[Trans] Angle brackets in the PRIVATE option (Ticket #1)

Rick Andrews <Rick_Andrews@symantec.com> Fri, 28 March 2014 16:46 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/trans/rbIkUriKuRw2nFq1gF8H6c9F1K0
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

We see another potential issue with the proposed PRIVATE option. Rob's current proposal would have us replace a domain label with the literal string "<PRIVATE>" (without the quotes). However, we try to encode DN components as PrintableString where possible, and angle brackets are not part of the PrintableString set (the lowercase letters 'a' through 'z', uppercase letters 'A' through 'Z', the digits '0' through '9', eleven special characters ' = ( ) + , - . / : ? and space).

As a result, the type of the DN component would be PrintableString in the real cert but utf8String in the pre-certificate, and that would cause problems. I suggest using parentheses instead of angle brackets.

-Rick
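
The type mismatch described in the message above, as an added example that is not part of the original message or of any CA's code: a DN value is encoded as PrintableString where possible and as UTF8String otherwise, and the leading tag byte is compared between the real name and the redacted one. The `redact` helper, the encoder policy and the sample name are assumptions made for illustration.

```python
# Added example: which ASN.1 string type a DN value gets before and after redaction.
import string

# PrintableString alphabet as listed in the message: letters, digits,
# the eleven special characters ' = ( ) + , - . / : ? and space.
PRINTABLE = set(string.ascii_letters + string.digits + "'=()+,-./:? ")

TAG_PRINTABLE = 0x13  # universal tag 19, PrintableString
TAG_UTF8 = 0x0C       # universal tag 12, UTF8String

def der_length(n):
    """DER definite-length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_dn_value(value):
    """Assumed policy: PrintableString where possible, else UTF8String."""
    if all(ch in PRINTABLE for ch in value):
        tag, content = TAG_PRINTABLE, value.encode("ascii")
    else:
        tag, content = TAG_UTF8, value.encode("utf-8")
    return bytes([tag]) + der_length(len(content)) + content

def redact(name, marker):
    """Hypothetical helper: replace the leftmost domain label with marker."""
    _, _, rest = name.partition(".")
    return marker + "." + rest

def string_type(der):
    """Name the string type from the first (tag) byte of the encoding."""
    return {TAG_PRINTABLE: "PrintableString", TAG_UTF8: "UTF8String"}[der[0]]

def compare(name, marker):
    """Return (type in the real cert, type in the redacted pre-certificate)."""
    return (string_type(encode_dn_value(name)),
            string_type(encode_dn_value(redact(name, marker))))

if __name__ == "__main__":
    cn = "secret.example.com"  # constructed sample value
    for marker in ("<PRIVATE>", "(PRIVATE)"):
        pre = encode_dn_value(redact(cn, marker))
        print(marker, compare(cn, marker), pre.hex())
```

With angle brackets the tag byte changes between the two encodings, so the difference is in the type and not only in the redacted label; with parentheses the tag stays the same.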