On Feb 9, 2017, at 7:06 PM, Russ Housley <housley(_at_)vigilsec(_dot_)com> wrote:

> Wei is arguing that the two (rfc822Name and SmtpUtf8Name) should be
> completely separate. You are arguing for some crossover,

I am not arguing for "some crossover", I am arguing to stop bypass attacks
when rfc822Name constraints are specified by a (legacy) CA, and SmtpUtf8Name
constraints are not.

Anything that prevents the creation of SmtpUtf8Name entries that violate the
intent of the rfc822Name constraints is sufficient. In particular, it is
not absolutely necessary to allow "faß.de" to be used via a name-constrained
legacy certificate. The most recently proposed compromise was to just ban
all SmtpUtf8Name altnames when rfc822Name constraints are set, with no
corresponding SmtpUtf8Name constraints.

> but I do not understand how A-labels in the rfc822Name are handled in your
> proposal.

No special treatment, just disallow bypass via use of unconstrained
SmtpUtf8Name.

> If rfc822Name permits 'xn--fa-hia.de' then it would need to be translated to
> 'faß.de' for comparison in SmtpUtf8Name.

Simplest to avoid translation, and just deny.
--
Viktor.
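The compromise discussed in this message, as an added illustration that is not part of the thread and not code from any of the participants: a small, hypothetical model of a name-constraints check covering only the two name forms in question. The `NameConstraints` class, `check_san` function and the constructed certificate data are assumptions made for the example; the constraint forms for rfc822Name (a single mailbox, a host, or a leading-dot domain) follow RFC 5280 section 4.2.1.10. With `ban_unconstrained_utf8=False` the check behaves like a legacy validator that only looks at constraints of the entry's own name form, which is exactly the bypass the message describes; with the default `True` it applies the proposed rule of rejecting every SmtpUtf8Name entry when the CA set rfc822Name constraints but no SmtpUtf8Name constraints, so no A-label to U-label translation is needed.

```python
from dataclasses import dataclass, field

# Name forms discussed in the thread (constants are this example's own).
RFC822_NAME = "rfc822Name"
SMTP_UTF8_NAME = "SmtpUtf8Name"


@dataclass
class NameConstraints:
    """Hypothetical reduced model of the X.509 name-constraints extension.

    Each dict maps a name form to its list of constraint strings, using the
    rfc822Name forms from RFC 5280 4.2.1.10: "user@host" (one mailbox),
    "host" (every mailbox on that host) or ".domain" (every mailbox in a
    subdomain of that domain).
    """
    permitted: dict = field(default_factory=dict)
    excluded: dict = field(default_factory=dict)

    def has(self, name_form):
        """True if the CA set any constraint (permitted or excluded) of this form."""
        return bool(self.permitted.get(name_form) or self.excluded.get(name_form))


def _domain(mailbox):
    return mailbox.rpartition("@")[2].lower()


def mailbox_matches(mailbox, constraint):
    """True if a mailbox falls within one constraint string."""
    constraint = constraint.lower()
    if "@" in constraint:                       # a particular mailbox
        local, _, host = mailbox.rpartition("@")
        clocal, _, chost = constraint.rpartition("@")
        return local == clocal and host.lower() == chost
    if constraint.startswith("."):              # any mailbox in a subdomain
        return _domain(mailbox).endswith(constraint)
    return _domain(mailbox) == constraint       # any mailbox on this host


def _within(mailbox, constraints, name_form):
    permitted = constraints.permitted.get(name_form)
    excluded = constraints.excluded.get(name_form, [])
    if permitted is not None and not any(mailbox_matches(mailbox, c) for c in permitted):
        return False
    return not any(mailbox_matches(mailbox, c) for c in excluded)


def check_san(name_form, mailbox, constraints, ban_unconstrained_utf8=True):
    """Return (allowed, reason) for one subjectAltName entry.

    ban_unconstrained_utf8=True applies the compromise from the thread: when
    the CA set rfc822Name constraints but no SmtpUtf8Name constraints, every
    SmtpUtf8Name entry is rejected outright, so the A-labels in the rfc822Name
    constraints never have to be translated to U-labels for comparison.
    """
    if (name_form == SMTP_UTF8_NAME and ban_unconstrained_utf8
            and constraints.has(RFC822_NAME) and not constraints.has(SMTP_UTF8_NAME)):
        return False, "SmtpUtf8Name entry but CA only constrained rfc822Name"
    if not constraints.has(name_form):
        return True, "no constraints of this name form"
    ok = _within(mailbox, constraints, name_form)
    return ok, ("within constraints" if ok else "outside constraints")


# Constructed sample data: a legacy CA that constrained rfc822Name only, and a
# CA that constrained both name forms.
LEGACY_CA = NameConstraints(permitted={RFC822_NAME: [".example.com"]})
BOTH_CA = NameConstraints(permitted={RFC822_NAME: [".example.com"],
                                     SMTP_UTF8_NAME: [".faß.de"]})


def demo():
    """Summarise the four cases that matter for the bypass discussion."""
    return {
        "rfc822 inside legacy constraint":
            check_san(RFC822_NAME, "alice@mail.example.com", LEGACY_CA)[0],
        "rfc822 outside legacy constraint":
            check_san(RFC822_NAME, "alice@xn--fa-hia.de", LEGACY_CA)[0],
        "utf8 under legacy validator (bypass)":
            check_san(SMTP_UTF8_NAME, "alice@faß.de", LEGACY_CA, ban_unconstrained_utf8=False)[0],
        "utf8 under proposed rule":
            check_san(SMTP_UTF8_NAME, "alice@faß.de", LEGACY_CA)[0],
        "utf8 where CA constrained both forms":
            check_san(SMTP_UTF8_NAME, "alice@mail.faß.de", BOTH_CA)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

The last case shows that the rule only bites when the SmtpUtf8Name form is unconstrained: once a CA issues constraints for both forms, each entry is simply checked against the constraints of its own form.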