draft-ietf-lamps-eai-addresses-02.txt   draft-ietf-lamps-eai-addresses-03.txt 
LAMPS A. Melnikov, Ed. LAMPS A. Melnikov, Ed.
Internet-Draft Isode Ltd Internet-Draft Isode Ltd
Intended status: Standards Track W. Chuang, Ed. Intended status: Standards Track W. Chuang, Ed.
Expires: May 4, 2017 Google, Inc. Expires: June 12, 2017 Google, Inc.
October 31, 2016 December 9, 2016
Internationalized Email Addresses in X.509 certificates Internationalized Email Addresses in X.509 certificates
draft-ietf-lamps-eai-addresses-02 draft-ietf-lamps-eai-addresses-03
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name extension that allows a field of an X.509 Subject Alternative Name and Issuer Alternate Name
certificate subject to be associated with an Internationalized Email extension that allows a certificate subject to be associated with an
Address. Internationalized Email Address.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2017. This Internet-Draft will expire on June 12, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 13
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2
4. Matching of Internationalized Email Addresses in X.509 4. Matching of Internationalized Email Addresses in X.509
certificates . . . . . . . . . . . . . . . . . . . . . . . . 3 certificates . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Name constraints in path validation . . . . . . . . . . . . . 4 5. Name constraints in path validation . . . . . . . . . . . . . 4
6. Resource Considerations . . . . . . . . . . . . . . . . . . . 6 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.1. Normative References . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . 6
9.2. Informative References . . . . . . . . . . . . . . . . . 8 9.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 9 Appendix B. Example of smtpUtf8Name . . . . . . . . . . . . . . 9
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
[RFC5280] defines rfc822Name subjectAltName choice for representing [RFC5280] defines rfc822Name subjectAltName choice for representing
[RFC5322] email addresses. This form is restricted to a subset of [RFC5322] email addresses. This form is restricted to a subset of
US-ASCII characters and thus can't be used to represent US-ASCII characters and thus can't be used to represent
Internationalized Email addresses [RFC6531]. To fascilitate use of Internationalized Email addresses [RFC6531]. To facilitate use of
these Internationalized Email addresses with X.509 certificates, this these Internationalized Email addresses with X.509 certificates, this
document specifies a new name form in otherName so that document specifies a new name form in otherName so that
subjectAltName and issuerAltName can carry them. subjectAltName and issuerAltName can carry them.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234] The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234]
notation. notation.
3. Name Definitions 3. Name Definitions
The GeneralName structure is defined in [RFC5280], and supports many The GeneralName structure is defined in [RFC5280], and supports many
different names forms including otherName for extensibility. This different names forms including otherName for extensibility. This
section specifies the smtputf8Name name form of otherName, so that section specifies the smtpUtf8Name name form of otherName, so that
Internationalized Email addresses can appear in the subjectAltName of Internationalized Email addresses can appear in the subjectAltName of
a certificate, the issuerAltName of a certificate, or anywhere else a certificate, the issuerAltName of a certificate, or anywhere else
that GeneralName is used. that GeneralName is used.
id-on-smtputf8Name OBJECT IDENTIFIER ::= { id-on TBD } id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 }
Smtputf8Name ::= UTF8String (SIZE (1..MAX)) smtpUtf8Name ::= UTF8String (SIZE (1..MAX))
When the subjectAltName (or issuerAltName) extension contains an When the subjectAltName (or issuerAltName) extension contains an
Internationalized Email address, the address MUST be stored in the Internationalized Email address, the address MUST be stored in the
smtputf8Name name form of otherName. The format of smtputf8Name is smtpUtf8Name name form of otherName. The format of smtpUtf8Name is
defined as the ABNF rule smtputf8Mailbox. smtputf8Mailbox is a defined as the ABNF rule smtputf8Mailbox. smtputf8Mailbox is a
modified version of the Internationalized Mailbox which is defined in modified version of the Internationalized Mailbox which is defined in
Section 3.3 of [RFC6531] which is itself derived from SMTP Mailbox Section 3.3 of [RFC6531] which is itself derived from SMTP Mailbox
from Section 4.1.2 of [RFC5321]. [RFC6531] defines the following from Section 4.1.2 of [RFC5321]. [RFC6531] defines the following
ABNF rules for Mailbox whose parts are modified for ABNF rules for Mailbox whose parts are modified for
internationalization: <Local-part>, <Dot-string>, <Quoted-string>, internationalization: <Local-part>, <Dot-string>, <Quoted-string>,
<QcontentSMTP>, <Domain>, and <Atom>. In particular <Local-part> was <QcontentSMTP>, <Domain>, and <Atom>. In particular, <Local-part>
updated to also support UTF8-non-ascii. UTF8-non-ascii is described was updated to also support UTF8-non-ascii. UTF8-non-ascii is
by Section 3.1 of [RFC6532]. Also sub-domain is extended to support described by Section 3.1 of [RFC6532]. Also, sub-domain is extended
U-label, as defined in [RFC5890] to support U-label, as defined in [RFC5890]
This document further refines Internationalized [RFC6531] Mailbox This document further refines Internationalized [RFC6531] Mailbox
ABNF rules and calls this smtputf8Mailbox. In smtputf8Mailbox, sub- ABNF rules and calls this smtputf8Mailbox. In smtputf8Mailbox, sub-
domain that encode non-ascii characters SHALL use U-label Unicode domain that encode non-ascii characters SHALL use U-label Unicode
native character labels and MUST NOT use A-label [RFC5890]. This native character labels and MUST NOT use A-label [RFC5890]. This
restriction prevents having to determine which label encoding A- or restriction prevents having to determine which label encoding A- or
U-label is present in the Domain. As per Section 2.3.2.1 of U-label is present in the Domain. As per Section 2.3.2.1 of
[RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and [RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and
other properties specified there. In smtputf8Mailbox, sub-domain other properties specified there. In smtputf8Mailbox, sub-domain
that encode solely ASCII character labels SHALL use NR-LDH that encode solely ASCII character labels SHALL use NR-LDH
skipping to change at page 3, line 41 skipping to change at page 3, line 41
no comment (text surrounded in parentheses) after it, and is not no comment (text surrounded in parentheses) after it, and is not
surrounded by "<" and ">". surrounded by "<" and ">".
In the context of building name constraint as needed by [RFC5280], In the context of building name constraint as needed by [RFC5280],
the smtputf8Mailbox rules are modified to allow partial productions the smtputf8Mailbox rules are modified to allow partial productions
to allow for additional forms required by Section 5. Name to allow for additional forms required by Section 5. Name
constraints may specify a complete email address, host name, or constraints may specify a complete email address, host name, or
domain. This means that the local-part may be missing, and domain domain. This means that the local-part may be missing, and domain
partially specified. partially specified.
smtputf8Name is encoded as UTF8String. The UTF8String encoding MUST smtpUtf8Name is encoded as UTF8String. The UTF8String encoding MUST
NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency
across implementations particularly for comparison. across implementations particularly for comparison.
4. Matching of Internationalized Email Addresses in X.509 certificates 4. Matching of Internationalized Email Addresses in X.509 certificates
In equivalence comparison with smtputf8Name, there may be some setup In equivalence comparison with smtpUtf8Name, there may be some setup
work to enable the comparison i.e. processing of the smtputf8Name work to enable the comparison i.e. processing of the smtpUtf8Name
content or the email address that is being compared against. The content or the email address that is being compared against. The
process for setup for comparing with smtputf8Name is split into process for setup for comparing with smtpUtf8Name is split into
domain steps and local-part steps. The comparison form for local- domain steps and local-part steps. The comparison form for local-
part always is UTF-8. The comparison form for domain depends on part always is UTF-8. The comparison form for domain depends on
context. While some contexts such as certificate path validation in context. While some contexts such as certificate path validation in
[RFC5280] specify transforming to A-label, this document RECOMMENDS [RFC5280] specify transforming domain to A-label, this document
transforming to UTF-8 U-label even in place of those other RECOMMENDS transforming to UTF-8 U-label instead. This reduces the
specifications. As more implementations natively support U-label likelihood of errors by reducing conversions as more implementations
domain, requiring U-label reduces conversions required, which then natively support U-label domains.
reduces likelihood of errors caused by bugs in implementation.
Comparison of two smtputf8Name can be straightforward. No setup work Comparison of two smtpUtf8Name can be straightforward. No setup work
is needed and it can be an octet for octet comparison. For other is needed and it can be an octet for octet comparison. For other
email address forms such as Internationalized email address or email address forms such as Internationalized email address or
rfc822Name, the comparison requires additional setup to convert the rfc822Name, the comparison requires additional setup to convert the
format for comparison. Domain setup is particularly important for format for comparison. Domain setup is particularly important for
forms that may contain A- or U-label such as International email forms that may contain A- or U-label such as International email
address, or A-label only forms such as rfc822Name. This document address, or A-label only forms such as rfc822Name. This document
specifies the process to transform the domain to U-label. (To specifies the process to transform the domain to U-label. (To
convert the domain to A-label, follow the process process specified convert the domain to A-label, follow the process specified in
in section 7.5 and 7.2 in [RFC5280]) The first step is to detect section 7.5 and 7.2 in [RFC5280]) The first step is to detect A-label
A-label by using section 5.1 of [RFC5891]. Next if necessary, by using section 5.1 of [RFC5891]. Next if necessary, transform the
transform the A-label to U-label Unicode as specified in section 5.2 A-label to U-label Unicode as specified in section 5.2 of [RFC5891].
of [RFC5891]. Finally if necessary convert the Unicode to UTF-8 as Finally if necessary convert the Unicode to UTF-8 as specified in
specified in section 3 of [RFC3629]. In setup for smtputf8Mailbox, section 3 of [RFC3629]. In setup for smtputf8Mailbox, the email
the email address local-part MUST be converted to UTF-8 if it is not address local-part MUST be converted to UTF-8 if it is not already.
already. The <Local-part> part of an Internationalized email address The <Local-part> part of an Internationalized email address is
is already in UTF-8. For the rfc822Name local-part is IA5String already in UTF-8. For the rfc822Name local-part is IA5String
(ASCII), and conversion to UTF-8 is trivial since ASCII octets maps (ASCII), and conversion to UTF-8 is trivial since ASCII octets maps
to UTF-8 without change. Once the setup is completed, comparison is to UTF-8 without change. Once the setup is completed, comparison is
an octet for octet comparison. an octet for octet comparison.
This specification expressly does not define any wildcards characters This specification expressly does not define any wildcards characters
and smtputf8Name comparison implementations MUST NOT interpret any and smtpUtf8Name comparison implementations MUST NOT interpret any
character as wildcards. Instead, to specify multiple specifying character as wildcards. Instead, to specify multiple specifying
multiple email addresses through smtputf8Name, the certificate should multiple email addresses through smtpUtf8Name, the certificate should
use multiple subjectAltNames or issuerAltNames to explicitly carry use multiple subjectAltNames or issuerAltNames to explicitly carry
those email addresses. those email addresses.
5. Name constraints in path validation 5. Name constraints in path validation
This section defines use of smtputf8Name name for name constraints. This section defines use of smtpUtf8Name name for name constraints.
The format for smtputf8Name in name constraints is identical to the The format for smtpUtf8Name in name constraints is identical to the
use in subjectAltName as specified in Section 3 with the extension as use in subjectAltName as specified in Section 3 with the extension as
noted there for partial productions. noted there for partial productions.
Constraint comparison on complete email address with smtputf8Name Constraint comparison on complete email address with smtpUtf8Name
name uses the matching procedure defined by Section 4. As with name uses the matching procedure defined by Section 4. As with
rfc822Name name constraints as specified in Section 4.2.1.10 of rfc822Name name constraints as specified in Section 4.2.1.10 of
[RFC5280], smtputf8Name name can specify a particular mailbox, all [RFC5280], smtpUtf8Name name can specify a particular mailbox, all
addresses at a host, or all mailboxes in a domain by specifying the addresses at a host, or all mailboxes in a domain by specifying the
complete email address, a host name, or a domain. complete email address, a host name, or a domain.
Name constraint comparisons in the context [RFC5280] is specified Name constraint comparisons in the context [RFC5280] is specified
with smtputf8Name name are only done on the subjectAltName (and with smtpUtf8Name name are only done on the subjectAltName (and
issuerAltName) smtputf8Name name, and says nothing more about issuerAltName) smtpUtf8Name name, and says nothing more about
constaints on other email address forms such as rfc822Name. constraints on other email address forms such as rfc822Name.
Consequently it may be necessary to include other name constraints Consequently it may be necessary to include other name constraints
such as rfc822Name in addition to smtputf8Name to constrain all such as rfc822Name in addition to smtpUtf8Name to constrain all
potential email addresses. For example a domain with both ascii and potential email addresses. For example a domain with both ascii and
non-ascii local-part email addresses may require both rfc822Name and non-ascii local-part email addresses may require both rfc822Name and
smtputf8Name name constraints. This can be illustrated in the smtpUtf8Name name constraints. This can be illustrated in the
following non-normative diagram Figure 1 which shows a name following non-normative diagram Figure 1 which shows a name
constraint set in the intermediate CA certificate, which then applies constraint set in the intermediate CA certificate, which then applies
to the children entity certificates. Note that a constraint on to the children entity certificates. Note that a constraint on
rfc822Name does not apply to smtputf8Name and vice versa. rfc822Name does not apply to smtpUtf8Name and vice versa.
+------------------------------------------------------+ +--------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+------------------------------------------------------+ +--------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Name Constraint Extension | | Name Constraint Extension |
| Permitted | | Permitted |
| rfc822Name: allowed.example.com | | rfc822Name: allowed.example.com |
| smtputf8Name: allowed.example.com | | smtpUtf8Name: allowed.example.com |
| Excluded | | Excluded |
| rfc822Name: ignored.example.com | | rfc822Name: ignored.allowed.example.com |
+------------------------------------------------------+ +--------------------------------------------------------------+
| | | |
v | v |
+------------------------------------------------------+ +--------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) | | Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@allowed.example.com | | rfc822Name: student@allowed.example.com |
| smtputf8Name: \u8001\u5E2B@allowed.example.com | | smtpUtf8Name: \u8001\u5E2B@allowed.example.com |
+------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+------------------------------------------------------+ +--------------------------------------------------------------+
| Entity Cert (w/permitted subject- excluded | | Entity Cert (w/permitted subject- excluded rfc822Name |
| rfc822Name does not exclude smtputf8Name) | | does not exclude smtpUtf8Name) |
| SubjectAltName Extension | | SubjectAltName Extension |
| smtputf8Name: \u4E0D\u5C0D@ignored.example.com | | smtpUtf8Name: \u4E0D\u5C0D@ignored.allowed.example.com |
+------------------------------------------------------+ +--------------------------------------------------------------+
Figure 1 Figure 1
6. Resource Considerations 6. Deployment Considerations
For email addresses whose local-part is ASCII it may be more For email addresses whose local-part is ASCII it may be more
reasonable to continue using rfc822Name instead of smtputf8Name. Use reasonable to continue using rfc822Name instead of smtpUtf8Name. The
of smtputf8Name incurs higher byte representation overhead due to use of rfc822Name rather than smtputf8Name is currently more likely
encoding with otherName and the additional OID needed. This document to be supported. Also use of smtpUtf8Name incurs higher byte
RECOMMENDS using smtputf8Name when local-part contains non-ASCII representation overhead due to encoding with otherName and the
characters, and otherwise rfc822Name. additional OID needed. This may be offset if domain requires non-
ASCII characters as smptUtf8Name supports U-label whereas rfc822Name
supports A-label. This document RECOMMENDS using smtpUtf8Name when
local-part contains non-ASCII characters, and otherwise rfc822Name.
7. Security Considerations 7. Security Considerations
Use for smtputf8Name for certificate subjectAltName (and Use for smtpUtf8Name for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations of issuerAltName) will incur many of the same security considerations of
Section 8 in [RFC5280] but further complicated by permitting non- Section 8 in [RFC5280] but further complicated by permitting non-
ASCII characters in the email address local-part. As mentioned in ASCII characters in the email address local-part. As mentioned in
Section 4.4 of [RFC5890] and in Section 4 of [RFC6532] Unicode Section 4.4 of [RFC5890] and in Section 4 of [RFC6532] Unicode
introduces the risk for visually similar characters which can be introduces the risk for visually similar characters which can be
exploited to deceive the recipient. The former document references exploited to deceive the recipient. The former document references
some means to mitigate against these attacks. some means to mitigate against these attacks.
8. IANA Considerations 8. IANA Considerations
This document makes use of object identifiers for the smtputf8Name This document makes use of object identifiers for the smtpUtf8Name
defined in Section Section 3 and the ASN.1 module identifier defined defined in Section Section 3 and the ASN.1 module identifier defined
in Section Appendix A. IANA is kindly requested to make the in Section Appendix A. IANA is kindly requested to make the
following assignments for: following assignments for:
The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for
PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).
The smtputf8Name otherName in the "PKIX Other Name Forms" registry The smtpUtf8Name otherName in the "PKIX Other Name Forms" registry
(1.3.6.1.5.5.7.8). (1.3.6.1.5.5.7.8).
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 8, line 36 skipping to change at page 8, line 7
2012, <http://www.rfc-editor.org/info/rfc6532>. 2012, <http://www.rfc-editor.org/info/rfc6532>.
9.2. Informative References 9.2. Informative References
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008, DOI 10.17487/RFC5322, October 2008,
<http://www.rfc-editor.org/info/rfc5322>. <http://www.rfc-editor.org/info/rfc5322>.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the Smtputf8Name The following ASN.1 module normatively specifies the smtpUtf8Name
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
[RFC5912] with the 2002 ASN.1 notation used in that document. [RFC5912] with the 2002 ASN.1 notation used in that document.
LAMPS-EaiAddresses-2016 LAMPS-EaiAddresses-2016
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-lamps-eai-addresses-2016(TBD) } id-mod-lamps-eai-addresses-2016(TBD) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
OTHER-NAME
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
id-pkix OBJECT IDENTIFIER ::= id-pkix
{iso(1) identified-organization(3) dod(6) internet(1) security(5) FROM PKIX1Explicit-2009
mechanisms(5) pkix(7)} { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
-- --
-- otherName carries additional name types for subjectAltName, issuerAltName, -- otherName carries additional name types for subjectAltName, issuerAltName,
-- and other uses of GeneralNames. -- and other uses of GeneralNames.
-- --
id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on OBJECT IDENTIFIER ::= { id-pkix 8 }
SmtpUtf8OtherNames OTHER-NAME ::= { on-smtputf8Name, ... } SmtpUtf8OtherNames OTHER-NAME ::= { on-smtpUtf8Name, ... }
on-smtputf8Name OTHER-NAME ::= { on-smtpUtf8Name OTHER-NAME ::= {
SmtpUtf8Name IDENTIFIED BY id-on-smtputf8Name smtpUtf8Name IDENTIFIED BY id-on-smtpUtf8Name
} }
id-on-smtputf8Name OBJECT IDENTIFIER ::= { id-on TBD } id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUtf8Name ::= UTF8String (SIZE (1..MAX)) SmtpUtf8Name ::= UTF8String (SIZE (1..MAX))
END END
Figure 2 Figure 2
Appendix B. Acknowledgements Appendix B. Example of smtpUtf8Name
This non-normative example demonstrates using smtpUtf8Name as an
otherName in GeneralName to encode the email address
"\u8001\u5E2B@example.com".
The hexidecimal DER encoding of the email address is:
A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 6D706C65 2E636F6D
The text decoding is:
0 34: [0] {
2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9'
14 20: [0] {
16 18: UTF8String '..@example.com'
: }
: }
Figure 3
The example was encoded on the OSS Nokalva ASN.1 Playground and the
above text decoding is an output of Peter Gutmann's "dumpasn1"
program.
Appendix C. Acknowledgements
Thank you to Magnus Nystrom for motivating this document. Thanks to Thank you to Magnus Nystrom for motivating this document. Thanks to
Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean
Leonard, Sean Turner, and Jim Schaad for their feedback. Also thanks Leonard, and Sean Turner for their feedback. Also special thanks to
to John Klensin for his valuable input on internationalization, John Klensin for his valuable input on internationalization, Unicode
Unicode and ABNF formatting. and ABNF formatting, and to Jim Schaad for his help with the ASN.1
example and his helpful feedback.
Authors' Addresses Authors' Addresses
Alexey Melnikov (editor) Alexey Melnikov (editor)
Isode Ltd Isode Ltd
14 Castle Mews 14 Castle Mews
Hampton, Middlesex TW12 2NP Hampton, Middlesex TW12 2NP
UK UK
Email: Alexey.Melnikov@isode.com Email: Alexey.Melnikov@isode.com
Weihaw Chuang (editor) Weihaw Chuang (editor)
Google, Inc. Google, Inc.
1600 Amphitheatre Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
US US
Email: weihaw@google.com Email: weihaw@google.com
 End of changes. 46 change blocks. 
99 lines changed or deleted 131 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/