Re: [Spasm] Different EAI options for carrying IDNs
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 09 May 2017 05:32 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54E2127B52 for <spasm@ietfa.amsl.com>; Mon, 8 May 2017 22:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2R1zI7iv0Ms for <spasm@ietfa.amsl.com>; Mon, 8 May 2017 22:32:20 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250B81294E2 for <spasm@ietf.org>; Mon, 8 May 2017 22:32:20 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 336417A32F1 for <spasm@ietf.org>; Tue, 9 May 2017 05:32:19 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com>
Date: Tue, 09 May 2017 01:32:18 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: spasm@ietf.org
Message-Id: <29B90E2A-42A1-41E8-9741-3B8405AE2EBB@dukhovni.org>
References: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com>
To: spasm@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mq-PIx4dfygzmkaeoMTfnp-AWuc>
Subject: Re: [Spasm] Different EAI options for carrying IDNs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 05:32:22 -0000
> On May 7, 2017, at 6:42 PM, Wei Chuang <weihaw@google.com> wrote: > > To resolve the direction of the EAI draft, I've tried to summarize the different > options from the earlier mail threads on draft-ietf-lamps-eai-addresses-09 and > highlight particular features that might help differentiate the approaches. In > particular there might have been confusion with the earlier Option 1, so this > describes draft -09 take on it. This then tries to summarize the two very > different approaches of carrying IDNs solely as A-label (Option 2) and U-label > (Option 4). This also describes the option of providing both SAN forms > rfc822Name and SmtpUTF8Name that was brought up in the thread as well (Option 3). > I've tried CC'ing the folks who proposed these different options, in case I've missed > anything in the summary. Comments welcome, particularly about about a preferred > direction. This is clearly a difficult area to pin down without being *very* precise in one's language. Some of the alternatives described, that are attributed to me differ from what I actually attempted to propose. So whatever we ultimately agree on, it will be very important that the draft describe it clearly, in detail, with good examples, and with strategic redundancy (i.e. repetition) that it will be unlikely to be misconstrued. My preference at this point is I think roughly option 1. That is: 1. When the localpart is ASCII, store the SAN as an rfc822Name SAN with U-labels in the domain part encoded as A-labels. 1.1. The CA must make sure that the U-labels corresponding to any A-labels used are valid IDNA2008 U-labels (without application of any "mappings"). All A-labels must be lower-case ASCII. 1.2. When comparing against the reference identifier, decode the A-labels in the SAN back to U-labels (this just requires a punycode decoder, and does not require an IDN library). Likewise convert any A-labels in the From address back to U-labels. Then compare NR-LDH labels case-insensitively, but compare U-labels byte for byte. 1.3 The comparison with rc822Name constraints is case-insensitive as it has always been. 2. When the localpart is not ASCII, store the SAN as SMTPUtf8Name with U-labels replacing any A-labels in the domain part. 2.1. The CA must make sure that the U-labels are valid IDNA2008 U-labels (without application of any "mappings") 2.2. When comparing an SMTPUTF8Name SAN against the From address, decode any A-labels in the From address to U-labels. The compare the result with the SAN, comparing NR-LDH labels case insensitively, and U-labels byte for byte. 2.3 The comparison with rfc822Name constraints is done by decoding A-labels in the name constraint to U-labels and comparing with the labels in the SAN as above (case-insensitive for NR-LDH, verbatim for U-labels). Note that I am careful to avoid all U-label -> A-label conversions. Rather all conversions are from A-labels to U-labels, and trusted CAs are expected to only generate A-labels that decode to valid IDNA2008 U-labels. This avoids the whole question of IDNA2003 transitional form and all that. All that one needs is a punycode decoder. -- -- Viktor.
- [Spasm] Different EAI options for carrying IDNs Wei Chuang
- Re: [Spasm] Different EAI options for carrying ID… Russ Housley
- Re: [Spasm] Different EAI options for carrying ID… Viktor Dukhovni
- Re: [Spasm] Different EAI options for carrying ID… Dmitry Belyavsky
- Re: [Spasm] Different EAI options for carrying ID… Russ Housley