On Thu, Feb 09, 2017 at 04:33:44PM -0500, Russ Housley wrote:

> RFC 5280 says:
>
>    A name constraint for Internet mail addresses MAY specify a
>    particular mailbox, all addresses at a particular host, or all
>    mailboxes in a domain.  To indicate a particular mailbox, the
>    constraint is the complete mail address.  For example,
>    "root@xxxxxxxxxxx" indicates the root mailbox on the host
>    "example.com".  To indicate all Internet mail addresses on a
>    particular host, the constraint is specified as the host name.  For
>    example, the constraint "example.com" is satisfied by any mail
>    address at the host "example.com".  To specify any address within a
>    domain, the constraint is specified with a leading period (as with
>    URIs).  For example, ".example.com" indicates all the Internet mail
>    addresses in the domain "example.com", but not Internet mail
>    addresses on the host "example.com".
>
> I think you are talking about constraints on addresses at a particular
> host and constraints on mailboxes in a domain, but not constraints on a
> particular mailbox.  Please correct me if I got that wrong.

Primarily, but not exclusively.  In the case that an issuer CA is
constrained to a specific rfc822Name, it should not be possible to
evade that constraint by using the same (all-ASCII) address as an
SmtpUtf8Name.

> I think you are suggesting that any A-label in the rfc822Name be converted
> to a U-label, and the result is used to constrain the SmtpUtf8Name.

No.  I am *not* suggesting *any* conversions.  If a CA has rfc822Name
constraints and no SmtpUtf8Name constraints, and the rfc822Name
constraints limit the CA to "example.com", ".example.com", or, as you
suggest above, a particular set of explicit rfc822Name addresses, my
suggestion is that it MUST NOT be able to issue SmtpUtf8Name altnames
that violate those constraints.
For example:

 * CA is constrained to permitted subtree rfc822Name: example.com
   - can issue SmtpUtf8Name: виктор@example.com
   - cannot issue SmtpUtf8Name: виктор@example.net

In the current form of the draft both would be allowed; the second is a
clear violation of the principle of least surprise (and of the policy of
the parent CA that created the name constraint).

> If people like your suggestion, then a constraint for a particular mailbox
> will still require a SmtpUtf8Name, so I think the mechanism described in
> the draft is needed.  It would just be used in combination with the above.

As to particular addresses, again:

 * CA is constrained to permitted subtree rfc822Name: viktor@xxxxxxxxxxx
   - cannot issue SmtpUtf8Name: виктор@example.com
   - cannot issue SmtpUtf8Name: виктор@example.net

In the current form of the draft both would be allowed, in clear
violation of the name constraint on the permitted email addresses.

-- 
	Viktor.
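The matching rules quoted from RFC 5280 and the proposal in the reply above, as an added worked example that is not code from the thread, from RFC 5280, or from the draft under discussion. It implements the three rfc822Name constraint forms (particular mailbox, host, leading-dot domain), then evaluates SmtpUtf8Name altnames either as the reply describes the current draft (rfc822Name constraints ignored) or as the reply proposes (rfc822Name constraints apply when no SmtpUtf8Name constraints are present). No A-label/U-label conversion is performed, matching the "no conversions" position in the mail. The constraint "viktor@example.com" stands in for the obfuscated mailbox in the mail; all addresses and subtrees are constructed for illustration:

```python
"""Added example: RFC 5280 4.2.1.10 rfc822Name constraint matching, extended
to SmtpUtf8Name as proposed in the mail above.  Not code from the thread,
RFC 5280, or any draft.  All names and constraints below are constructed."""

RFC822NAME = "rfc822Name"
SMTPUTF8NAME = "SmtpUtf8Name"


def split_mailbox(addr):
    """Split a mailbox on its last '@'.  The domain part is case-insensitive,
    so it is lowercased; the local part is owner-defined and compared exactly
    (RFC 5321 treats local parts as case-sensitive).  No IDN conversion."""
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not a mailbox: %r" % (addr,))
    return local, domain.lower()


def matches_constraint(constraint, mailbox):
    """RFC 5280 4.2.1.10 rfc822Name forms:
      'user@host' : exactly that mailbox
      'host'      : any mailbox at exactly that host
      '.domain'   : any mailbox at a host *within* domain, not the host itself
    """
    local, domain = split_mailbox(mailbox)
    if "@" in constraint:
        c_local, c_domain = split_mailbox(constraint)
        return local == c_local and domain == c_domain
    c = constraint.lower()
    if c.startswith("."):
        # 'mail.example.com' ends with '.example.com'; 'example.com' does not,
        # and neither does 'notexample.com'.
        return domain.endswith(c)
    return domain == c


def within_subtrees(mailbox, permitted, excluded):
    """A name is acceptable if no excluded subtree matches it and, when
    permitted subtrees of this name form exist, at least one permits it."""
    if any(matches_constraint(c, mailbox) for c in excluded):
        return False
    if permitted and not any(matches_constraint(c, mailbox) for c in permitted):
        return False
    return True


def check_altnames(altnames, rfc822=((), ()), smtputf8=None,
                   apply_rfc822_to_utf8=True):
    """altnames : list of (name_form, value) pairs from a candidate cert.
    rfc822    : (permitted, excluded) rfc822Name subtrees from the issuer chain.
    smtputf8  : (permitted, excluded) SmtpUtf8Name subtrees, or None if absent.
    apply_rfc822_to_utf8=False models the draft as the mail describes it
    (SmtpUtf8Name ignores rfc822Name constraints); True models the proposal.
    Returns {value: allowed}."""
    results = {}
    for form, value in altnames:
        if form == RFC822NAME:
            results[value] = within_subtrees(value, *rfc822)
        elif form == SMTPUTF8NAME:
            if smtputf8 is not None:
                results[value] = within_subtrees(value, *smtputf8)
            elif apply_rfc822_to_utf8:
                results[value] = within_subtrees(value, *rfc822)
            else:
                results[value] = True   # no SmtpUtf8Name constraints: unconstrained
        else:
            raise ValueError("unsupported name form: %r" % (form,))
    return results


# Constructed inputs mirroring the two cases in the mail.
HOST_CONSTRAINED = (["example.com"], [])            # permitted subtree: one host
MAILBOX_CONSTRAINED = (["viktor@example.com"], [])  # permitted subtree: one mailbox
CANDIDATES = [
    (SMTPUTF8NAME, "виктор@example.com"),
    (SMTPUTF8NAME, "виктор@example.net"),
    (RFC822NAME, "viktor@example.com"),
]

if __name__ == "__main__":
    for label, subtrees in (("host", HOST_CONSTRAINED),
                            ("mailbox", MAILBOX_CONSTRAINED)):
        for proposal in (False, True):
            print(label, "proposal" if proposal else "draft",
                  check_altnames(CANDIDATES, subtrees,
                                 apply_rfc822_to_utf8=proposal))
```

Under the host constraint, the proposal permits виктор@example.com and rejects виктор@example.net, while the draft mode permits both; under the single-mailbox constraint the proposal rejects both UTF-8 names because the local parts differ from the constrained mailbox. Passing an explicit `smtputf8` tuple shows the draft's own mechanism taking precedence in either mode.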