
Re: Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard

2010-07-17 04:22:38


--On Thursday, July 15, 2010 16:08 -0700 The IESG
<iesg-secretary(_at_)ietf(_dot_)org> wrote:

The IESG has received a request from an individual submitter
to consider the following document:

- 'Representation and Verification of Domain-Based Application
Service Identity in Certificates Used with Transport Layer
Security' <draft-saintandre-tls-server-id-check-08.txt> as
a Proposed Standard

Hi.

These are sort of nits, but they do identify areas where the
document is substantively incorrect and subject to
misinterpretation:

(1) In Section 4.4.1, the reference should be to the IDNA2008
discussion.  The explanations are a little better vis-a-vis the
DNS specs and it is a bad idea to reference an obsolete spec.

(2) In Section 4.4.2, note that there are definitional and
procedural problems if one tries to talk about a single rule for
full domain names.  It is possible, and has been the only option
until very recently, for a fully-qualified IDN to contain both
"traditional" and "internationalized" labels.  IDNA2008 avoided
a number of definitional problems by being defined strictly in
terms of labels for just that reason.   In particular,
conversion of an all-ASCII label to an A-label is undefined and
meaningless: such a label is not a U-label and hence cannot be
converted.  One needs to parse the string into labels, determine
for each label whether it is "traditional" or
"internationalized", and then apply the appropriate rule. I'd
recommend rewriting 4.4.1 and 4.4.2 in terms of labels, not
FQDNs.

(3) Note that anything that requires that an application program
parse a FQDN that might be an IDN into labels should probably
have a Security Considerations note about the risks if various
dotoids leak into the relevant environment.


best,
    john


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
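The label-by-label handling that point (2) recommends, together with the separator check point (3) asks for, as an added Python illustration that is not part of this message or of the draft. It assumes U-labels are already valid under IDNA2008 (NFC, lower case) and performs no IDNA2008 validity checks itself; the list of non-ASCII dot-like separators is the one IDNA2003 mapped to '.', used here only to reject them.

```python
import unicodedata

# Non-ASCII characters that IDNA2003 mapped to '.', rejected here so they cannot
# silently change where a name is split into labels.
DOTOIDS = {"\u3002", "\uff0e", "\uff61"}


def split_labels(name: str) -> list:
    """Split on ASCII '.' only; reject dot-like separators and empty labels."""
    if any(ch in DOTOIDS for ch in name):
        raise ValueError("non-ASCII dot-like separator in name")
    if name.endswith("."):
        name = name[:-1]  # absolute form; labels are unchanged
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError("empty label")
    return labels


def classify(label: str) -> str:
    """Return 'traditional' (ASCII LDH), 'a-label' (xn--...) or 'u-label'."""
    if label.isascii():
        if label.lower().startswith("xn--"):
            return "a-label"
        if not all(c.isalnum() or c == "-" for c in label):
            raise ValueError(f"invalid ASCII label: {label!r}")
        return "traditional"
    return "u-label"


def to_alabel(label: str) -> str:
    """Canonical comparison form of one label; a traditional label is not converted."""
    kind = classify(label)
    if kind == "traditional":
        return label.lower()  # ASCII case-insensitive, no IDN conversion applies
    if kind == "a-label":
        ulabel = label[4:].encode("ascii").decode("punycode")  # must round-trip
        if "xn--" + ulabel.encode("punycode").decode("ascii") != label.lower():
            raise ValueError(f"non-canonical A-label: {label!r}")
        return label.lower()
    ulabel = unicodedata.normalize("NFC", label)  # assumed already lower case
    if len(ulabel.encode("punycode")) + 4 > 63:
        raise ValueError("A-label would exceed 63 octets")
    return "xn--" + ulabel.encode("punycode").decode("ascii")


def dns_id_matches(reference: str, dns_id: str) -> bool:
    """Compare a reference name with a certificate DNS-ID label by label."""
    return [to_alabel(l) for l in split_labels(reference)] == \
        [to_alabel(l) for l in split_labels(dns_id)]
```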