[Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

Corey Bonnell <Corey.Bonnell@digicert.com> Tue, 26 July 2022 21:57 UTC

From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: "uta@ietf.org" <uta@ietf.org>
Thread-Topic: Security consideration for IDNs in draft-ietf-uta-rfc6125bis
Thread-Index: AdihN8iqKQXu4f0ASoWi9mdjZx6cRA==
Date: Tue, 26 Jul 2022 21:56:40 +0000
Message-ID: <DM6PR14MB21864151419B811F61507A4F92949@DM6PR14MB2186.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/6xNT9jYL32a4nG5YDzqVToV6XXs>
Subject: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

Hello,

Apologies for not flagging this sooner, but I did want to raise this while a
revised I-D is needed for addressing IP-IDs, so perhaps this could be
addressed as well.

Section 7.2 [1] contains the following guidance:

"Allowing internationalized domain names can lead to visually similar
characters, also referred to as "confusables", being included within
certificates. For discussion, see for example [IDNA-DEFS
<https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#IDNA-DEFS>],
Section 4.4 <https://rfc-editor.org/rfc/rfc5890#section-4.4> and [UTS-39
<https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#UTS-39>]."

This document obsoletes the use of CN-IDs which may contain U-Labels as a
source of presented identifiers. All types of identifiers specified in the
document (DNS-ID, SRV-ID, and URI-ID) will have IDNs encoded as A-labels in
certificates due to the limited character repertoire of IA5String, so it is
not possible to encode the U-label representation of IDNs in the SAN for
these types.

Given this, I'm unsure of the value of having this consideration included,
especially since the document describes an automated process of matching
identifiers where the presence of "confusables" in the U-label
representation of such identifiers has no bearing. Unless I'm missing
something, I think this consideration should be removed.

Thanks,

Corey

[1]
https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#section-7.2
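The point of the message above, illustrated as an added example that is not part of Corey's mail or of the draft: a dNSName SAN is an IA5String, so an IDN can only be stored as an A-label, and an RFC 6125-style matcher compares A-labels, where a confusable character in the U-label form simply yields a different A-label and fails to match. The matching routine is a simplified sketch of the draft's procedure (not its text), it relies on the stdlib IDNA codec (IDNA2003), and every hostname is constructed.

```python
# Added example (not from the message or the draft): RFC 6125-style DNS-ID
# matching operates on A-labels, the only form an IA5String dNSName can hold,
# so confusable characters in a U-label never take part in the comparison.
# Uses the stdlib IDNA codec (IDNA2003); every hostname below is constructed.

def ia5string_encodable(value: str) -> bool:
    """IA5String carries only the 7-bit repertoire; a U-label does not fit."""
    return all(ord(ch) < 128 for ch in value)

def to_a_label_form(name: str) -> str:
    """Convert a hostname that may contain U-labels into the ASCII A-label
    form (xn--...) that a dNSName SAN can actually store."""
    return name.rstrip(".").encode("idna").decode("ascii").lower()

def dns_id_matches(reference: str, presented: str) -> bool:
    """Match a reference identifier (what the client expects) against a
    presented DNS-ID taken from a certificate.  Both are reduced to A-labels
    and compared label by label; a wildcard is honoured only when it is the
    entire left-most label and at least two further labels follow it."""
    try:
        ref = to_a_label_form(reference).split(".")
        pres = to_a_label_form(presented).split(".")
    except UnicodeError:          # empty/over-long label or invalid IDNA input
        return False
    if len(ref) != len(pres) or len(ref) < 2:
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres

def confusable_report(candidate: str, target: str) -> dict:
    """Defender-side view: a visually similar U-label becomes a distinct
    A-label, so it cannot satisfy a match against the target's DNS-ID."""
    return {
        "candidate_a_label": to_a_label_form(candidate),
        "target_a_label": to_a_label_form(target),
        "matches_target": dns_id_matches(target, candidate),
    }

if __name__ == "__main__":
    # Constructed hostnames: a real IDN and a Cyrillic-e look-alike of example.test
    print(ia5string_encodable("bücher.example"))      # False: cannot go in a SAN
    print(to_a_label_form("bücher.example"))          # xn--bcher-kva.example
    print(dns_id_matches("bücher.example", "xn--bcher-kva.example"))  # True
    print(confusable_report("\u0435xample.test", "example.test"))
```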