Re: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

"Salz, Rich" <rsalz@akamai.com> Tue, 26 July 2022 22:04 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, "uta@ietf.org" <uta@ietf.org>
Date: Tue, 26 Jul 2022 22:03:42 +0000
Message-ID: <90EC5BFC-FFF3-41E4-A0C8-885A18C75494@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/NUJBBOizg2r89nhKZYj9ex8VMSo>

I think you’re right, and that it was a mistake (caused by my ignorance of details of DNS/IDNA stuff) to not remove it.

From: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Date: Tuesday, July 26, 2022 at 5:57 PM
To: "uta@ietf.org" <uta@ietf.org>
Subject: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

Hello,
Apologies for not flagging this sooner, but I did want to raise this while a revised I-D is needed for addressing IP-IDs, so perhaps this could be addressed as well.

Section 7.2 [1] contains the following guidance:
“Allowing internationalized domain names can lead to visually similar characters, also referred to as "confusables", being included within certificates. For discussion, see for example [IDNA-DEFS] (https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#IDNA-DEFS), Section 4.4 (https://rfc-editor.org/rfc/rfc5890#section-4.4) and [UTS-39] (https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#UTS-39).”

This document obsoletes the use of CN-IDs which may contain U-Labels as a source of presented identifiers. All types of identifiers specified in the document (DNS-ID, SRV-ID, and URI-ID) will have IDNs encoded as A-labels in certificates due to the limited character repertoire of IA5String, so it is not possible to encode the U-label representation of IDNs in the SAN for these types.

Given this, I’m unsure of the value of having this consideration included, especially since the document describes an automated process of matching identifiers where the presence of “confusables” in the U-label representation of such identifiers has no bearing. Unless I’m missing something, I think this consideration should be removed.

Thanks,
Corey

[1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#section-7.2
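The following is an added illustration of the point made above, not code from the thread or from the draft: a SAN DNS-ID is an IA5String, so an IDN can only be carried as an A-label (`xn--...`), and an RFC 6125-style matcher compares A-labels, never the U-label glyphs a human sees. The hostnames are constructed sample values, and the matcher is a deliberately minimal one (exact labels, no wildcards) written for this example.

```python
"""Why "confusables" do not affect automated DNS-ID matching (added example)."""


def to_a_label_name(name: str) -> str:
    """Convert a possibly internationalized DNS name to its A-label form.

    Python's built-in 'idna' codec (IDNA2003, RFC 3490) is enough to show that
    every U-label becomes a pure-ASCII 'xn--' label.
    """
    return name.encode("idna").decode("ascii").lower()


def is_ia5string(value: str) -> bool:
    """IA5String admits only 7-bit code points, so a U-label cannot be stored
    in a SAN dNSName, SRVName or uniformResourceIdentifier at all."""
    return all(ord(ch) < 128 for ch in value)


def dns_id_matches(reference_identifier: str, presented_dns_id: str) -> bool:
    """Minimal RFC 6125-style comparison: the reference identifier (what the
    client wants to reach) is converted to A-labels and compared label by
    label, case-insensitively, with the presented DNS-ID from the certificate.
    A presented value that is not IA5String is a malformed certificate."""
    if not is_ia5string(presented_dns_id):
        raise ValueError("presented DNS-ID is not IA5String")
    ref = to_a_label_name(reference_identifier).rstrip(".").split(".")
    pres = presented_dns_id.lower().rstrip(".").split(".")
    return len(ref) == len(pres) and all(r == p for r, p in zip(ref, pres))


# Constructed sample values: a Latin-only name and a look-alike whose second
# character is Cyrillic small a (U+0430). They render almost identically.
LATIN_NAME = "paypal.example"
CONFUSABLE_NAME = "p\u0430ypal.example"


def confusable_demo() -> dict:
    """Show that the two look-alikes have distinct A-labels, so a certificate
    for one never matches a reference identifier for the other."""
    return {
        "latin_a_label": to_a_label_name(LATIN_NAME),
        "confusable_a_label": to_a_label_name(CONFUSABLE_NAME),
        "cross_match": dns_id_matches(CONFUSABLE_NAME, to_a_label_name(LATIN_NAME)),
        "self_match": dns_id_matches(CONFUSABLE_NAME, to_a_label_name(CONFUSABLE_NAME)),
    }


if __name__ == "__main__":
    print(confusable_demo())
```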