Re: Last Call: <draft-ietf-lamps-eai-addresses-05.txt> (Internationalized Email Addresses in X.509 certificates) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Viktor:

[bottom posting]

> 
>> RFC 5280 says:
>> 
>> A name constraint for Internet mail addresses MAY specify a
>> particular mailbox, all addresses at a particular host, or all
>> mailboxes in a domain.  To indicate a particular mailbox, the
>> constraint is the complete mail address.  For example,
>> "root@xxxxxxxxxxx" indicates the root mailbox on the host
>> "example.com".  To indicate all Internet mail addresses on a
>> particular host, the constraint is specified as the host name.  For
>> example, the constraint "example.com" is satisfied by any mail
>> address at the host "example.com".  To specify any address within a
>> domain, the constraint is specified with a leading period (as with
>> URIs).  For example, ".example.com" indicates all the Internet mail
>> addresses in the domain "example.com", but not Internet mail
>> addresses on the host "example.com”.
>> 
>> I think you are talking about constraints on addresses at a particular
>> host and constraints on mailboxes in a domain, but not constraints on a
>> particular mailbox.  Please correct me is I got that wrong.
> 
> Primarily, but not exclusively.  In the case that an issuer CA is
> constrainted to a specific rfc822Name, it should not be possible
> to evade that constraint by using the same (all-ASCII) address as
> an SmtpUtf8Name.
> 
>> I think you are suggesting that any A-label in the rfc822Name be converted
>> to a U-label, and the result is used to constrain the SmtpUtf8Name.
> 
> No.  I am *not* suggesting *any* conversions.  If a CA has rfc822Name
> constraints and no SmptUtf8Name constraints, and the rfc822Name
> constraints limit the CA to "example.com", ".example.com", or as
> you suggest above, a particular set of explicit rfc822Name addresses,
> my suggestion is that it MUST NOT be able to issue SmtpUtf8Name altnames
> that violate those constraints.  For example:
> 
> * CA is constrained to permitted subtree rfc822Name: example.com
> 	- can issue SmtpUtfName: виктор@example.com
> 	- cannot issue SmtpUtf8Name: виктор@example.net
> 
> In the current form of the draft both would be allowed, the second
> is a clear violation of the principle of least surprise (and the
> policy of the parent CA that created the name constraint).
> 
>> If people like your suggestion, then a constraint for a particular mailbox
>> will still require a SmtpUtf8Name, so I think the mechanism described in
>> the draft is needed.  It would just be used in combination with the above.
> 
> As to particular addresses, again:
> 
> 
> * CA is constrained to permitted subtree rfc822Name: viktor@xxxxxxxxxxx
> 	- cannot SmtpUtfName: виктор@example.com
> 	- cannot issue SmtpUtf8Name: виктор@example.net
> 
> In the current form of the draft both would be allowed, in clear
> violation of the name constraint on the permitted email addresses.


Wei is arguing that the two (ffc822Name and SmtpMUtf8Name) should be completely separate.

You are arguing for some crossover, but I do not understand how A-labels in the rfc822Name are handled in your proposal.

If rfc822Name permits 'xn--fa-hia.de’ then it would need to be translated to 'faß.de’ for comparison in SmtpUtf8Name.

Russ





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]