draft-ietf-lamps-eai-addresses-08.txt   draft-ietf-lamps-eai-addresses-09.txt 
LAMPS A. Melnikov, Ed. LAMPS A. Melnikov, Ed.
Internet-Draft Isode Ltd Internet-Draft Isode Ltd
Intended status: Standards Track W. Chuang, Ed. Intended status: Standards Track W. Chuang, Ed.
Expires: September 13, 2017 Google, Inc. Expires: October 17, 2017 Google, Inc.
March 12, 2017 April 15, 2017
Internationalized Email Addresses in X.509 certificates Internationalized Email Addresses in X.509 certificates
draft-ietf-lamps-eai-addresses-08 draft-ietf-lamps-eai-addresses-09
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name and Issuer Alternate Name field of an X.509 Subject Alternative Name and Issuer Alternate Name
extension that allows a certificate subject to be associated with an extension that allows a certificate subject to be associated with an
Internationalized Email Address. Internationalized Email Address.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2017. This Internet-Draft will expire on October 17, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2
4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Matching of Internationalized Email Addresses in X.509 5. Matching of Internationalized Email Addresses in X.509
certificates . . . . . . . . . . . . . . . . . . . . . . . . 4 certificates . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Name constraints in path validation . . . . . . . . . . . . . 5 6. Name constraints in path validation . . . . . . . . . . . . . 5
7. Deployment Considerations . . . . . . . . . . . . . . . . . . 10 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 9.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 9.2. Informative References . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 11 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 10
Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 13 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 11
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
[RFC5280] defines rfc822Name subjectAltName choice for representing [RFC5280] defines rfc822Name subjectAltName choice for representing
[RFC5321] email addresses. This form is restricted to a subset of [RFC5321] email addresses. This form is restricted to a subset of
US-ASCII characters and thus can't be used to represent US-ASCII characters and thus can't be used to represent
Internationalized Email addresses [RFC6531]. To facilitate use of Internationalized Email addresses [RFC6531]. To facilitate use of
these Internationalized Email addresses with X.509 certificates, this these Internationalized Email addresses with X.509 certificates, this
document specifies a new name form in otherName so that document specifies a new name form in otherName so that
subjectAltName and issuerAltName can carry them. In addition this subjectAltName and issuerAltName can carry them. In addition this
skipping to change at page 3, line 43 skipping to change at page 3, line 41
that encode ASCII character labels SHALL use NR-LDH restrictions as that encode ASCII character labels SHALL use NR-LDH restrictions as
specified by section 2.3.1 of [RFC5890] and SHALL be restricted to specified by section 2.3.1 of [RFC5890] and SHALL be restricted to
lower case letters. One suggested approach to apply these sub- lower case letters. One suggested approach to apply these sub-
domains restriction is to restrict sub-domain so that labels not domains restriction is to restrict sub-domain so that labels not
start with two letters followed by two hyphen-minus characters. start with two letters followed by two hyphen-minus characters.
Consistent with the treatment of rfc822Name in [RFC5280], Consistent with the treatment of rfc822Name in [RFC5280],
SmtpUTF8Name is an envelope <Mailbox> and has no phrase (such as a SmtpUTF8Name is an envelope <Mailbox> and has no phrase (such as a
common name) before it, has no comment (text surrounded in common name) before it, has no comment (text surrounded in
parentheses) after it, and is not surrounded by "<" and ">". parentheses) after it, and is not surrounded by "<" and ">".
In the context of building name constraint as needed by [RFC5280], Due to operational reasons described shortly and name constraint
the SmtpUTF8Mailbox rules are modified to allow partial productions compatibility reasons described in its section, SmtpUTF8Name
to allow for additional forms required by Section 6. Name subjectAltName MUST only be used when the local part of the email
constraints may specify a complete email address, host name, or address contains UTF-8. When the local-part is ASCII, rfc822Name
domain. This means that the local-part may be missing, and domain subjectAltName MUST be used instead of SmtpUTF8Name. The use of
partially specified. rfc822Name rather than SmtpUTF8Name is currently more likely to be
supported. Also use of SmtpUTF8Name incurs higher byte
representation overhead due to encoding with otherName and the
additional OID needed. This may be offset if domain requires non-
ASCII characters as SmtpUTF8Name supports U-label whereas rfc822Name
supports A-label.
SmtpUTF8Name is encoded as UTF8String. The UTF8String encoding MUST SmtpUTF8Name is encoded as UTF8String. The UTF8String encoding MUST
NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid consistency NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid consistency
across implementations particularly for comparison. across implementations particularly for comparison.
4. IDNA2008 4. IDNA2008
To facilitate comparison between email addresses, all email address To facilitate comparison between email addresses, all email address
domain in X.509 certificates MUST conform to IDNA2008 [RFC5890]. domain in X.509 certificates MUST conform to IDNA2008 [RFC5890].
Otherwise non-conforming email address domains introduces the Otherwise non-conforming email address domains introduces the
skipping to change at page 5, line 27 skipping to change at page 5, line 27
This specification expressly does not define any wildcards characters This specification expressly does not define any wildcards characters
and SmtpUTF8Name comparison implementations MUST NOT interpret any and SmtpUTF8Name comparison implementations MUST NOT interpret any
character as wildcards. Instead, to specify multiple email addresses character as wildcards. Instead, to specify multiple email addresses
through SmtpUTF8Name, the certificate SHOULD use multiple through SmtpUTF8Name, the certificate SHOULD use multiple
subjectAltNames or issuerAltNames to explicitly carry those email subjectAltNames or issuerAltNames to explicitly carry those email
addresses. addresses.
6. Name constraints in path validation 6. Name constraints in path validation
This section defines use of SmtpUTF8Name name for name constraints. This section updates [RFC5280] name constraints to work with
The format for SmtpUTF8Name in name constraints is identical to the SmtpUTF8Name subjectAltName. In the following, a CA or path verifier
use in subjectAltName as specified in Section 3 with the extension as implementation that follows this specification is called SmtpUTF8Name
noted there for partial productions. aware.
Constraint comparison on complete email address with SmtpUTF8Name
name uses the matching procedure defined by Section 5. As with
rfc822Name name constraints as specified in Section 4.2.1.10 of
[RFC5280], SmtpUTF8Name name can specify a particular mailbox, all
addresses at a host, or all mailboxes in a domain by specifying the
complete email address, a host name, or a domain. Name constraint
comparisons in the context of [RFC5280] that are specified with
SmtpUTF8Name name are only done on the subjectAltName SmtpUTF8Name
name and not on other forms. Similarly rfc822Name name constraints
do not apply to subjectAltName SmtpUTF8Name name. This imposes
requirements on the certificate issuer as described next.
When name constraints are used with SmtpUTF8Name subject alternative
names, the constraints are specified by the following changes to the
path validator to prevent bypass of the name constraints. The email
address path validator in Section 6 of [RFC5280] is modified to
consider:
1. When neither rfc822Name nor SmtpUTF8Name name constraints are
present in any issuer CA certificate, then path validation does
not add restrictions on children certificates with rfc822Name or
SmtpUTF8Name subject alternative names. That is any combination
of rfc822Name or SmtpUTF8Name subject alternative names may be
present.
2. If issuer CA certificates contain only rfc822Name name
constraints, then those constraints apply to rfc822Name subject
alternative name in children certificates. SmtpUTF8Name subject
alternative name are prohibited in those same certificates, that
is those certificates MUST be rejected by the path verifier.
3. When both rfc822Name and SmtpUTF8Name name constraints are SmtpUTF8Name aware path validators MUST be able to apply name
present in all issuer CA certificates that have either form, then constraint to the subject distinguished name and both forms of
the path verifier applies the constraint of the subject subject alternative name. That is rfc822Name name constraint applies
alternative name form in children certificates. This allows any to emailAddress subject distinguished name, and to SmtpUTF8Name and
combination of rfc822Name or SmtpUTF8Name subject alternative rfc822Name subject alternative name, as mentioned in Section 4.2.1.10
names to be present and implies that the issuer has applied of [RFC5280]. Constraint comparison with SmtpUTF8Name subjectAltName
appropriate name constraints. While commonly the alternative uses the matching procedure defined by Section 5 including any setup
forms will be equivalent, they need not be, as the forms can steps. The lack of a SmtpUTF8Name name constraint form is
represent features not present in its counterpart. One instance intentional and motivated as described next.
of this is when the issuer wants to name constrain domain or
hostname using the rules of a particular form.
4. If some issuer CA certificates contain only SmtpUTF8Name name This specification requires that SmtpUTF8Name aware CAs continue to
constraints, then those are at risk of bypass with rfc822Name issue certificates with rfc822Name name constraints form due to
subject alternative names when processed by legacy verifiers. To compatibility concerns with legacy systems. Using rfc822Name name
prevent this, issuers MUST also publish rfc822Name name constraints allows backwards compatibility with legacy path verifiers
constraint that prevent those bypasses. This occurs when both that only understand rfc822Name form, yet is forward compatible by
rfc822Name and SmtpUTF8Name constraint forms can represents the being able to describe the intent of the CA to constrain both
same host, domain or email address, and both are needed. Even rfc822Name and SmtpUTF8Name subjectAltName to SmtpUTF8Name aware path
when the constraints are asymmetric such as when the issuer verifiers. Oblivious legacy path verifier will not see the
wishes to constrain an email address with an UTF-8 local part, a SmtpUTF8Name subjectAltName (nor the unknown otherNames), and thereby
non empty rfc822Name name constraint may be needed if there isn't prevent the use of an unconstrained SmtpUTF8Name subjectAltName.
one already so that the path verifier initializes correctly.
When both name constraints are present, the contents depends on the Other implementations may detect an unknown otherNames, along with
usage. If the issuer desires to represent the same NR-LDH host or the critical bit set on the name constraints extension and then fail
domain, then it is the same string in both rfc822Name and path verification. This too prevents use of an unconstrained
SmtpUTF8Name. If the host or domain labels contain UTF-8, then the SmtpUTF8Name subjectAltName. A legacy CA will use rfc822Name name
labels may be used directly in SmtpUTF8Name noting the restriction in constraints. As the CA's intent is to constrain all email addresses
Section 5 and transformed to A-label for rfc822Name using the process matching the constraint, this will be forward compatible with a
described in [RFC5280]. Email addresses that use ASCII local-part SmtpUTF8Name aware path verifiers that applies the name constraint to
use the same processing procedures for host or domain. either forms rfc822Name and SmtpUTF8Name subjectAltName.
If the issuer wishes to represent the name constraint asymmetrically, The representation of name constraints are specified in
with either rfc822Name or SmtpUTF8Name to respectively represent some Section 4.2.1.10 of [RFC5280] and there MAY represent a particular
A-label or U-label in the domain or host, the alternate name mailbox, all addresses at a host, or all mailboxes in a domain by
constraint form must still be present. If nothing needs be specifying the complete email address, a host name, or a domain.
represented by the alternate form, then empty name constraint can This specification modifies [RFC5280] name constraint to only require
described by the "invalid" TLD that helps initialize the name with a MAY that it represents all addresses at a host or all
constraint path validation set. Or alternatively it may be omitted mailboxes in a domain, and require with a MAY NOT that it represent a
if some other name constraint pair, provides a name constraint of particular mailbox. This is motivated by rfc822Name name constraints
that form. In particular this initialization may be needed when inability to represent a specific mailbox with a UTF-8 email local
SmtpUTF8Name is used to represent an email address name constraint part email address. Certificate issuers should be aware of this
with an UTF-8 local-part and rfc822Name cannot represent such a email lessened support.
address constraint.
The name constraint requirement with SmtpUTF8Name subject alternative The name constraint requirement with SmtpUTF8Name subject alternative
name is illustrated in the non-normative diagram Figure 1 with name is illustrated in the non-normative diagram Figure 1. The first
several examples. (3a) shows an issuer constraining a NR-LDH example (1) illustrates a permitted rfc822Name ASCII only hostname
hostname with rfc822Name and SmtpUTF8Name so that they can issue name constraint, and the corresponding valid rfc822Name
ASCII and UTF-8 local-name email addresses certificates. (3b) shows subjectAltName and SmtpUTF8Name subjectAltName email addresses. The
an issuer constraining a hostname containing a non-ASCII label for second example (2) illustrates a permitted rfc822Name hostname name
u+5C0Fu+5B66 (elementary school). (3c) demonstrates that a hostname constraint with A-label, and the corresponding valid rfc822Name
constraint with an rfc822Name is distinguishable from its subjectAltName and SmtpUTF8Name subjectAltName email addresses.
SmtpUTF8Name constraint, and that only the rfc822Name form is
permitted. No 'invalid' SmtpUTF8Name constraint is needed since
other SmtpUTF8Name constraints are present. (3d) similarly
demonstrates this capability to restrict a name constraint to
SmtpUTF8Name only. (3e) shows that a non-ASCII local- part email
address can also be constrained to be permitted using SmtpUTF8Name.
It too does not need an 'invalid' rfc822Name as other rfc822Name
constrains are present. Diagram Figure 2 illustrates (non-
normatively) a different certificate chain that does need the
'invalid' name constraint. (3f) constrains a non-ASCII local-part
email address using a SmtpUTF8Name name constraint but requires a
rfc822Name 'invalid' constraint because it lacks any other rfc822Name
constraints needed to initialize the name constraint path
verification. The next non-normative diagram Figure 3 illustrates
legacy name constraints that contrasts the changes this document
specifies. The legacy approach (2) has only a single rfc822Name name
email address name constraint.
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Permitted | | Permitted |
| rfc822Name: nr.ldh.host.example.com (3a) | | rfc822Name: elementary.school.example.com (1) |
| SmtpUTF8Name: nr.ldh.host.example.com (3a) |
| |
| rfc822Name: u+5C0Fu+5B66.host.example.com (3b) |
| SmtpUTF8Name: xn--48s3o.host.example.com (3b) |
| |
| rfc822Name: xn--pss25c.a.label.example.com (3c) |
| | | |
| SmtpUTF8Name: u+4E2Du+5B66.u.label.example.com (3d) | | rfc822Name: xn--pss25c.example.com (2) |
| | | |
| SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3e) |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) | | Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@nr.ldh.host.example.com (3a) | | rfc822Name: student@elemenary.school.example.com (1) |
| SmtpUTF8Name: u+5B66u+751F@nr.ldh.host.example.com (3a) | | SmtpUTF8Name: u+5B66u+751F@elementary.school.example.com (1) |
| |
| rfc822Name: student@u+5C0Fu+5B66.host.example.com (3b) |
| SmtpUTF8Name: u+5B66u+751F@xn--48s3o.host.example.com (3b) |
| |
| rfc822Name: student@xn--pss25c.a.label.example.com (3c) |
| | | |
| SmtpUTF8Name: student@u+4E2Du+5B66.u.label.example.com (3d) | | rfc822Name: student@xn--pss25c.example.com (2) |
| SmtpUTF8Name: u+533Bu+751F@xn--pss25c.example.com (2) |
| | | |
| SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3e) |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
Name constraints with SmtpUTF8Name and rfc822Name Name constraints with SmtpUTF8Name and rfc822Name
Figure 1 Figure 1
+-------------------------------------------------------------------+ 7. Security Considerations
| Root CA Cert |
+-------------------------------------------------------------------+
|
v
+-------------------------------------------------------------------+
| Intermediate CA Cert |
| Name Constraint Extension |
| Permitted |
| rfc822Name: invalid (3f) |
| SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3f) |
+-------------------------------------------------------------------+
|
v
+-------------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension |
| SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3f) |
+-------------------------------------------------------------------+
Name constraints with SmtpUTF8Name email address and empty rfc822Name
Figure 2
+-------------------------------------------------------------------+
| Root CA Cert |
+-------------------------------------------------------------------+
|
v
+-------------------------------------------------------------------+
| Intermediate CA Cert |
| Name Constraint Extension |
| Permitted |
| rfc822Name: student@email.example.com (2) |
+-------------------------------------------------------------------+
|
v
+-------------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension |
| rfc822Name: student@email.example.com (2) |
+-------------------------------------------------------------------+
Legacy name constraints with rfc822Name
Figure 3
7. Deployment Considerations
For email addresses whose local-part is ASCII it may be more
reasonable to continue using rfc822Name instead of SmtpUTF8Name. The
use of rfc822Name rather than SmtpUTF8Name is currently more likely
to be supported. Also use of SmtpUTF8Name incurs higher byte
representation overhead due to encoding with otherName and the
additional OID needed. This may be offset if domain requires non-
ASCII characters as SmtpUTF8Name supports U-label whereas rfc822Name
supports A-label. This document RECOMMENDS using SmtpUTF8Name when
local-part contains non-ASCII characters, and otherwise rfc822Name.
8. Security Considerations
Use for SmtpUTF8Name for certificate subjectAltName (and Use for SmtpUTF8Name for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations of issuerAltName) will incur many of the same security considerations of
Section 8 in [RFC5280] but is further complicated by permitting non- Section 8 in [RFC5280] but is further complicated by permitting non-
ASCII characters in the email address local-part. This complication, ASCII characters in the email address local-part. This complication,
as mentioned in Section 4.4 of [RFC5890] and in Section 4 of as mentioned in Section 4.4 of [RFC5890] and in Section 4 of
[RFC6532], is that use of Unicode introduces the risk of visually [RFC6532], is that use of Unicode introduces the risk of visually
similar and identical characters which can be exploited to deceive similar and identical characters which can be exploited to deceive
the recipient. The former document references some means to mitigate the recipient. The former document references some means to mitigate
against these attacks. against these attacks.
9. IANA Considerations 8. IANA Considerations
in Section Section 3 and the ASN.1 module identifier defined in in Section Section 3 and the ASN.1 module identifier defined in
Section Appendix A. IANA is kindly requested to make the following Section Appendix A. IANA is kindly requested to make the following
assignments for: assignments for:
The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for
PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).
The SmtpUTF8Name otherName in the "PKIX Other Name Forms" registry The SmtpUTF8Name otherName in the "PKIX Other Name Forms" registry
(1.3.6.1.5.5.7.8). (1.3.6.1.5.5.7.8).
10. References 9. References
10.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <http://www.rfc-editor.org/info/rfc3629>. 2003, <http://www.rfc-editor.org/info/rfc3629>.
skipping to change at page 11, line 42 skipping to change at page 9, line 13
February 2012, <http://www.rfc-editor.org/info/rfc6530>. February 2012, <http://www.rfc-editor.org/info/rfc6530>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<http://www.rfc-editor.org/info/rfc6531>. <http://www.rfc-editor.org/info/rfc6531>.
[RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized [RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized
Email Headers", RFC 6532, DOI 10.17487/RFC6532, February Email Headers", RFC 6532, DOI 10.17487/RFC6532, February
2012, <http://www.rfc-editor.org/info/rfc6532>. 2012, <http://www.rfc-editor.org/info/rfc6532>.
10.2. Informative References 9.2. Informative References
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, DOI 10.17487/RFC5912, June 2010,
<http://www.rfc-editor.org/info/rfc5912>. <http://www.rfc-editor.org/info/rfc5912>.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the SmtpUTF8Name The following ASN.1 module normatively specifies the SmtpUTF8Name
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
skipping to change at page 12, line 50 skipping to change at page 10, line 43
on-SmtpUTF8Name OTHER-NAME ::= { on-SmtpUTF8Name OTHER-NAME ::= {
SmtpUTF8Name IDENTIFIED BY id-on-SmtpUTF8Name SmtpUTF8Name IDENTIFIED BY id-on-SmtpUTF8Name
} }
id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUTF8Name ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Name ::= UTF8String (SIZE (1..MAX))
END END
Figure 4 Figure 2
Appendix B. Example of SmtpUTF8Name Appendix B. Example of SmtpUTF8Name
This non-normative example demonstrates using SmtpUTF8Name as an This non-normative example demonstrates using SmtpUTF8Name as an
otherName in GeneralName to encode the email address otherName in GeneralName to encode the email address
"u+8001u+5E2B@example.com". "u+8001u+5E2B@example.com".
The hexadecimal DER encoding of the email address is: The hexadecimal DER encoding of the email address is:
A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861
6D706C65 2E636F6D 6D706C65 2E636F6D
The text decoding is: The text decoding is:
0 34: [0] { 0 34: [0] {
2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9'
14 20: [0] { 14 20: [0] {
16 18: UTF8String '..@example.com' 16 18: UTF8String '..@example.com'
: } : }
: } : }
Figure 5 Figure 3
The example was encoded on the OSS Nokalva ASN.1 Playground and the The example was encoded on the OSS Nokalva ASN.1 Playground and the
above text decoding is an output of Peter Gutmann's "dumpasn1" above text decoding is an output of Peter Gutmann's "dumpasn1"
program. program.
Appendix C. Acknowledgements Appendix C. Acknowledgements
Thank you to Magnus Nystrom for motivating this document. Thanks to Thank you to Magnus Nystrom for motivating this document. Thanks to
Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean
Leonard, Sean Turner, John Levine, and Patrik Falstrom for their Leonard, Sean Turner, John Levine, and Patrik Falstrom for their
skipping to change at page 14, line 4 skipping to change at page 11, line 42
Authors' Addresses Authors' Addresses
Alexey Melnikov (editor) Alexey Melnikov (editor)
Isode Ltd Isode Ltd
14 Castle Mews 14 Castle Mews
Hampton, Middlesex TW12 2NP Hampton, Middlesex TW12 2NP
UK UK
Email: Alexey.Melnikov@isode.com Email: Alexey.Melnikov@isode.com
Weihaw Chuang (editor) Weihaw Chuang (editor)
Google, Inc. Google, Inc.
1600 Amphitheatre Parkway 1600 Amphitheater Parkway
Mountain View, CA 94043 Mountain View, CA 94043
US US
Email: weihaw@google.com Email: weihaw@google.com
 End of changes. 26 change blocks. 
206 lines changed or deleted 88 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/