IETF Logo Mail Archive

Re: [Uta] UTS-46 / WHATWG

Watson Ladd <watsonbladd@gmail.com> Mon, 30 January 2023 19:17 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80A74C16B5C1; Mon, 30 Jan 2023 11:17:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7uNRed5Cg2PF; Mon, 30 Jan 2023 11:17:21 -0800 (PST)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5054C151553; Mon, 30 Jan 2023 11:17:21 -0800 (PST)
Received: by mail-oi1-x22a.google.com with SMTP id dt8so7856615oib.0; Mon, 30 Jan 2023 11:17:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Q2Exx5sKu4gkGRFHSxsmYwdCmAErv1BUFoXvtBZWsbo=; b=hU0HNZlvLJvEMoYs0JA97vzRhZFWgt6iD/GlEWJwhabhSfWSFeUnQwsL11KWXtMGXs s/YlZT815nko3UUgg8CEEeWjLfit8hyJsj4Lxeu9xEpsW6p6aR0/SmbiAkCgrUckuf3z amQHBeDB97dmHMZBCljS+U/uxVl65eCXvK8+7aU5kJAZx8XqPELrj8sPkvl606TC8ULq 1UsQiyZJKmyfgWw7j5fotFmke5ZjdselT5vm/XVGkmsAhjbXPVcA+YIKLmNQJyIhaRD/ xvdde9vEWT37Ig0qKNwBhk64iXtNqV5/AtN88Gmd7cgSRYUBzGZPdhjV4tEMsxU9FZr6 Nr6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Q2Exx5sKu4gkGRFHSxsmYwdCmAErv1BUFoXvtBZWsbo=; b=m5KkhzbwG9Q5kv5eLCCfk3ONHdM7qcaAcjOC0yTCgMfBCI0v5IWJnJFAYqAjFa9kS5 bvvb1abFPmJud/YCByRvXdGKFn4t/Iw7pAMaPc76ca3utaCwUJoTV0RCLOxlgBY/47jn 2vNc24yM6sGIcVeibPqpw9TU8M4N3WgEVvn3HqHVoVmfh/G2Tktr5MBY4oR6AjFbTwkQ BW+sg6JOlK5e31N3GdB6Vprg+PHa/zDsY4Up/F/b2tUnAi99LFcijy8iZPNx32A5PojB b2yrsOdH2lOosl4xI4etf0MTbkc5aIbew6nd8ODoMGoFp/ceqSOz/GBLrBEU1lqiBiJ4 h0pw==
X-Gm-Message-State: AFqh2kq3saSp9lzvwPKeQoBUT+YRTM66TSc2pLLbE+L8dsXkU1fb52xj 8Hh5BesXxyxm4Ohu3fjopplo8PnhOWC4xOxv07Q=
X-Google-Smtp-Source: AMrXdXue4sKDn5ldXxkfiKtCEYEeAKHkam5RVsb+ToEOtqGF8Wtp8CC0PiJNDQYzx5NmqTi3RPYXPlRDM3gLWrs8NuY=
X-Received: by 2002:aca:b40a:0:b0:35e:166c:193b with SMTP id d10-20020acab40a000000b0035e166c193bmr3701829oif.84.1675106241006; Mon, 30 Jan 2023 11:17:21 -0800 (PST)
MIME-Version: 1.0
References: <CAChr6Sxk70HaZbuGykdLHBXr50kVhu3Aw8as5zkHUZjtNzRSfQ@mail.gmail.com> <c3388f3c-ddf4-994d-2724-5116b160297e@stpeter.im> <CAChr6SwQKNrDG-Pehn_-qB+QH7A6aj0R_9Ss_fofQJcyTfXZ=g@mail.gmail.com> <931D4D2C72BA35802715512C@PSB> <CAChr6SxPKvBfzRcaR5J4_xwee7dtJa8iws5GP99OSd-P6trnEg@mail.gmail.com> <6bbb9b8d-21b7-808d-773a-4b54932217a4@lear.ch> <CAChr6Sz7ShmU0c=Q_az_Cde4xRK8EnTL1dON8Jpd5x_1ryzCVw@mail.gmail.com> <Y9bHXiTanQ5fnEAh@straasha.imrryr.org> <FDA2D2DE-D24B-4CA3-AD44-B4C68B6931CF@akamai.com> <9d2ee1ba-2b04-8dd2-1015-391c20708f46@stpeter.im> <006501d934b4$3bad6fc0$b3084f40$@gmail.com> <CAChr6SxdUmShJpO+dHipgHeMZZQvpGdWLn6bvXDPXqjUBMXe3g@mail.gmail.com>
In-Reply-To: <CAChr6SxdUmShJpO+dHipgHeMZZQvpGdWLn6bvXDPXqjUBMXe3g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 30 Jan 2023 11:17:09 -0800
Message-ID: <CACsn0cnJuEqmg3M8ovMnKEvtSBPVxiSOPKLcJh5RiB+SOjNDJw@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, uta@ietf.org, Peter Saint-Andre <stpeter@stpeter.im>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, uta-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QNbB7F6JF9DQqsB_z0w6MZbk4-w>
Subject: Re: [Uta] UTS-46 / WHATWG
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 19:17:26 -0000

On Mon, Jan 30, 2023 at 10:49 AM Rob Sayre <sayrer@gmail.com> wrote:
>
> Hi,
>
> That is a reasonable thing to ask for, and I will supply edits below. They might sound like me rather than the authors, so I wouldn't mind if they write something substantially similar in their own voice.
>
> I also understand the point of view that says "Really all this draft says is 'compare A labels.'" But this is incompatible with strenuous objections to changes to IDNA text in the document, so I don't understand this behavior. When I read the document, I thought "that's not how it really works, and I sure wish I didn't have to read the WHATWG document to get the truth, because it's really long". In fact, this very mailing list even runs on UTS-46. See https://mailarchive.ietf.org/arch/msg/uta/KbtvWrG5vdW6iq0scwWpBc1xeM8/
>
> In Section 2, the current text is incorrect, because UTS-46 domains sometimes don't conform to these validity checks. So, the document is inconsistent in making this claim. Citing UTS-46 here would be correct, since that would also cover IDNA2008, but it doesn't seem like that will fly.
>
> Current:
> ---
> An "internationalized domain name", i.e., a DNS domain name that includes at least one label containing appropriately encoded Unicode code points outside the traditional US-ASCII range and conforming to the processing and validity checks specified for "IDNA2008" in [IDNA-DEFS] and the associated documents. In particular, it contains at least one U-label or A-label, but otherwise may contain any mixture of NR-LDH labels, A-labels, or U-labels.
>
> New:
> ---
> An "internationalized domain name", i.e., a DNS domain name that includes at least one label containing appropriately encoded Unicode code points outside the traditional US-ASCII range. In particular, it contains at least one U-label or A-label, but otherwise may contain any mixture of NR-LDH labels, A-labels, or U-labels. Refer to [[Section 7.3]] for further details.
> ---

I think that's right.

>
>
> Then, in section 7.3:
> Current:
> ---
> As with URIs and URLs, there are in practice at least two primary approaches to internationalized domain names: "IDNA2008" (see [IDNA-DEFS] and the associated documents) and an alternative approach specified by the Unicode Consortium in [UTS-46]. (At this point the transition from the older "IDNA2003" technology is mostly complete.) Differences in specification, interpretation, and deployment of these technologies can be relevant to Internet services that are secured through certificates (e.g., some top-level domains might allow registration of names containing Unicode code points that typically are discouraged, either formally or otherwise). Although there is little that can be done by certificate matching software itself to mitigate these differences (aside from matching exclusively on A-labels), the reader needs to be aware that the handling of internationalized domain names is inherently complex and can lead to significant security vulnerabilities if not properly implemented.
>
> New:
> The IETF document covering internationalized domain names is "IDNA2008" [IDNA-DEFS]. The Unicode Consortium publishes a similar document known as "UTF-46". This document allows names that are valid in IDNA2003 but not IDNA2008, and additionally allows characters that are not valid in either IETF document, such as emoji characters. This more lenient approach carries additional risk of semantic ambiguity and additional security considerations. ICANN recommends IDNA2008 [https://features.icann.org/ssac-advisory-use-emoji-domain-names] and against emoji characters in domain names. However, the internet contains old content published under IDNA2003, and people enjoy emoji characters, so consumer applications often end up using the more liberal approach in [UTS-46].
> ---

I think we actually need to say more here: the A-label used in the
X509 comparison needs to be the A-label derived and used to do the DNS
lookup. Otherwise we have the issue of bugs that change the IDN
behavior between application and X509/TLS library breaking the
relation between what the user put in and the cert presented.

Also I don't think comparison is enough: don't name constraints need
to be included in the calculation?

Sincerely,
Watson Ladd

v2.23.0 | Report a Bug | By Email