>, Wei Chuang <>, "" <>
Content-Type: multipart/alternative; boundary="001a1149442cbb1aba0565fae96e"
Archived-At: <>
Subject: Re: [lamps] Suresh Krishnan's No Objection on draft-ietf-lamps-eai-addresses-15: (with COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 24 Feb 2018 20:13:43 -0000

I tend to agree with Suresh that a reference here would help. Could we just
have something like
"See [] for more on security issues with Unicode"

On Fri, Feb 16, 2018 at 9:24 AM, Russ Housley <> wrote:

> The document already covers that:
> 7.  Security Considerations
>   Use of SmtpUTF8Mailbox for certificate subjectAltName (and
>   issuerAltName) will incur many of the same security considerations as
>   in Section 8 in [RFC5280], but introduces a new issue by permitting
>   non-ASCII characters in the email address local-part.  This issue, as
>   mentioned in Section 4.4 of [RFC5890] and in Section 4 of [RFC6532],
>   is that use of Unicode introduces the risk of visually similar and
>   identical characters which can be exploited to deceive the recipient.
>   The former document references some means to mitigate against these
>   attacks.
> I looked at RFC 6943. While it is a good document, I don't see an obvious
> way of referencing it. There is so much material there unrelated to
> Internationalization, so it is difficult to find a useful way of
> referencing it. If you have some specific suggestions, please let me know.
> I thought of putting in a reference to Section 4.2. of RFC6943 could be
> useful especially since I personally found the reference to [WEBER] there
> very useful to understand the potential attacks. That said, maybe that is
> only because I am a total outsider to this space and these could be well
> understood attacks in the community that is the target of the draft. I am
> fine to proceed without adding a reference. Thanks for checking to see if
> this is covered.
> Where are we in resolving this comment.  It seems to be the only thing
> keeping this document from the RFC Editor Queue.
> Russ