IETF Logo Mail Archive

Re: [Spasm] Different EAI options for carrying IDNs

Dmitry Belyavsky <beldmit@gmail.com> Tue, 09 May 2017 07:38 UTC

Return-Path: <beldmit@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA3B6129401 for <spasm@ietfa.amsl.com>; Tue, 9 May 2017 00:38:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LaOMDRISXP4K for <spasm@ietfa.amsl.com>; Tue, 9 May 2017 00:38:05 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70FF9127180 for <spasm@ietf.org>; Tue, 9 May 2017 00:38:05 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id w10so77708116oif.0 for <spasm@ietf.org>; Tue, 09 May 2017 00:38:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=6jkQAP1l7biQr6Aoo/6fgyONLyy7f4gmzfmLDpV6gLk=; b=ae6/YEyHiOZXe9SHe0ft/MZ9X15DrFXhEu0yA6+ozy0bWiI9UrU5cPpzhF9D2xHPPQ +WylOwS/oDOEhudMEQ49xaELFK86kveaY2RYcNI0pVOFO0jeJh4o+PQTVy0xDucwTIaQ PooHITwcp68zwT7MPRy9FgClk2IF4TODQ13KkcBCvSV+DyNQyP7ZYJGzkDRVZvcNMz90 5M9Hk3KV2OGXHSzefqSzbwyWsCvWoJCnLqEpU5aOmdEgdf1+kk+9m+Butw1ThZ9oqEB6 keylaTAnc2idBb/j/UZOtCrEorUBeSyDCu4Qt+zAyO1dzvgoR+/+BFf5GvU+oKMV7Viq stwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=6jkQAP1l7biQr6Aoo/6fgyONLyy7f4gmzfmLDpV6gLk=; b=KX2aTkCQMJGZl712XYvLmE3umgPdj995MuavXOAqF9oONDyiQhpHddSidTRA09/vWQ 5+o+79yzvtjyWjwLak46ZEU7WRLjBZg/tf0TXCKvqm9ckJg/pV2Gyx7heB3jkQ81Oftd LNHVFku8Or+DRDI96bQkqGj5AOotC9S43y9Q7l4Oz+J8SWRY24EaROjGWeh6+rkbJVDs EXV3DXqp2qRL+G1u9TeDWK0MRZKfJL+41tIFniTXvbXWQRwzVySE2JAEp7xEuKH1AYs7 LoAjl+w3E1xIDH7mm8xxMX4niAYVwe999Fof0xsT75BUatem4F810Z4V8No4wmoTwrtv VabQ==
X-Gm-Message-State: AN3rC/7zDkDXDj1KgvRz464pANad54IBCZy2rh0quaDc/1phcnCO81pQ gvGCW35vw9cCDhXrmwEhlrP0vGPJfQ==
X-Received: by 10.157.33.98 with SMTP id l31mr26162648otd.245.1494315484776; Tue, 09 May 2017 00:38:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.244.22 with HTTP; Tue, 9 May 2017 00:38:04 -0700 (PDT)
In-Reply-To: <29B90E2A-42A1-41E8-9741-3B8405AE2EBB@dukhovni.org>
References: <CAAFsWK3ydxV1RzpE9=Ex7Q5ddz9HL0BWAuubs8kxOraZQ4akTQ@mail.gmail.com> <29B90E2A-42A1-41E8-9741-3B8405AE2EBB@dukhovni.org>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Tue, 09 May 2017 10:38:04 +0300
Message-ID: <CADqLbzKY7Fqmj5JO8tPksho5jCZQin5f3PK6YdgQ9==Ct5uRXQ@mail.gmail.com>
To: spasm@ietf.org
Content-Type: multipart/alternative; boundary="001a113ac6a6a72be0054f126ffc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/x3XcxME5VMpIbUqD331z_1GBQbI>
Subject: Re: [Spasm] Different EAI options for carrying IDNs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 07:38:08 -0000

Dear Victor,

On Tue, May 9, 2017 at 8:32 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On May 7, 2017, at 6:42 PM, Wei Chuang <weihaw@google.com> wrote:
> >
> > To resolve the direction of the EAI draft, I've tried to summarize the
> different
> > options from the earlier mail threads on draft-ietf-lamps-eai-addresses-09
> and
> > highlight particular features that might help differentiate the
> approaches.  In
> > particular there might have been confusion with the earlier Option 1, so
> this
> > describes draft -09 take on it.  This then tries to summarize the two
> very
> > different approaches of carrying IDNs solely as A-label (Option 2) and
> U-label
> > (Option 4).  This also describes the option of providing both SAN forms
> > rfc822Name and SmtpUTF8Name that was brought up in the thread as well
> (Option 3).
> > I've tried CC'ing the folks who proposed these different options, in
> case I've missed
> > anything in the summary.  Comments welcome, particularly about about a
> preferred
> > direction.
>
> This is clearly a difficult area to pin down without being *very* precise
> in
> one's language.  Some of the alternatives described, that are attributed to
> me differ from what I actually attempted to propose.  So whatever we
> ultimately
> agree on, it will be very important that the draft describe it clearly, in
> detail,
> with good examples, and with strategic redundancy (i.e. repetition) that
> it will
> be unlikely to be misconstrued.
>
> My preference at this point is I think roughly option 1.  That is:
>
> 1.  When the localpart is ASCII, store the SAN as an rfc822Name SAN with
>     U-labels in the domain part encoded as A-labels.
>
>     1.1.  The CA must make sure that the U-labels corresponding to any
> A-labels
>     used are valid IDNA2008 U-labels (without application of any
> "mappings").
>     All A-labels must be lower-case ASCII.
>
>     1.2.  When comparing against the reference identifier, decode the
> A-labels
>     in the SAN back to U-labels (this just requires a punycode decoder,
>     and does not require an IDN library).  Likewise convert any A-labels
>     in the From address back to U-labels.  Then compare NR-LDH labels
>     case-insensitively, but compare U-labels byte for byte.
>
>     1.3  The comparison with rc822Name constraints is case-insensitive as
>          it has always been.
>
> 2.  When the localpart is not ASCII, store the SAN as SMTPUtf8Name with
>     U-labels replacing any A-labels in the domain part.
>
>     2.1.  The CA must make sure that the U-labels are valid IDNA2008
> U-labels
>           (without application of any "mappings")
>
>     2.2.  When comparing an SMTPUTF8Name SAN against the From address,
> decode
>           any A-labels in the From address to U-labels.  The compare the
> result
>           with the SAN, comparing NR-LDH labels case insensitively, and
> U-labels
>           byte for byte.
>
>     2.3   The comparison with rfc822Name constraints is done by decoding
> A-labels
>           in the name constraint to U-labels and comparing with the labels
> in the
>           SAN as above (case-insensitive for NR-LDH, verbatim for
> U-labels).
>
> Note that I am careful to avoid all U-label -> A-label conversions.
> Rather all
> conversions are from A-labels to U-labels, and trusted CAs are expected to
> only
> generate A-labels that decode to valid IDNA2008 U-labels.  This avoids the
> whole
> question of IDNA2003 transitional form and all that.  All that one needs
> is a
> punycode decoder.
>

Are you ready to link openssl with punycode decoder or implement the
necessary functions in it?

Doesn't the Option 2 fit better? In that case the punycode decoder is
linked with applications
where we need it for visualization purpose, not with the library itself.

Thank you!

-- 
SY, Dmitry Belyavsky

v2.23.0 | Report a Bug | By Email