Re: [Spasm] Spasm Digest, Vol 13, Issue 21
Wei Chuang <weihaw@google.com> Fri, 28 April 2017 14:00 UTC
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F79E129C64 for <spasm@ietfa.amsl.com>; Fri, 28 Apr 2017 07:00:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLOb8HAUZdV9 for <spasm@ietfa.amsl.com>; Fri, 28 Apr 2017 07:00:29 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7A7C126B6D for <spasm@ietf.org>; Fri, 28 Apr 2017 06:57:19 -0700 (PDT)
Received: by mail-io0-x230.google.com with SMTP id r16so64336192ioi.2 for <spasm@ietf.org>; Fri, 28 Apr 2017 06:57:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=l2xUuy2MZ0rtshIjcMA8y8MH1w2fCMi4HgIhtcKWIPY=; b=sHsjgUMjU9Ii96vwMB1mi0xl7CZ2I6UAO56MzMY5tNxZQ+sz6t8KdPuOkevlZDwCrk 0LcxAdySE6YC6EkykyafATGkOGVJgkp6NaJ1CBHex5k/hgsqBtjzzu3lC6l0mQf4KJ6O JFzNr9sMZvVEmPMH0KRlfRv5wSQzk2JKicC7RPxBuFGbESMYea316gWZrSXBjvSwo5t5 YUDZiUs2QUu1uGtr5aE0+aCsazoIqoceV6UPSzfdV6QJgjsWuPBHbBIyVmq+e9CKtCws 2+TaVqJtPOJpB6hM/Q/9y+pilGF603CwkyprgQbJmffgMGOGJ2WOhCh4Ygq/YN7CU+5K TpnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=l2xUuy2MZ0rtshIjcMA8y8MH1w2fCMi4HgIhtcKWIPY=; b=HL6qdSritstIzBpblvC6x7aqS+bojS7F1zjrZvuPkNiGtVwsUh/71mac7/2ElGvOzo xKjRJzGvjiFUHdYt/uEWs4ygaebqqcHwn3uw7fY46P/kr630axEusVez89csmzHZk+CQ xJc2E5RA2FPjZ3WYRjOI35XmkWOQip2dk+8NRy3lr6GCPTYPRbY6I/nPmewgOoYp4MK6 5/3ygP1Up0oRTrjMs/PMOyjP8+X+24bAUM1arpWRadm2MUK9anO5lT49wkS9PBlvpfc1 avWMCieeL18sGKZNCf83AuYGMUcWWnXrL586+8KhdSqqnA0Gs03BGrv2d+r6eSXj2+Ji FgiA==
X-Gm-Message-State: AN3rC/7Rk0Zmrx+1L5cBeqxg0XKFSoD4SsSl8qACdMgkE5i6IGp83taP 76bRxdf1ORp8rPJK+fNVFMnNtebZF2VL
X-Received: by 10.107.36.71 with SMTP id k68mr12050939iok.130.1493387838682; Fri, 28 Apr 2017 06:57:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.168.98 with HTTP; Fri, 28 Apr 2017 06:57:17 -0700 (PDT)
In-Reply-To: <4B0879AB-0913-4232-AF06-C7E17538E74C@vigilsec.com>
References: <mailman.12.1493233203.16587.spasm@ietf.org> <A0D2106A-AF9F-4803-90FB-05565B7148B8@dukhovni.org> <BC920F8A-5624-4616-9DBD-CB11E4F29FC1@vigilsec.com> <20170427190314.GJ2856@localhost> <E3616585-D562-4D43-9AC2-CBCD86338DC9@vigilsec.com> <20170427214016.GK2856@localhost> <67321AE0-A036-4E86-BDA3-157C4340A84A@vigilsec.com> <20170427222534.GL2856@localhost> <4B0879AB-0913-4232-AF06-C7E17538E74C@vigilsec.com>
From: Wei Chuang <weihaw@google.com>
Date: Fri, 28 Apr 2017 06:57:17 -0700
Message-ID: <CAAFsWK2+-tyUacwjAcrsBzb+9VxwquSYqTbLa8zo0ZJZYA_bhg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Nico Williams <nico@cryptonector.com>, SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1140f7cca941cd054e3a73a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mdwDc9gK5o-AIRhBOZBtxbbH6sg>
Subject: Re: [Spasm] Spasm Digest, Vol 13, Issue 21
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Apr 2017 14:00:31 -0000
On Thu, Apr 27, 2017 at 5:19 PM, Russ Housley <housley@vigilsec.com> wrote: > > > On Apr 27, 2017, at 6:25 PM, Nico Williams <nico@cryptonector.com> > wrote: > > > > On Thu, Apr 27, 2017 at 05:42:27PM -0400, Russ Housley wrote: > >> > >>> On Apr 27, 2017, at 5:40 PM, Nico Williams <nico@cryptonector.com> > wrote: > >>> > >>> On Thu, Apr 27, 2017 at 05:32:41PM -0400, Russ Housley wrote: > >>>>> Option 3: Always include both, rfc822Name with A-labels and > SmtpUTF8Name > >>>>> with U-labels. > >>>> > >>>> Putting data that is supposed to be “the same” in two different > >>>> formats in the certificate leads to failure cases where the relying > >>>> party does not agree that they are actually the same. I’d like to > >>>> avoid the possibility of such consistency concerns. > >>> > >>> Multiple SANs aren't supposed nor required to be different > >>> representations of the same notional name. > >> > >> But, that is what you are offering as option 3 whenever there is an > >> IDN in use, carry it in both U-Label and A-Label form. > > > > I don't understand your concern. > > > > Is it not the case that I could have a cert with multiple SANs of any > > one type? Of course I could. If I was sending email as > > <foo@bar.example> and presented to an MSA a certificate that has an > > rfc822Name SAN for <foo@bar.example> and also an rfc822Name SAN for > > <blah@bar.example> then why should the MSA complain that one of those > > SANs does not match?! Of course it should not. > > > > Now if I try to send email as <foo@bár.example> and present a > > certificate with a <foo@xn--br-mia.example> rfc822Name SAN and a > > <foo@bár.example> smtpUTF8Name SAN, it should be the same story. > > > > Option 3 has the advantage that the relying party has to do no > > conversions to find a matching SAN provided the referrent name is > > already canonical, whether using A-labels or U-labels (but not a mix, > > natch). But more than that, it means that for ASCII local-parts the CA > > doesn't have to know that some MSA for that domain still doesn't handle > > smtpUTF8Name, and if that happens to be the case this cert will work. > > I have a problem with you saying that the common practice for an email > address that includes an IDN is to put both the A-Lable for and the U-Label > for in the certificate. This leads to more checks than are needed to make > sure that both conform to the name constraints, and it might lead to other > surprises because some relying parties use on form while other relying > parties use the other. I’m just arguing for the normal practice to be the > use of one of the encodings, not both. > +1 Option 3, while agreed it has some nice properties, causes a lot more complexity and creates a lot more room for implementation and operational errors. You can see that complexity in the earlier draft -08 in the example section where we tried to enumerate most of the cases: https://tools.ietf.org/html/draft-ietf-lamps-eai-addresses-08 It called for special casing name constraints for backwards compatibility by the SmtpUTF8Name aware issuer. That draft also called for SmtpUTF8Name aware path verifiers to help "police" those name constraint. -Wei
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Viktor Dukhovni
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Viktor Dukhovni
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Wei Chuang
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Russ Housley
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Wei Chuang
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Viktor Dukhovni
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Nico Williams
- Re: [Spasm] Spasm Digest, Vol 13, Issue 21 Wei Chuang