IETF Logo Mail Archive

Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 28 June 2022 14:14 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38433C1594AD for <uta@ietfa.amsl.com>; Tue, 28 Jun 2022 07:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aN9pH1-BMhYi for <uta@ietfa.amsl.com>; Tue, 28 Jun 2022 07:14:55 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5A7C157B3F for <uta@ietf.org>; Tue, 28 Jun 2022 07:14:54 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id A94A1100B5B; Tue, 28 Jun 2022 10:14:53 -0400 (EDT)
Date: Tue, 28 Jun 2022 10:14:53 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <YrsM3fWYZ2dVi1bP@straasha.imrryr.org>
Reply-To: uta@ietf.org
References: <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <ae5b3a02-bcc3-2106-a39a-b67aae55d85c@stpeter.im> <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im> <BE6D8552-2723-4B64-9909-22C0BC32AC75@gmail.com> <8cf3b08d-478c-4cc5-be19-46cc1cc90271@stpeter.im> <YroARsHlIeR97z52@straasha.imrryr.org> <45cf71a8-c890-695a-5469-a7d545143571@stpeter.im> <YrorpEyiXIWDinNz@straasha.imrryr.org> <3d050f75-d4bf-dc52-0c2f-db488b2604e7@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3d050f75-d4bf-dc52-0c2f-db488b2604e7@stpeter.im>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/YPvD8a8nQbYkwIgBbi9_qIEnR5o>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2022 14:14:56 -0000

On Mon, Jun 27, 2022 at 04:31:25PM -0600, Peter Saint-Andre wrote:

> >> I'm not necessarily saying that - I'm saying only that Jeff and I tried
> >> to find a canonical definition of "fully-qualified domain name" and the
> >> best we could do was RFC 1034. Alternative proposals are welcome.
> > 
> > There are only two possible answers:
> > 
> >    - All DNS names are valid, so long as they have a wire form that
> >      meets the requirements of RFC 1034.
> > 
> >    - Only names that comply with section 2.1 of the Host Requirements RFC:
> > 
> >          https://datatracker.ietf.org/doc/html/rfc1123#page-13
> > 
> >      are valid.  These are LDH forms, whose labels therefore require no
> >      special processing in presentation form, and so the limits are at
> >      most 63 octets per label, and at most 254 bytes total (allowing for
> >      an extra byte for the final 0 length wire-form label).
> > 
> >      In LDH form the hyphens must not be the first or last character of
> >      any label.  Names starting with "xx--" for various values of "xx"
> >      are special reserved forms with (IIRC) "xn" being the only presently
> >      defined prefix, but I don't think that it is appropriate for the
> >      present document to delve into this level of detail.
> > 
> >      The host requirements RFC further recomments staying under 63 bytes,
> >      and though this is somewhat dated, it is nevertheless prudent if
> >      possible.
> 
> RFC 6125 (and now 6125bis) are not documents about the definition or 
> enforcement of DNS naming rules, only about client-side matching of 
> service identifiers presented in X.509 certificates against the client's 
> conception of what the service ought to be (i.e., against a reference 
> identifier). I see no reason to expand the scope of 6125bis in the 
> direction you might be proposing. Thus I would favor the first option above.

Note, I was not proposing anything for 6125bis.  Rather, I was just
responding to the posted question of what *might be* the definition
of a (DNS) FQDN.

One might however make a reasonable case that if DNS names in DNS
subject alternative names are not constrained to RFC 1123 Section 2.1
LDH names, then their representation in DNS-ID values is of course
constrained to "7-bit" (IA5String) characters and needs to use DNS
presentation form escaping rules for at least some special characters.

At a minimum "." and "\" may need to be escaped, as "\." and "\\".  Other
"special" IA5 characters could arguably be rendered verbatim, but better
I think also escaped, probably via "\DDD" decimal escapes for control
characters, <DEL>, punctuation, double-quotes and whitespace.

The above is perhaps not terribly appealing, and interoperability for
escaped forms would likely be limited.  So non-LDH names could
reasonably be "discouraged".

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email