IETF Logo Mail Archive

Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06

Peter Saint-Andre <stpeter@stpeter.im> Mon, 27 June 2022 22:31 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C185C13CDB1 for <uta@ietfa.amsl.com>; Mon, 27 Jun 2022 15:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.003
X-Spam-Level:
X-Spam-Status: No, score=-4.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=l2ZS3qs5; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=qPZi1PtK
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DGk2A1Vw9pHV for <uta@ietfa.amsl.com>; Mon, 27 Jun 2022 15:31:28 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 195C9C13CD97 for <uta@ietf.org>; Mon, 27 Jun 2022 15:31:28 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 58D475C0112; Mon, 27 Jun 2022 18:31:27 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Mon, 27 Jun 2022 18:31:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1656369087; x= 1656455487; bh=lJJSpUgT9JkN2Qp7JRrJPPMCNGQFC+m/vCyhkuunst4=; b=l 2ZS3qs5UvmTfNZKwK8L5TDN8GqgKafdrpzQuqMF/+X6K72j/ES0da17/DgXFofON 6c+v6vvcTolfcA7iSTCqa1qAWE1b4IDpyoON17C9W0CEQ8eeJtBrmPxn8fFTO0IT zPQewy3ekYTpEGuzlc+ooRABm2qu4bijh25tVWvRdmLBTjEAWr9hxoBMZHCLVXrK mQaFy/EtVRwM8s/NZm3MM0ZRx3jMD2Boynjpgo8lDxKs1YFWdfZJUI84ioJ95kjL gJGUHsXA5tZFFSrSa/IHkA6ItKAoOLCOpA1iLpUOQP2DLUf6DzER+/5WaiuW9YER RPaguiSX6irSZu+6MhlZw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:feedback-id:feedback-id:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; t=1656369087; x=1656455487; bh=l JJSpUgT9JkN2Qp7JRrJPPMCNGQFC+m/vCyhkuunst4=; b=qPZi1PtKAmE9GXYXq M2fJ3BTh5euOKPsloyZLpLsYCnwg3llGOLBiUvSWaR0FvjWAX4FJ2crZBEfbRQB0 ysNbrj9kj+IIp1wGQpu909D31DnJnDoMpAmKe8v9aqOpV3MLHSzR3+X/9raGlQom jedWotVwoh/hBw6kEyTwnmfCLClfpl9+2qOBXd4oOlv3YX+snzBThJGHtC4ZoI4o tFSE+EE0kZINV4v9CUrNnYL8GnyRX9p4Mj5poE43qPGo4FM41T6HYHmEvZITUVEF HULga5rrJxlVGphsYzm1rBIqo5L8bh7BfLG+D6uyyw1cJreVR+2zr6v+62dLOlg+ 4pLkQ==
X-ME-Sender: <xms:vy-6Yp4AQPDQtoBxXNC1kOAzU4c3jgqxqrmzXh--_3L6czjEYV9Glg> <xme:vy-6Ym5TbKkIFfWjtrgqVNlELAC7LIHD-bK9L9eeQ_W2o5hXSi6iLnB_560QOyVyA kooZhboIubPGodT4Q>
X-ME-Received: <xmr:vy-6Ygey3LqWPKgOLlyjStFGhGEsqXHjwrygMzbiFbN876Xa_NpU1Bns_XZn>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudegiedgudduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtje ertddtfeejnecuhfhrohhmpefrvghtvghrucfurghinhhtqdetnhgurhgvuceoshhtphgv thgvrhesshhtphgvthgvrhdrihhmqeenucggtffrrghtthgvrhhnpedvvedtueffieevle eggeeuheeiieeuvdeftdeutdduvdeiheegheekhedutdehueenucffohhmrghinhepihgv thhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homhepshhtphgvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:vy-6YiKDQU39CjbapHsMHrsD3PzRHLJ_uV7PDhcTHLS_no0NntOgRw> <xmx:vy-6YtIlUVxuTSX8ZbcNzGJEw9npTOGhq9_6WuZkLkckl365vKv3AQ> <xmx:vy-6YrxiBrE0DGW4F-u5tgw38g5Ww63jnFZCp4tommqoL_5U1EE-EQ> <xmx:vy-6YrgQJdO7VIfzJVgHVF4S0EaX4Y60S_ZECojwdlxJjJjc3ej7Dw>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 27 Jun 2022 18:31:26 -0400 (EDT)
Message-ID: <3d050f75-d4bf-dc52-0c2f-db488b2604e7@stpeter.im>
Date: Mon, 27 Jun 2022 16:31:25 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: uta@ietf.org, Viktor Dukhovni <ietf-dane@dukhovni.org>
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <ae5b3a02-bcc3-2106-a39a-b67aae55d85c@stpeter.im> <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im> <BE6D8552-2723-4B64-9909-22C0BC32AC75@gmail.com> <8cf3b08d-478c-4cc5-be19-46cc1cc90271@stpeter.im> <YroARsHlIeR97z52@straasha.imrryr.org> <45cf71a8-c890-695a-5469-a7d545143571@stpeter.im> <YrorpEyiXIWDinNz@straasha.imrryr.org>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <YrorpEyiXIWDinNz@straasha.imrryr.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/O5YETLmLTnR6Wx1VRcthmJo6LG8>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 22:31:32 -0000

On 6/27/22 4:13 PM, Viktor Dukhovni wrote:
> On Mon, Jun 27, 2022 at 02:43:43PM -0600, Peter Saint-Andre wrote:
> 
>> On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
>>> On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
>>>
>>>>> Yep, we can punt the definition but then we need to address all the special cases.
>>>>
>>>> I would prefer to bring back the reference to RFC 1034.
>>>
>>> A DNS FQDN is sequence of dot-separated labels each of whose wire forms
>>> is at most 63 octets, and where the total wire length including the
>>> final zero length byte (terminating empty root label) is at most 255
>>> bytes.  Due to potential characters that need escaping, the presentation
>>> form of such a name can contain labels whose length exceeds 63 bytes,
>>> and whole name can exceed 255 bytes.
>>>
>>> It is not clear to me that DNS names in certificates are a priori
>>> constrained by the host requirements RFC which constrains hostnames to
>>> LDH label forms, although perhaps the scope of RFC6125bis is exclusively
>>> for certificates that identify end-entities that meet the host
>>> requirements RFC.
>>
>> I'm not necessarily saying that - I'm saying only that Jeff and I tried
>> to find a canonical definition of "fully-qualified domain name" and the
>> best we could do was RFC 1034. Alternative proposals are welcome.
> 
> There are only two possible answers:
> 
>    - All DNS names are valid, so long as they have a wire form that
>      meets the requirements of RFC 1034.
> 
>    - Only names that comply with section 2.1 of the Host Requirements RFC:
> 
>          https://datatracker.ietf.org/doc/html/rfc1123#page-13
> 
>      are valid.  These are LDH forms, whose labels therefore require no
>      special processing in presentation form, and so the limits are at
>      most 63 octets per label, and at most 254 bytes total (allowing for
>      an extra byte for the final 0 length wire-form label).
> 
>      In LDH form the hyphens must not be the first or last character of
>      any label.  Names starting with "xx--" for various values of "xx"
>      are special reserved forms with (IIRC) "xn" being the only presently
>      defined prefix, but I don't think that it is appropriate for the
>      present document to delve into this level of detail.
> 
>      The host requirements RFC further recomments staying under 63 bytes,
>      and though this is somewhat dated, it is nevertheless prudent if
>      possible.

RFC 6125 (and now 6125bis) are not documents about the definition or 
enforcement of DNS naming rules, only about client-side matching of 
service identifiers presented in X.509 certificates against the client's 
conception of what the service ought to be (i.e., against a reference 
identifier). I see no reason to expand the scope of 6125bis in the 
direction you might be proposing. Thus I would favor the first option above.

Peter

v2.23.0 | Report a Bug | By Email