Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
Peter Saint-Andre <stpeter@stpeter.im> Mon, 27 June 2022 22:31 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C185C13CDB1 for <uta@ietfa.amsl.com>; Mon, 27 Jun 2022 15:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.003
X-Spam-Level:
X-Spam-Status: No, score=-4.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=l2ZS3qs5; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=qPZi1PtK
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DGk2A1Vw9pHV for <uta@ietfa.amsl.com>; Mon, 27 Jun 2022 15:31:28 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 195C9C13CD97 for <uta@ietf.org>; Mon, 27 Jun 2022 15:31:28 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 58D475C0112; Mon, 27 Jun 2022 18:31:27 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Mon, 27 Jun 2022 18:31:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1656369087; x= 1656455487; bh=lJJSpUgT9JkN2Qp7JRrJPPMCNGQFC+m/vCyhkuunst4=; b=l 2ZS3qs5UvmTfNZKwK8L5TDN8GqgKafdrpzQuqMF/+X6K72j/ES0da17/DgXFofON 6c+v6vvcTolfcA7iSTCqa1qAWE1b4IDpyoON17C9W0CEQ8eeJtBrmPxn8fFTO0IT zPQewy3ekYTpEGuzlc+ooRABm2qu4bijh25tVWvRdmLBTjEAWr9hxoBMZHCLVXrK mQaFy/EtVRwM8s/NZm3MM0ZRx3jMD2Boynjpgo8lDxKs1YFWdfZJUI84ioJ95kjL gJGUHsXA5tZFFSrSa/IHkA6ItKAoOLCOpA1iLpUOQP2DLUf6DzER+/5WaiuW9YER RPaguiSX6irSZu+6MhlZw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:feedback-id:feedback-id:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; t=1656369087; x=1656455487; bh=l JJSpUgT9JkN2Qp7JRrJPPMCNGQFC+m/vCyhkuunst4=; b=qPZi1PtKAmE9GXYXq M2fJ3BTh5euOKPsloyZLpLsYCnwg3llGOLBiUvSWaR0FvjWAX4FJ2crZBEfbRQB0 ysNbrj9kj+IIp1wGQpu909D31DnJnDoMpAmKe8v9aqOpV3MLHSzR3+X/9raGlQom jedWotVwoh/hBw6kEyTwnmfCLClfpl9+2qOBXd4oOlv3YX+snzBThJGHtC4ZoI4o tFSE+EE0kZINV4v9CUrNnYL8GnyRX9p4Mj5poE43qPGo4FM41T6HYHmEvZITUVEF HULga5rrJxlVGphsYzm1rBIqo5L8bh7BfLG+D6uyyw1cJreVR+2zr6v+62dLOlg+ 4pLkQ==
X-ME-Sender: <xms:vy-6Yp4AQPDQtoBxXNC1kOAzU4c3jgqxqrmzXh--_3L6czjEYV9Glg> <xme:vy-6Ym5TbKkIFfWjtrgqVNlELAC7LIHD-bK9L9eeQ_W2o5hXSi6iLnB_560QOyVyA kooZhboIubPGodT4Q>
X-ME-Received: <xmr:vy-6Ygey3LqWPKgOLlyjStFGhGEsqXHjwrygMzbiFbN876Xa_NpU1Bns_XZn>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudegiedgudduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtje ertddtfeejnecuhfhrohhmpefrvghtvghrucfurghinhhtqdetnhgurhgvuceoshhtphgv thgvrhesshhtphgvthgvrhdrihhmqeenucggtffrrghtthgvrhhnpedvvedtueffieevle eggeeuheeiieeuvdeftdeutdduvdeiheegheekhedutdehueenucffohhmrghinhepihgv thhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homhepshhtphgvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:vy-6YiKDQU39CjbapHsMHrsD3PzRHLJ_uV7PDhcTHLS_no0NntOgRw> <xmx:vy-6YtIlUVxuTSX8ZbcNzGJEw9npTOGhq9_6WuZkLkckl365vKv3AQ> <xmx:vy-6YrxiBrE0DGW4F-u5tgw38g5Ww63jnFZCp4tommqoL_5U1EE-EQ> <xmx:vy-6YrgQJdO7VIfzJVgHVF4S0EaX4Y60S_ZECojwdlxJjJjc3ej7Dw>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 27 Jun 2022 18:31:26 -0400 (EDT)
Message-ID: <3d050f75-d4bf-dc52-0c2f-db488b2604e7@stpeter.im>
Date: Mon, 27 Jun 2022 16:31:25 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: uta@ietf.org, Viktor Dukhovni <ietf-dane@dukhovni.org>
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <ae5b3a02-bcc3-2106-a39a-b67aae55d85c@stpeter.im> <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im> <BE6D8552-2723-4B64-9909-22C0BC32AC75@gmail.com> <8cf3b08d-478c-4cc5-be19-46cc1cc90271@stpeter.im> <YroARsHlIeR97z52@straasha.imrryr.org> <45cf71a8-c890-695a-5469-a7d545143571@stpeter.im> <YrorpEyiXIWDinNz@straasha.imrryr.org>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <YrorpEyiXIWDinNz@straasha.imrryr.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/O5YETLmLTnR6Wx1VRcthmJo6LG8>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 22:31:32 -0000
On 6/27/22 4:13 PM, Viktor Dukhovni wrote: > On Mon, Jun 27, 2022 at 02:43:43PM -0600, Peter Saint-Andre wrote: > >> On 6/27/22 1:08 PM, Viktor Dukhovni wrote: >>> On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote: >>> >>>>> Yep, we can punt the definition but then we need to address all the special cases. >>>> >>>> I would prefer to bring back the reference to RFC 1034. >>> >>> A DNS FQDN is sequence of dot-separated labels each of whose wire forms >>> is at most 63 octets, and where the total wire length including the >>> final zero length byte (terminating empty root label) is at most 255 >>> bytes. Due to potential characters that need escaping, the presentation >>> form of such a name can contain labels whose length exceeds 63 bytes, >>> and whole name can exceed 255 bytes. >>> >>> It is not clear to me that DNS names in certificates are a priori >>> constrained by the host requirements RFC which constrains hostnames to >>> LDH label forms, although perhaps the scope of RFC6125bis is exclusively >>> for certificates that identify end-entities that meet the host >>> requirements RFC. >> >> I'm not necessarily saying that - I'm saying only that Jeff and I tried >> to find a canonical definition of "fully-qualified domain name" and the >> best we could do was RFC 1034. Alternative proposals are welcome. > > There are only two possible answers: > > - All DNS names are valid, so long as they have a wire form that > meets the requirements of RFC 1034. > > - Only names that comply with section 2.1 of the Host Requirements RFC: > > https://datatracker.ietf.org/doc/html/rfc1123#page-13 > > are valid. These are LDH forms, whose labels therefore require no > special processing in presentation form, and so the limits are at > most 63 octets per label, and at most 254 bytes total (allowing for > an extra byte for the final 0 length wire-form label). > > In LDH form the hyphens must not be the first or last character of > any label. Names starting with "xx--" for various values of "xx" > are special reserved forms with (IIRC) "xn" being the only presently > defined prefix, but I don't think that it is appropriate for the > present document to delve into this level of detail. > > The host requirements RFC further recomments staying under 63 bytes, > and though this is somewhat dated, it is nevertheless prudent if > possible. RFC 6125 (and now 6125bis) are not documents about the definition or enforcement of DNS naming rules, only about client-side matching of service identifiers presented in X.509 certificates against the client's conception of what the service ought to be (i.e., against a reference identifier). I see no reason to expand the scope of 6125bis in the direction you might be proposing. Thus I would favor the first option above. Peter
- [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Alexey Melnikov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 tom petch
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre