draft-ietf-lamps-eai-addresses-06.txt   draft-ietf-lamps-eai-addresses-07.txt 
LAMPS A. Melnikov, Ed. LAMPS A. Melnikov, Ed.
Internet-Draft Isode Ltd Internet-Draft Isode Ltd
Intended status: Standards Track W. Chuang, Ed. Intended status: Standards Track W. Chuang, Ed.
Expires: August 5, 2017 Google, Inc. Expires: September 9, 2017 Google, Inc.
February 1, 2017 March 8, 2017
Internationalized Email Addresses in X.509 certificates Internationalized Email Addresses in X.509 certificates
draft-ietf-lamps-eai-addresses-06 draft-ietf-lamps-eai-addresses-07
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name and Issuer Alternate Name field of an X.509 Subject Alternative Name and Issuer Alternate Name
extension that allows a certificate subject to be associated with an extension that allows a certificate subject to be associated with an
Internationalized Email Address. Internationalized Email Address.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 5, 2017. This Internet-Draft will expire on September 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2
4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Matching of Internationalized Email Addresses in X.509 5. Matching of Internationalized Email Addresses in X.509
certificates . . . . . . . . . . . . . . . . . . . . . . . . 4 certificates . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Name constraints in path validation . . . . . . . . . . . . . 5 6. Name constraints in path validation . . . . . . . . . . . . . 5
7. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 9 10.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10
Appendix B. Example of SmtpUtf8Name . . . . . . . . . . . . . . 10 Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 11
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
[RFC5280] defines rfc822Name subjectAltName choice for representing [RFC5280] defines rfc822Name subjectAltName choice for representing
[RFC5321] email addresses. This form is restricted to a subset of [RFC5321] email addresses. This form is restricted to a subset of
US-ASCII characters and thus can't be used to represent US-ASCII characters and thus can't be used to represent
Internationalized Email addresses [RFC6531]. To facilitate use of Internationalized Email addresses [RFC6531]. To facilitate use of
these Internationalized Email addresses with X.509 certificates, this these Internationalized Email addresses with X.509 certificates, this
document specifies a new name form in otherName so that document specifies a new name form in otherName so that
subjectAltName and issuerAltName can carry them. In addition this subjectAltName and issuerAltName can carry them. In addition this
skipping to change at page 2, line 50 skipping to change at page 2, line 50
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234] The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234]
notation. notation.
3. Name Definitions 3. Name Definitions
The GeneralName structure is defined in [RFC5280], and supports many The GeneralName structure is defined in [RFC5280], and supports many
different names forms including otherName for extensibility. This different names forms including otherName for extensibility. This
section specifies the SmtpUtf8Name name form of otherName, so that section specifies the SmtpUTF8Name name form of otherName, so that
Internationalized Email addresses can appear in the subjectAltName of Internationalized Email addresses can appear in the subjectAltName of
a certificate, the issuerAltName of a certificate, or anywhere else a certificate, the issuerAltName of a certificate, or anywhere else
that GeneralName is used. that GeneralName is used.
id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUtf8Name ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Name ::= UTF8String (SIZE (1..MAX))
When the subjectAltName (or issuerAltName) extension contains an When the subjectAltName (or issuerAltName) extension contains an
Internationalized Email address, the address MUST be stored in the Internationalized Email address, the address MUST be stored in the
SmtpUtf8Name name form of otherName. The format of SmtpUtf8Name is SmtpUTF8Name name form of otherName. The format of SmtpUTF8Name is
defined as the ABNF rule SmtpUtf8Mailbox. SmtpUtf8Mailbox is a defined as the ABNF rule SmtpUTF8Mailbox. SmtpUTF8Mailbox is a
modified version of the Internationalized Mailbox which is defined in modified version of the Internationalized Mailbox which was defined
Section 3.3 of [RFC6531] which is itself derived from SMTP Mailbox in Section 3.3 of [RFC6531] which was itself derived from SMTP
from Section 4.1.2 of [RFC5321]. [RFC6531] defines the following Mailbox from Section 4.1.2 of [RFC5321]. [RFC6531] defines the
ABNF rules for Mailbox whose parts are modified for following ABNF rules for Mailbox whose parts are modified for
internationalization: <Local-part>, <Dot-string>, <Quoted-string>, internationalization: <Local-part>, <Dot-string>, <Quoted-string>,
<QcontentSMTP>, <Domain>, and <Atom>. In particular, <Local-part> <QcontentSMTP>, <Domain>, and <Atom>. In particular, <Local-part>
was updated to also support UTF8-non-ascii. UTF8-non-ascii is was updated to also support UTF8-non-ascii. UTF8-non-ascii was
described by Section 3.1 of [RFC6532]. Also, sub-domain is extended described by Section 3.1 of [RFC6532]. Also, sub-domain was extended
to support U-label, as defined in [RFC5890]. to support U-label, as defined in [RFC5890].
This document further refines Internationalized [RFC6531] Mailbox This document further refines Internationalized [RFC6531] Mailbox
ABNF rules and calls this SmtpUtf8Mailbox. In SmtpUtf8Mailbox, sub- ABNF rules and calls this SmtpUTF8Mailbox. In SmtpUTF8Mailbox, sub-
domain that encode non-ASCII characters SHALL use U-label Unicode domain that encode non-ASCII characters SHALL use U-label Unicode
native character labels and MUST NOT use A-label [RFC5890]. This native character labels and MUST NOT use A-label [RFC5890]. This
restriction prevents having to determine which label encoding A- or restriction prevents having to determine which label encoding A- or
U-label is present in the Domain. As per Section 2.3.2.1 of U-label is present in the Domain. As per Section 2.3.2.1 of
[RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and [RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and
other properties specified there. In SmtpUtf8Mailbox, sub-domain other properties specified there. In SmtpUTF8Mailbox, sub-domain
that encode solely ASCII character labels SHALL use NR-LDH that encode ASCII character labels SHALL use NR-LDH restrictions as
restrictions as specified by section 2.3.1 of [RFC5890] and specified by section 2.3.1 of [RFC5890] and SHALL be restricted to
restricted to lower case letters. Note that a SmtpUtf8Mailbox has no lower case letters. One suggested approach to apply these sub-
phrase (such as a common name) before it, has no comment (text domains restriction is to restrict sub-domain so that labels not
surrounded in parentheses) after it, and is not surrounded by "<" and start with two letters followed by two hyphen-minus characters.
">". Consistent with the treatment of rfc822Name in [RFC5280],
SmtpUTF8Name is an envelope <Mailbox> and has no phrase (such as a
common name) before it, has no comment (text surrounded in
parentheses) after it, and is not surrounded by "<" and ">".
In the context of building name constraint as needed by [RFC5280], In the context of building name constraint as needed by [RFC5280],
the SmtpUtf8Mailbox rules are modified to allow partial productions the SmtpUTF8Mailbox rules are modified to allow partial productions
to allow for additional forms required by Section 6. Name to allow for additional forms required by Section 6. Name
constraints may specify a complete email address, host name, or constraints may specify a complete email address, host name, or
domain. This means that the local-part may be missing, and domain domain. This means that the local-part may be missing, and domain
partially specified. partially specified.
SmtpUtf8Name is encoded as UTF8String. The UTF8String encoding MUST SmtpUTF8Name is encoded as UTF8String. The UTF8String encoding MUST
NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid consistency
across implementations particularly for comparison. across implementations particularly for comparison.
4. IDNA2008 4. IDNA2008
To facilitate comparison between email addresses, all email address To facilitate comparison between email addresses, all email address
domain in X.509 certificates MUST conform to IDNA2008 [RFC5890]. domain in X.509 certificates MUST conform to IDNA2008 [RFC5890].
Otherwise non-conforming email address domains introduces the Otherwise non-conforming email address domains introduces the
possibility of conversion errors between alternate forms. This possibility of conversion errors between alternate forms. This
applies to SmtpUtf8Mailbox and rfc822Name in subjectAltName, applies to SmtpUTF8Mailbox and rfc822Name in subjectAltName,
issuerAltName and anywhere else that GeneralName is used. issuerAltName and anywhere else that GeneralName is used.
5. Matching of Internationalized Email Addresses in X.509 certificates 5. Matching of Internationalized Email Addresses in X.509 certificates
In equivalence comparison with SmtpUtf8Name, there may be some setup In equivalence comparison with SmtpUTF8Name, there may be some setup
work to enable the comparison i.e. processing of the SmtpUtf8Name work to enable the comparison i.e. processing of the SmtpUTF8Name
content or the email address that is being compared against. The content or the email address that is being compared against. The
process for setup for comparing with SmtpUtf8Name is split into process for setup for comparing with SmtpUTF8Name is split into
domain steps and local-part steps. The comparison form for local- domain steps and local- part steps. The comparison form for local-
part always is UTF-8. The comparison form for domain depends on part always is UTF-8. The comparison form for domain depends on
context. While some contexts such as certificate path validation in context. While some contexts such as certificate path validation in
[RFC5280] specify transforming domain to A-label, this document [RFC5280] specify transforming domain to A-label, this document
RECOMMENDS transforming to UTF-8 U-label instead. This reduces the RECOMMENDS transforming to UTF-8 U-label instead. This reduces the
likelihood of errors by reducing conversions as more implementations likelihood of errors by reducing conversions as more implementations
natively support U-label domains. natively support U-label domains.
Comparison of two SmtpUtf8Name can be straightforward. No setup work Comparison of two SmtpUTF8Name is straightforward with no setup work
is needed and it can be an octet for octet comparison. For other needed. They are considered equivalent if there is an exact octet-
email address forms such as Internationalized email address or for-octet match. Comparison with other email address forms such as
rfc822Name, the comparison requires additional setup to convert the Internationalized email address or rfc822Name requires additional
format for comparison. Domain setup is particularly important for setup steps. Domain setup is particularly important for forms that
forms that may contain A- or U-label such as International email may contain A- or U-label such as International email address, or
address, or A-label only forms such as rfc822Name. This document A-label only forms such as rfc822Name. This document specifies the
specifies the process to transform the domain to U-label. (To process to transform the domain to U-label. (To convert the domain
convert the domain to A-label, follow the process specified in to A-label, follow the process specified in section 7.5 and 7.2 in
section 7.5 and 7.2 in [RFC5280]) The first step is to detect A-label [RFC5280]) The first step is to detect A-label by using section 5.1
by using section 5.1 of [RFC5891]. Next if necessary, transform the of [RFC5891]. Next if necessary, transform the A-label to U-label
A-label to U-label Unicode as specified in section 5.2 of [RFC5891]. Unicode as specified in section 5.2 of [RFC5891]. Finally if
Finally if necessary convert the Unicode to UTF-8 as specified in necessary convert the Unicode to UTF-8 as specified in section 3 of
section 3 of [RFC3629]. For ASCII NR-LDH labels, upper case letters [RFC3629]. For ASCII NR-LDH labels, upper case letters are converted
are converted to lower case letters. In setup for SmtpUtf8Mailbox, to lower case letters. In setup for SmtpUTF8Mailbox, the email
the email address local-part MUST conform to the requirements of address local-part MUST conform to the requirements of [RFC6530] and
[RFC6530] and [RFC6531], including already being a string in UTF-8 [RFC6531], including being a string in UTF-8 form. In particular,
form. In particular, the local-part MUST NOT be transformed in any the local-part MUST NOT be transformed in any way, such as by doing
way, such as by doing case folding or normalization of any kind. The case folding or normalization of any kind. The <Local-part> part of
<Local-part> part of an Internationalized email address is already in an Internationalized email address is already in UTF-8. For
UTF-8. For rfc822Name the local-part, which is IA5String (ASCII), rfc822Name the local-part, which is IA5String (ASCII), trivially maps
trivially maps to UTF-8 without change. Once setup is completed, to UTF-8 without change. Once setup is complete, they are again
comparison is again checking for octet for octet equivalence. compared octet-for-octet.
To summarize non-normatively the domain setup steps are: To summarize non-normatively, the comparison steps including setup
are:
1. if the domain contains A-labels, transform them to U-label 1. If the domain contains A-labels, transform them to U-label.
2. if the domain contains ASCII NR-LDH labels, lowercase them 2. If the domain contains ASCII NR-LDH labels, lowercase them.
This enables an octet for octet comparison. 3. Ensure local-part is UTF-8.
4. Compare strings octet-for-octet for equivalence.
This specification expressly does not define any wildcards characters This specification expressly does not define any wildcards characters
and SmtpUtf8Name comparison implementations MUST NOT interpret any and SmtpUTF8Name comparison implementations MUST NOT interpret any
character as wildcards. Instead, to specify multiple specifying character as wildcards. Instead, to specify multiple email addresses
multiple email addresses through SmtpUtf8Name, the certificate should through SmtpUTF8Name, the certificate SHOULD use multiple
use multiple subjectAltNames or issuerAltNames to explicitly carry subjectAltNames or issuerAltNames to explicitly carry those email
those email addresses. addresses.
6. Name constraints in path validation 6. Name constraints in path validation
This section defines use of SmtpUtf8Name name for name constraints. This section defines use of SmtpUTF8Name name for name constraints.
The format for SmtpUtf8Name in name constraints is identical to the The format for SmtpUTF8Name in name constraints is identical to the
use in subjectAltName as specified in Section 3 with the extension as use in subjectAltName as specified in Section 3 with the extension as
noted there for partial productions. noted there for partial productions.
Constraint comparison on complete email address with SmtpUtf8Name Constraint comparison on complete email address with SmtpUTF8Name
name uses the matching procedure defined by Section 5. As with name uses the matching procedure defined by Section 5. As with
rfc822Name name constraints as specified in Section 4.2.1.10 of rfc822Name name constraints as specified in Section 4.2.1.10 of
[RFC5280], SmtpUtf8Name name can specify a particular mailbox, all [RFC5280], SmtpUTF8Name name can specify a particular mailbox, all
addresses at a host, or all mailboxes in a domain by specifying the addresses at a host, or all mailboxes in a domain by specifying the
complete email address, a host name, or a domain. complete email address, a host name, or a domain. Name constraint
comparisons in the context of [RFC5280] that are specified with
SmtpUTF8Name name are only done on the subjectAltName SmtpUTF8Name
name and not on other forms. Similarly rfc822Name name constraints
do not apply to subjectAltName SmtpUTF8Name name. This imposes
requirements on the certificate issuer as described next.
Name constraint comparisons in the context [RFC5280] is specified When name constraints are used with SmtpUTF8Name subjectAltName
with SmtpUtf8Name name are only done on the subjectAltName (and names, they are specified in the following profile to prevent
issuerAltName) SmtpUtf8Name name, and says nothing more about bypassing of name constraints. Host name and domain constraints MUST
constraints on other email address forms such as rfc822Name. use both rfc822Name and SmtpUTF8Name forms in the issuing certificate
Consequently it may be necessary to include other name constraints with the constraint. Complete email address constraint with UTF-8
such as rfc822Name in addition to SmtpUtf8Name to constrain all local-part MUST only use SmtpUTF8Name form. Complete email address
potential email addresses. For example a domain with both ASCII and constraint with ASCII local-part MUST use both rfc822Name and
non-ASCII local-part email addresses may require both rfc822Name and SmtpUTF8Name forms. When both rfc822Name and SmtpUTF8Name name
SmtpUtf8Name name constraints. This can be illustrated in the constraints forms are present, they MUST carry the equivalent
following non-normative diagram Figure 1 which shows a name constraints as defined by Section 5 and MUST be found in the same
constraint set in the intermediate CA certificate, which then applies node and in the same permittedSubtrees or excludedSubtrees. This
to the children entity certificates. Note that a constraint on specification intentionally leaves unchanged rfc822Name name
rfc822Name does not apply to SmtpUtf8Name and vice versa as is shown constraint processing as described in Section 4.2.1.10 of [RFC5280].
in non-normative diagram Figure 2.
This document specifies that SmtpUTF8Name aware path validators check
for SmtpUTF8Name name constraint profiles as an additional path
validation step in Section 6 of [RFC5280]. SmtpUTF8Name aware
validators MUST NOT accept any certificate whose path contains an
issuing certificate whose rfc822Name or SmtpUTF8Name name constraints
do not match the above profile. That is the path validator verifies
that a rfc822Name name constraint has a corresponding SmtpUTF8Name
constraint and that a SmtpUTF8Name name constraint has a
corresponding rfc822Name constraint when the constraint contains host
name, domain or email address with an ASCII local-part. This
correspondence is required to be in the same issuing certificate node
and in the same nameConstraint permittedSubtrees or excludedSubtrees.
The name constraint requirement with SmtpUTF8Name subjectAltName is
illustrated in the following non-normative diagram Figure 1. This
show a SmtpUTF8Name aware issuer that constrained the intermediate CA
with host name and email address name constraints. In particular the
email address constraint with UTF8 local-part only used a single
SmtpUTF8Name name constraint, while the email address constraint with
ASCII local-part used both rfc822Name and SmtpUTF8Name name
constraints. The next non-normative diagram Figure 2 illustrates
legacy name constraints to contrasts the changes this document
specifies. The legacy approach has only a single rfc822Name name
email address name constraint.
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Name Constraint Extension | | Name Constraint Extension |
| Permitted | | Permitted |
| rfc822Name: allowed.example.com | | rfc822Name: allowed_host.example.com |
| SmtpUtf8Name: allowed.example.com | | SmtpUTF8Name: allowed_host.example.com |
| Excluded | | |
| rfc822Name: ignored.allowed.example.com | | SmtpUTF8Name: u+8001u+5E2B@allowed_email.example.com |
| |
| rfc822Name: student@allowed_email.example.com |
| SmtpUTF8Name: student@allowed_email.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) | | Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@allowed.example.com | | SmtpUTF8Name: u+533Bu+751F@allowed_host.example.com |
| SmtpUtf8Name: u+8001u+5E2B@allowed.example.com | | |
| SmtpUTF8Name: u+8001u+5E2B@allowed_email.example.com |
| |
| rfc822Name: student@allowed_email.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
Name constraints with SmtpUTF8Name
Figure 1 Figure 1
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Name Constraint Extension | | Name Constraint Extension |
| Permitted | | Permitted |
| rfc822Name: allowed.example.com | | rfc822Name: allowed_host.example.com |
| SmtpUtf8Name: allowed.example.com |
| Excluded |
| rfc822Name: ignored.allowed.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Entity Cert (w/permitted subject i.e. excluded rfc822Name | | Entity Cert (w/explicitly permitted subjects) |
| does not exclude SmtpUtf8Name) |
| SubjectAltName Extension | | SubjectAltName Extension |
| SmtpUtf8Name: u+4E0Du+5C0D@ignored.allowed.example.com | | rfc822Name: student@allowed_host.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
Legacy name constraints with rfc822Name
Figure 2 Figure 2
7. Deployment Considerations 7. Deployment Considerations
For email addresses whose local-part is ASCII it may be more For email addresses whose local-part is ASCII it may be more
reasonable to continue using rfc822Name instead of SmtpUtf8Name. The reasonable to continue using rfc822Name instead of SmtpUTF8Name. The
use of rfc822Name rather than SmtpUtf8Name is currently more likely use of rfc822Name rather than SmtpUTF8Name is currently more likely
to be supported. Also use of SmtpUtf8Name incurs higher byte to be supported. Also use of SmtpUTF8Name incurs higher byte
representation overhead due to encoding with otherName and the representation overhead due to encoding with otherName and the
additional OID needed. This may be offset if domain requires non- additional OID needed. This may be offset if domain requires non-
ASCII characters as smptUtf8Name supports U-label whereas rfc822Name ASCII characters as smptUtf8Name supports U-label whereas rfc822Name
supports A-label. This document RECOMMENDS using SmtpUtf8Name when supports A-label. This document RECOMMENDS using SmtpUTF8Name when
local-part contains non-ASCII characters, and otherwise rfc822Name. local-part contains non-ASCII characters, and otherwise rfc822Name.
8. Security Considerations 8. Security Considerations
Use for SmtpUtf8Name for certificate subjectAltName (and Use for SmtpUTF8Name for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations of issuerAltName) will incur many of the same security considerations of
Section 8 in [RFC5280] but is further complicated by permitting non- Section 8 in [RFC5280] but is further complicated by permitting non-
ASCII characters in the email address local-part. This complication, ASCII characters in the email address local-part. This complication,
as mentioned in Section 4.4 of [RFC5890] and in Section 4 of as mentioned in Section 4.4 of [RFC5890] and in Section 4 of
[RFC6532], is that use of Unicode introduces the risk of visually [RFC6532], is that use of Unicode introduces the risk of visually
similar and identical characters which can be exploited to deceive similar and identical characters which can be exploited to deceive
the recipient. The former document references some means to mitigate the recipient. The former document references some means to mitigate
against these attacks. against these attacks.
9. IANA Considerations 9. IANA Considerations
This document makes use of object identifiers for the SmtpUtf8Name in Section Section 3 and the ASN.1 module identifier defined in
defined in Section Section 3 and the ASN.1 module identifier defined Section Appendix A. IANA is kindly requested to make the following
in Section Appendix A. IANA is kindly requested to make the assignments for:
following assignments for:
The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for
PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).
The SmtpUtf8Name otherName in the "PKIX Other Name Forms" registry The SmtpUTF8Name otherName in the "PKIX Other Name Forms" registry
(1.3.6.1.5.5.7.8). (1.3.6.1.5.5.7.8).
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 9, line 31 skipping to change at page 10, line 31
10.2. Informative References 10.2. Informative References
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, DOI 10.17487/RFC5912, June 2010,
<http://www.rfc-editor.org/info/rfc5912>. <http://www.rfc-editor.org/info/rfc5912>.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the SmtpUtf8Name The following ASN.1 module normatively specifies the SmtpUTF8Name
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
[RFC5912] with the 2002 ASN.1 notation used in that document. [RFC5912] with the 2002 ASN.1 notation used in that document.
[RFC5912] updates normative documents using older ASN.1 notation. [RFC5912] updates normative documents using older ASN.1 notation.
LAMPS-EaiAddresses-2016 LAMPS-EaiAddresses-2016
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-lamps-eai-addresses-2016(TBD) } id-mod-lamps-eai-addresses-2016(TBD) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
skipping to change at page 10, line 31 skipping to change at page 11, line 31
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ;
-- --
-- otherName carries additional name types for subjectAltName, -- otherName carries additional name types for subjectAltName,
-- issuerAltName, and other uses of GeneralNames. -- issuerAltName, and other uses of GeneralNames.
-- --
id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on OBJECT IDENTIFIER ::= { id-pkix 8 }
SmtpUtf8OtherNames OTHER-NAME ::= { on-smtpUtf8Name, ... } SmtpUtf8OtherNames OTHER-NAME ::= { on-SmtpUTF8Name, ... }
on-smtpUtf8Name OTHER-NAME ::= { on-SmtpUTF8Name OTHER-NAME ::= {
SmtpUtf8Name IDENTIFIED BY id-on-smtpUtf8Name SmtpUTF8Name IDENTIFIED BY id-on-SmtpUTF8Name
} }
id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUtf8Name ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Name ::= UTF8String (SIZE (1..MAX))
END END
Figure 3 Figure 3
Appendix B. Example of SmtpUtf8Name Appendix B. Example of SmtpUTF8Name
This non-normative example demonstrates using SmtpUtf8Name as an This non-normative example demonstrates using SmtpUTF8Name as an
otherName in GeneralName to encode the email address otherName in GeneralName to encode the email address
"u+8001u+5E2B@example.com". "u+8001u+5E2B@example.com".
The hexidecimal DER encoding of the email address is: The hexadecimal DER encoding of the email address is:
A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861
6D706C65 2E636F6D 6D706C65 2E636F6D
The text decoding is: The text decoding is:
0 34: [0] { 0 34: [0] {
2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9'
14 20: [0] { 14 20: [0] {
16 18: UTF8String '..@example.com' 16 18: UTF8String '..@example.com'
: } : }
: } : }
 End of changes. 47 change blocks. 
124 lines changed or deleted 164 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/