Re: [Uta] Browser behavior in draft-ietf-uta-rfc6125bis

Peter Saint-Andre <stpeter@stpeter.im> Fri, 27 January 2023 23:06 UTC

Message-ID: <fdb95dc1-91a0-95e5-7a05-cb6f82ea9cbc@stpeter.im>
Date: Fri, 27 Jan 2023 16:06:21 -0700
To: Viktor Dukhovni <ietf-dane@dukhovni.org>, uta@ietf.org
References: <CAChr6Sx4tWCRM8OB08Py1-khQpVv3FX9E2a7JQPF8=5B+hpd1g@mail.gmail.com> <DM6PR14MB218694EA4F8AC20E23E8AD8092CF9@DM6PR14MB2186.namprd14.prod.outlook.com> <CAChr6SwpJ6HLGfQV4W93+JXTC_eYYttVTs8+UXvEqp6e_OQ+qA@mail.gmail.com> <ad05edf6-160c-5882-2089-f7f8cdd8fdc7@stpeter.im> <CAChr6SzL2no0L89=xCinw=gCm8K2gqnhb1TyFo9F8RwHRaXGgQ@mail.gmail.com> <DM6PR14MB2186B55AE9F80C5286C9229892CF9@DM6PR14MB2186.namprd14.prod.outlook.com> <CAChr6Sw=Jez9XShhLniqV+MHfoRTS5Ne6S-xpD+UXXZMxs7zzA@mail.gmail.com> <9da6faef-8d57-e1ac-828c-7c80b5185679@dukhovni.org>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <9da6faef-8d57-e1ac-828c-7c80b5185679@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/7wTnJxYlBxQUj9HNqT1squskzaU>

On 1/27/23 1:43 PM, Viktor Dukhovni wrote:

> But I don't see how this is relevant to the security of certificate 
> validation. If the application wants to authenticate "☕.example", it 
> matches the A-label form to the certificate. Perhaps it should have 
> refused to communicate with "☕.example", but that question is, I think, 
> at a different layer. If an EAI-capable MUA addresses email to 
> "☕.example" (for some domain-name-valued "example"), and traffic to 
> that domain is subject to authenticated TLS, then Postfix will 
> authenticate "xn--53h.example" (ignoring MX indirection for the moment).

Bingo.

It's unclear to me what kind of text folks want in this document, which 
is about certificate validation (with IDNs converted to A-labels) and 
not all the fun things one can do with U-labels on the web or elsewhere.

Peter
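The matching step Viktor describes above, as an added illustration that is not part of this thread: the reference identifier is converted label by label to A-label form before it is compared with the certificate's dNSName values. It uses Python's standard Punycode codec and deliberately performs no IDNA2008 permissibility check, since whether "☕.example" should be contacted at all is decided at a different layer; the sample SAN list is constructed.

```python
import codecs


def to_a_label(label: str) -> str:
    """Return one DNS label in A-label form, lowercased for comparison.

    ASCII labels pass through unchanged; any other label is Punycode-encoded
    and prefixed with "xn--". The raw Punycode codec is used on purpose: no
    IDNA2008 validity check happens here, so deciding whether a label such as
    "☕" is permissible belongs to a separate layer, not to certificate matching.
    """
    if label.isascii():
        return label.lower()
    return "xn--" + codecs.encode(label, "punycode").decode("ascii")


def reference_identifier(hostname: str) -> str:
    """Build the DNS-ID reference identifier with every label as an A-label."""
    return ".".join(to_a_label(lbl) for lbl in hostname.rstrip(".").split("."))


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented dNSName from the certificate with a reference
    identifier that may still be written with U-labels.

    Comparison is label by label and case-insensitive; "*" is honoured only
    as the entire leftmost label of the presented identifier, and it covers
    exactly one reference label.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference_identifier(reference).split(".")
    if len(p_labels) != len(r_labels):
        return False
    for i, (p, r) in enumerate(zip(p_labels, r_labels)):
        if p == "*" and i == 0:
            continue  # whole-label wildcard in the leftmost position
        if p != r:
            return False
    return True


def certificate_authenticates(san_dns_names: list[str], reference: str) -> bool:
    """True when any dNSName in the SAN list matches the reference identifier."""
    return any(dns_id_matches(name, reference) for name in san_dns_names)


# Constructed sample: a certificate whose SAN carries the A-label form.
SAMPLE_SAN = ["xn--53h.example", "*.example.net"]
```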