IETF Logo Mail Archive

Re: [Spasm] Different EAI options for carrying IDNs

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 09 May 2017 05:32 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54E2127B52 for <spasm@ietfa.amsl.com>; Mon, 8 May 2017 22:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2R1zI7iv0Ms for <spasm@ietfa.amsl.com>; Mon, 8 May 2017 22:32:20 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250B81294E2 for <spasm@ietf.org>; Mon, 8 May 2017 22:32:20 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 336417A32F1 for <spasm@ietf.org>; Tue, 9 May 2017 05:32:19 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com>
Date: Tue, 09 May 2017 01:32:18 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: spasm@ietf.org
Message-Id: <29B90E2A-42A1-41E8-9741-3B8405AE2EBB@dukhovni.org>
References: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com>
To: spasm@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mq-PIx4dfygzmkaeoMTfnp-AWuc>
Subject: Re: [Spasm] Different EAI options for carrying IDNs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 05:32:22 -0000

> On May 7, 2017, at 6:42 PM, Wei Chuang <weihaw@google.com> wrote:
> 
> To resolve the direction of the EAI draft, I've tried to summarize the different
> options from the earlier mail threads on draft-ietf-lamps-eai-addresses-09 and
> highlight particular features that might help differentiate the approaches.  In
> particular there might have been confusion with the earlier Option 1, so this
> describes draft -09 take on it.  This then tries to summarize the two very
> different approaches of carrying IDNs solely as A-label (Option 2) and U-label
> (Option 4).  This also describes the option of providing both SAN forms
> rfc822Name and SmtpUTF8Name that was brought up in the thread as well (Option 3). 
> I've tried CC'ing the folks who proposed these different options, in case I've missed
> anything in the summary.  Comments welcome, particularly about about a preferred
> direction.

This is clearly a difficult area to pin down without being *very* precise in
one's language.  Some of the alternatives described, that are attributed to
me differ from what I actually attempted to propose.  So whatever we ultimately
agree on, it will be very important that the draft describe it clearly, in detail,
with good examples, and with strategic redundancy (i.e. repetition) that it will
be unlikely to be misconstrued.

My preference at this point is I think roughly option 1.  That is:

1.  When the localpart is ASCII, store the SAN as an rfc822Name SAN with
    U-labels in the domain part encoded as A-labels.

    1.1.  The CA must make sure that the U-labels corresponding to any A-labels
    used are valid IDNA2008 U-labels (without application of any "mappings").
    All A-labels must be lower-case ASCII.

    1.2.  When comparing against the reference identifier, decode the A-labels
    in the SAN back to U-labels (this just requires a punycode decoder,
    and does not require an IDN library).  Likewise convert any A-labels
    in the From address back to U-labels.  Then compare NR-LDH labels
    case-insensitively, but compare U-labels byte for byte.

    1.3  The comparison with rc822Name constraints is case-insensitive as
         it has always been.

2.  When the localpart is not ASCII, store the SAN as SMTPUtf8Name with
    U-labels replacing any A-labels in the domain part.

    2.1.  The CA must make sure that the U-labels are valid IDNA2008 U-labels
          (without application of any "mappings")

    2.2.  When comparing an SMTPUTF8Name SAN against the From address, decode
          any A-labels in the From address to U-labels.  The compare the result
          with the SAN, comparing NR-LDH labels case insensitively, and U-labels
          byte for byte.

    2.3   The comparison with rfc822Name constraints is done by decoding A-labels
          in the name constraint to U-labels and comparing with the labels in the
          SAN as above (case-insensitive for NR-LDH, verbatim for U-labels).

Note that I am careful to avoid all U-label -> A-label conversions.  Rather all
conversions are from A-labels to U-labels, and trusted CAs are expected to only
generate A-labels that decode to valid IDNA2008 U-labels.  This avoids the whole
question of IDNA2003 transitional form and all that.  All that one needs is a
punycode decoder.

-- 
-- 
	Viktor.

v2.23.0 | Report a Bug | By Email