Re: [Uta] Browser behavior in draft-ietf-uta-rfc6125bis

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 27 January 2023 20:43 UTC

Message-ID: <9da6faef-8d57-e1ac-828c-7c80b5185679@dukhovni.org>
To: uta@ietf.org
References: <CAChr6Sx4tWCRM8OB08Py1-khQpVv3FX9E2a7JQPF8=5B+hpd1g@mail.gmail.com> <DM6PR14MB218694EA4F8AC20E23E8AD8092CF9@DM6PR14MB2186.namprd14.prod.outlook.com> <CAChr6SwpJ6HLGfQV4W93+JXTC_eYYttVTs8+UXvEqp6e_OQ+qA@mail.gmail.com> <ad05edf6-160c-5882-2089-f7f8cdd8fdc7@stpeter.im> <CAChr6SzL2no0L89=xCinw=gCm8K2gqnhb1TyFo9F8RwHRaXGgQ@mail.gmail.com> <DM6PR14MB2186B55AE9F80C5286C9229892CF9@DM6PR14MB2186.namprd14.prod.outlook.com> <CAChr6Sw=Jez9XShhLniqV+MHfoRTS5Ne6S-xpD+UXXZMxs7zzA@mail.gmail.com>
In-Reply-To: <CAChr6Sw=Jez9XShhLniqV+MHfoRTS5Ne6S-xpD+UXXZMxs7zzA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/VBSuqkXWZY6QBT_ILQTosCxpD8Q>

On 26/1/2023 7:58 pm, Rob Sayre wrote:

> For instance, ☕.example becomes xn--53h.example and not failure. 
> [UTS46] [RFC5890]"

Yes, thus, for example, Postfix via libicu (my terminal doesn't actually 
display "☕", but it was part of the input argument anyway):

$ posttls-finger "☕.example"
posttls-finger: ☕.example asciified to xn--53h.example
posttls-finger: Destination address lookup failed: Host or domain name not found. Name service error for name=xn--53h.example type=MX: Host not found, try again

But I don't see how this is relevant to the security of certificate validation. If the application wants to authenticate "☕.example", it matches the A-label form to the certificate. Perhaps it should have refused to communicate with "☕.example", but that question is I think at a different layer. If an EAI-capable MUA addresses email to "☕.example" (for some domain-name-valued "example"), and traffic to that domain is subject to authenticated TLS, then Postfix will authenticate "xn--53h.example" (ignoring MX indirection for the moment).

-- 
Viktor.
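An added example, not Postfix code and not part of the message above, of the matching step it describes: the reference identifier is converted to its A-label form and only that form is compared against the certificate's dNSName entries, with the left-most-label wildcard rule of RFC 6125bis. It assumes Python's standard-library "idna" codec (IDNA2003 nameprep rather than UTS46), which produces the same xn--53h A-label for this input.

```python
# Added example, not Postfix code: authenticate a (possibly U-label)
# host name by comparing its A-label form with certificate dNSName SANs.
# Assumes the stdlib "idna" codec (IDNA2003 nameprep, not UTS46); for
# "☕.example" both yield "xn--53h.example".

def to_a_label(hostname: str) -> str:
    """Return the lowercase A-label form of hostname (no trailing dot).

    Raises UnicodeError on empty or over-long labels, as the codec does.
    """
    return hostname.rstrip(".").encode("idna").decode("ascii").lower()


def _labels_match(presented: str, reference: str) -> bool:
    """Compare two A-label names label by label.

    Wildcard rule (RFC 6125bis): "*" may only be the whole left-most label
    of the presented identifier, and it matches exactly one label.
    """
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if len(p_labels) != len(r_labels):
        return False
    if p_labels == r_labels:
        return True
    return p_labels[0] == "*" and p_labels[1:] == r_labels[1:]


def matches_san(hostname: str, san_dns_names) -> bool:
    """True if any dNSName in san_dns_names matches hostname.

    A user-facing "☕.example" is authenticated as "xn--53h.example";
    no U-label comparison is ever attempted.
    """
    try:
        reference = to_a_label(hostname)
    except UnicodeError:
        return False          # malformed reference identifier: no match
    if not reference:
        return False
    for presented in san_dns_names:
        try:
            candidate = to_a_label(presented)
        except UnicodeError:
            continue          # malformed presented identifier: skip it
        if _labels_match(candidate, reference):
            return True
    return False
```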