ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

2017-02-28 05:12:11
from [Wei Chuang] [Permanent Link] 
On Thu, Feb 16, 2017 at 10:26 AM, Viktor Dukhovni 
<ietf-dane(_at_)dukhovni(_dot_)org>
wrote:




On Feb 16, 2017, at 10:30 AM, Wei Chuang <weihaw(_at_)google(_dot_)com> 
wrote:


How about if a CA with only rfc822Name constraints can't issue certs
with SmtpUTF8Names at all, and of course vice versa.  If you want both
kinds of names, the CA has to constrain both.


I had asked a few folks at Google for an opinion about the name

constraints.

Let me post Ryan Sleevi's (CC'ed) opinion:

https://mailarchive.ietf.org/arch/msg/ietf/ngUOjvCHubjcyiG4uZ0w16-5-fg
[the above] basically says option 3 [the acceptable approach of the 3],
but unfortunately suffers from 'legacy' - namely, you cannot assume that
all rfc822Name clients will be updated to support SmtpUtf8Name, and short
of marking it critical (which would mean its undeployable), you can't
assume that an SmtpUtf8Name nameConstraint will constrain an rfc822Name.


Given that rfc822Name is a well-known legacy element, while SmtpUtf8Name
is a novel element, the prescription can be asymmetric.  Specifically,
all that's really needed (in the simpler model proposed by John) is
to disallow SmtpUtf8Name altnames when (only) rfc822Name constraints
are present.

The converse is not required, a parent CA that is SmtpUtf8Name aware
and wants to issue a child CA with SmtpUtf8Name constraints can and
should also include appropriate rfc822Name constraints that ensure
that the desired SmtpUtf8Name constraints are not bypassed via
unauthorized rfc822Name altnames.

The rfc822Name constraints can either permit only equivalent domain
names (LDH or A-label forms), or, if no rfc822Name can be compatible
with the SmtpUtf8Name constraints, permit only something like
"nouser@nodomain.invalid", thereby excluding all valid rfc822 addresses.

--
        Viktor.



Hi Viktor and everyone else on the thread,

Apologies about being pedantic.  If we specify the CA name constraints as
you describe above with the asymmetric requirements on SmtpUtf8Name, are
you okay with the draft's position on keeping separate name constraint
processing for rfc822Name and SmtpUtf8Name types?  In other words the above
is proposed to be the resolution for the issue raised in your email Feb
11th, second email, para 1-3 i.e. preventing evasion of name constraints.

thanks,
-Wei

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Proposed IETF Statement Concerning Personal Data for Review, Stephen Farrell
Next by Date:  Re: Proposed IETF Statement Concerning Personal Data for Review, John R Levine
Previous by Thread:  Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard, Stephen Farrell
Next by Thread:  Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard, Viktor Dukhovni
Indexes:  [Date] [Thread] [Top] [All Lists]