IETF Logo Mail Archive

Re: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

Peter Saint-Andre <stpeter@stpeter.im> Tue, 26 July 2022 22:22 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B56AEC183565 for <uta@ietfa.amsl.com>; Tue, 26 Jul 2022 15:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.811
X-Spam-Level:
X-Spam-Status: No, score=-2.811 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=B1iUVKbu; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=GRIK99au
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6k_16BkN_Zy for <uta@ietfa.amsl.com>; Tue, 26 Jul 2022 15:22:22 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD17BC1C6CE5 for <uta@ietf.org>; Tue, 26 Jul 2022 15:22:07 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 2B83B32002F9; Tue, 26 Jul 2022 18:22:04 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Tue, 26 Jul 2022 18:22:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1658874123; x= 1658960523; bh=9ramZ8tHhhd1ykNQ/1yVKhotIZZh0ANBHXBcGi7GU14=; b=B 1iUVKbujBiugpl/7JjvD7VwhEWkD0rgSvMmNMMf1uCHQBO6H5dFHymo8tm0tVw3c ygabro2fcGQZr7GBAZuHMqTB9Hg/IuE3Sdhe81rBgtTXmHyQ8qz/AXQ7wV3Bg13y MjehqWWEnIr6IolCn9+r+va7F3mhjtJePEj65yUBxDWd9QxrIPNapYm8nJBliTK8 cA9HZqDayO3wYOhFBHRLiCsY0+mQyGv7mcknrem/ShvRWemUNcHKBs9iG8Ss9eRC Rs5AGIHsoXdyzpbBlxpRpOQjglggiKfpqIIS8JPP4taspRqHCU6f0+HdBiMwys7M qM2I/kvNA4X8IWw0+t3Zw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:feedback-id:feedback-id:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; t=1658874123; x=1658960523; bh=9 ramZ8tHhhd1ykNQ/1yVKhotIZZh0ANBHXBcGi7GU14=; b=GRIK99auTr7o7Tknr YEPQYiIenH+TeweL8KFfKr71wzutVtwJ02j7SdRLJXgOHKdCmcMcm7cx0Jz6KwCH Kzk8Q4wlAhF/mr37ThPwy844Vd0b9XotKL1z6uWhnXuPyDfafwCGRQMU35Vy6P5T QpLQMUhC6wTdgFLXsb66EFoxYhN+BFdQ0YnQ0AbwWwEOXpyEViEURqpQa96L7Tnt TcOAe7EG/r8UrLAEadBX1t5ASUtqkthNLiR2muNSfjJiDBImxyafRfIPA1EIamI1 q07m9/0Ut/TNxWOAn/0sUjS/aQJR0f5/z/6W2l2bwoS7iK3xJPXBvzskiQkEXRzf aqiVA==
X-ME-Sender: <xms:C2ngYuQmuT_HjZz4gN9KrFgncoxHs99Hfj-foPWdeKat-Txeb1QKsQ> <xme:C2ngYjyD7FRElgATS5gm4aR9LW5dKNv4g9azMyWAwyu1TRkgp8SQRSOVj8f_c-Xeg CDc8fvwsOepIHVvVw>
X-ME-Received: <xmr:C2ngYr0gTKHwEEpaM9qodKqv3AWmM7T10SKbwqeofFol-LarWyL-pknnEju_YYhN>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrvdduuddguddtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtke ertddtfeejnecuhfhrohhmpefrvghtvghrucfurghinhhtqdetnhgurhgvuceoshhtphgv thgvrhesshhtphgvthgvrhdrihhmqeenucggtffrrghtthgvrhhnpeegtdegheeftdethf ejgedthffhiefhjeevgfekheejfeejhfeujedvhfdvjeekheenucffohhmrghinhepihgv thhfrdhorhhgpdhrfhgtqdgvughithhorhdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehsthhpvghtvghrrdhi mh
X-ME-Proxy: <xmx:C2ngYqAq82tuejlTBXtuROUjsBPEp5KnW-DZQsJ8_kkOyu1tXXC-8Q> <xmx:C2ngYniqmLbKkvGv7Xsl747qpShDS_7Zz8Cq4iPdqpGyf4JLzQVs4g> <xmx:C2ngYmoBr58cRB1yyCa77AkiFO5mpxs2OMf4MGRRIsba9sDZbaIYeQ> <xmx:C2ngYquOsUPGyKUia_01EvdrmxrCBBlGiU4RDJgX2-y4Dvi2QXZB6w>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 26 Jul 2022 18:22:02 -0400 (EDT)
Message-ID: <01f1aeeb-1ce2-b17a-cb7e-3b6901e6f686@stpeter.im>
Date: Tue, 26 Jul 2022 16:22:02 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, "uta@ietf.org" <uta@ietf.org>
References: <90EC5BFC-FFF3-41E4-A0C8-885A18C75494@akamai.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <90EC5BFC-FFF3-41E4-A0C8-885A18C75494@akamai.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/Bjt84m2z9w9TgxvS_gSmPSgzci8>
Subject: Re: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 22:22:27 -0000

Yes, this looks right.

On 7/26/22 4:03 PM, Salz, Rich wrote:
> I think you’re right, and that it was a mistake (caused by my ignorance 
> of details of DNS/IDNA stuff) to not remove it.
> 
> *From: *Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
> *Date: *Tuesday, July 26, 2022 at 5:57 PM
> *To: *"uta@ietf.org" <uta@ietf.org>
> *Subject: *[Uta] Security consideration for IDNs in 
> draft-ietf-uta-rfc6125bis
> 
> Hello,
> 
> Apologies for not flagging this sooner, but I did want to raise this 
> while a revised I-D is needed for addressing IP-IDs so perhaps this 
> could be addressed as well.
> 
> Section 7.2 [1] contains the following guidance:
> 
> “Allowing internationalized domain names can lead to visually similar 
> characters, also referred to as "confusables", being included within 
> certificates. For discussion, see for example [IDNA-DEFS 
> <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#IDNA-DEFS>], 
> Section 4.4 <https://rfc-editor.org/rfc/rfc5890#section-4.4> and [UTS-39 
> <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#UTS-39>].”
> 
> This document obsoletes the use of CN-IDs which may contain U-Labels as 
> a source of presented identifiers. All types of identifiers specified in 
> the document (DNS-ID, SRV-ID, and URI-ID) will have IDNs encoded as 
> A-labels in certificates due to the limited character repertoire of 
> IA5String, so it is not possible to encode the U-label representation of 
> IDNs in the SAN for these types.
> 
> Given this, I’m unsure of the value of having this consideration 
> included, especially since the document describes an automated process 
> of matching identifiers where the presence of “confusables” in the 
> U-label representation of such identifiers has no bearing. Unless I’m 
> missing something, I think this consideration should be removed.
> 
> Thanks,
> 
> Corey
> 
> [1] 
> https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#section-7.2 
> <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#section-7.2>
> 
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email