> On Feb 9, 2017, at 7:06 PM, Russ Housley <housley@xxxxxxxxxxxx> wrote:
>
> > Wei is arguing that the two (rfc822Name and SmtpUtf8Name) should be completely separate.
>
> You are arguing for some crossover,

I am not arguing for "some crossover", I am arguing to stop bypass attacks when rfc822Name constraints are specified by a (legacy) CA, and SmtpUtf8Name constraints are not. Anything that prevents the creation of SmtpUtf8Name entries that violate the intent of the rfc822Name constraints is sufficient.

In particular, it is not absolutely necessary to allow "faß.de" to be used via a name-constrained legacy certificate. The most recently proposed compromise was to just ban all SmtpUtf8Name altnames when rfc822Name constraints are set, with no corresponding SmtpUtf8Name constraints.

> but I do not understand how A-labels in the rfc822Name are handled in your proposal.

No special treatment, just disallow bypass via use of unconstrained SmtpUtf8Name.

> If rfc822Name permits 'xn--fa-hia.de' then it would need to be translated to 'faß.de' for comparison in SmtpUtf8Name.

Simplest to avoid translation, and just deny.

--
	Viktor.
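The deny rule proposed in this message, sketched as a validator check; this is an added example, not part of the original post or of any draft text. The `CA` model, the `violations` function, the `deny_unconstrained_utf8` switch, the per-certificate reading of "rfc822Name constraints are set", and all sample names are assumptions made for illustration; matching of SmtpUtf8Name constraints that are present is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class CA:
    """Constructed model of one CA certificate's nameConstraints extension."""
    subject: str
    permitted: dict = field(default_factory=dict)  # name form -> [constraint, ...]
    excluded: dict = field(default_factory=dict)

    def constrains(self, form):
        return form in self.permitted or form in self.excluded

def rfc822_matches(mailbox, constraint):
    """RFC 5280 section 4.2.1.10 matching for rfc822Name constraints."""
    local, _, host = mailbox.rpartition("@")
    host = host.lower()
    if "@" in constraint:                    # one particular mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host == c_host.lower()
    if constraint.startswith("."):           # any host inside the domain
        return host.endswith(constraint.lower())
    return host == constraint.lower()        # every mailbox on one host

def violations(chain, sans, deny_unconstrained_utf8=True):
    """Return (issuer, name form, value, reason) for every SAN the chain forbids."""
    found = []
    for ca in chain:
        for form, value in sans:
            if form == "rfc822Name" and ca.constrains(form):
                allow = ca.permitted.get(form)
                if allow is not None and not any(rfc822_matches(value, c) for c in allow):
                    found.append((ca.subject, form, value, "not in permitted subtrees"))
                if any(rfc822_matches(value, c) for c in ca.excluded.get(form, [])):
                    found.append((ca.subject, form, value, "in excluded subtrees"))
            elif (form == "SmtpUtf8Name" and deny_unconstrained_utf8
                  and ca.constrains("rfc822Name") and not ca.constrains(form)):
                # No A-label/U-label translation is attempted: the name is simply denied.
                found.append((ca.subject, form, value,
                              "rfc822Name constrained, SmtpUtf8Name not"))
    return found

# Constructed sample: a legacy CA that only carries rfc822Name constraints.
LEGACY_CA = CA("Legacy Sub CA", permitted={"rfc822Name": ["example.com", ".example.com"]})
LEAF_SANS = [("rfc822Name", "alice@example.com"),
             ("SmtpUtf8Name", "админ@other.example")]
```

With `deny_unconstrained_utf8=False` the sample leaf passes, which is the bypass the message describes; with the rule enabled the SmtpUtf8Name entry is the only violation.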