draft-ietf-lamps-eai-addresses-05.txt   draft-ietf-lamps-eai-addresses-06.txt 
LAMPS A. Melnikov, Ed. LAMPS A. Melnikov, Ed.
Internet-Draft Isode Ltd Internet-Draft Isode Ltd
Intended status: Standards Track W. Chuang, Ed. Intended status: Standards Track W. Chuang, Ed.
Expires: June 30, 2017 Google, Inc. Expires: August 5, 2017 Google, Inc.
December 27, 2016 February 1, 2017
Internationalized Email Addresses in X.509 certificates Internationalized Email Addresses in X.509 certificates
draft-ietf-lamps-eai-addresses-05 draft-ietf-lamps-eai-addresses-06
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name and Issuer Alternate Name field of an X.509 Subject Alternative Name and Issuer Alternate Name
extension that allows a certificate subject to be associated with an extension that allows a certificate subject to be associated with an
Internationalized Email Address. Internationalized Email Address.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 30, 2017. This Internet-Draft will expire on August 5, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2
4. Matching of Internationalized Email Addresses in X.509 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
certificates . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Matching of Internationalized Email Addresses in X.509
5. Name constraints in path validation . . . . . . . . . . . . . 4 certificates . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Deployment Considerations . . . . . . . . . . . . . . . . . . 6 6. Name constraints in path validation . . . . . . . . . . . . . 5
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 6 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 7 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix B. Example of SmtpUtf8Name . . . . . . . . . . . . . . 9 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 9 Appendix B. Example of SmtpUtf8Name . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
[RFC5280] defines rfc822Name subjectAltName choice for representing [RFC5280] defines rfc822Name subjectAltName choice for representing
[RFC5322] email addresses. This form is restricted to a subset of [RFC5321] email addresses. This form is restricted to a subset of
US-ASCII characters and thus can't be used to represent US-ASCII characters and thus can't be used to represent
Internationalized Email addresses [RFC6531]. To facilitate use of Internationalized Email addresses [RFC6531]. To facilitate use of
these Internationalized Email addresses with X.509 certificates, this these Internationalized Email addresses with X.509 certificates, this
document specifies a new name form in otherName so that document specifies a new name form in otherName so that
subjectAltName and issuerAltName can carry them. subjectAltName and issuerAltName can carry them. In addition this
document calls for all email address domain in X.509 certificates to
conform to IDNA2008 [RFC5890].
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234] The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234]
notation. notation.
skipping to change at page 3, line 18 skipping to change at page 3, line 23
SmtpUtf8Name name form of otherName. The format of SmtpUtf8Name is SmtpUtf8Name name form of otherName. The format of SmtpUtf8Name is
defined as the ABNF rule SmtpUtf8Mailbox. SmtpUtf8Mailbox is a defined as the ABNF rule SmtpUtf8Mailbox. SmtpUtf8Mailbox is a
modified version of the Internationalized Mailbox which is defined in modified version of the Internationalized Mailbox which is defined in
Section 3.3 of [RFC6531] which is itself derived from SMTP Mailbox Section 3.3 of [RFC6531] which is itself derived from SMTP Mailbox
from Section 4.1.2 of [RFC5321]. [RFC6531] defines the following from Section 4.1.2 of [RFC5321]. [RFC6531] defines the following
ABNF rules for Mailbox whose parts are modified for ABNF rules for Mailbox whose parts are modified for
internationalization: <Local-part>, <Dot-string>, <Quoted-string>, internationalization: <Local-part>, <Dot-string>, <Quoted-string>,
<QcontentSMTP>, <Domain>, and <Atom>. In particular, <Local-part> <QcontentSMTP>, <Domain>, and <Atom>. In particular, <Local-part>
was updated to also support UTF8-non-ascii. UTF8-non-ascii is was updated to also support UTF8-non-ascii. UTF8-non-ascii is
described by Section 3.1 of [RFC6532]. Also, sub-domain is extended described by Section 3.1 of [RFC6532]. Also, sub-domain is extended
to support U-label, as defined in [RFC5890] to support U-label, as defined in [RFC5890].
This document further refines Internationalized [RFC6531] Mailbox This document further refines Internationalized [RFC6531] Mailbox
ABNF rules and calls this SmtpUtf8Mailbox. In SmtpUtf8Mailbox, sub- ABNF rules and calls this SmtpUtf8Mailbox. In SmtpUtf8Mailbox, sub-
domain that encode non-ascii characters SHALL use U-label Unicode domain that encode non-ASCII characters SHALL use U-label Unicode
native character labels and MUST NOT use A-label [RFC5890]. This native character labels and MUST NOT use A-label [RFC5890]. This
restriction prevents having to determine which label encoding A- or restriction prevents having to determine which label encoding A- or
U-label is present in the Domain. As per Section 2.3.2.1 of U-label is present in the Domain. As per Section 2.3.2.1 of
[RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and [RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and
other properties specified there. In SmtpUtf8Mailbox, sub-domain other properties specified there. In SmtpUtf8Mailbox, sub-domain
that encode solely ASCII character labels SHALL use NR-LDH that encode solely ASCII character labels SHALL use NR-LDH
restrictions as specified by section 2.3.1 of [RFC5890]. Note that a restrictions as specified by section 2.3.1 of [RFC5890] and
SmtpUtf8Mailbox has no phrase (such as a common name) before it, has restricted to lower case letters. Note that a SmtpUtf8Mailbox has no
no comment (text surrounded in parentheses) after it, and is not phrase (such as a common name) before it, has no comment (text
surrounded by "<" and ">". surrounded in parentheses) after it, and is not surrounded by "<" and
">".
In the context of building name constraint as needed by [RFC5280], In the context of building name constraint as needed by [RFC5280],
the SmtpUtf8Mailbox rules are modified to allow partial productions the SmtpUtf8Mailbox rules are modified to allow partial productions
to allow for additional forms required by Section 5. Name to allow for additional forms required by Section 6. Name
constraints may specify a complete email address, host name, or constraints may specify a complete email address, host name, or
domain. This means that the local-part may be missing, and domain domain. This means that the local-part may be missing, and domain
partially specified. partially specified.
SmtpUtf8Name is encoded as UTF8String. The UTF8String encoding MUST SmtpUtf8Name is encoded as UTF8String. The UTF8String encoding MUST
NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency
across implementations particularly for comparison. across implementations particularly for comparison.
4. Matching of Internationalized Email Addresses in X.509 certificates 4. IDNA2008
To facilitate comparison between email addresses, all email address
domain in X.509 certificates MUST conform to IDNA2008 [RFC5890].
Otherwise non-conforming email address domains introduces the
possibility of conversion errors between alternate forms. This
applies to SmtpUtf8Mailbox and rfc822Name in subjectAltName,
issuerAltName and anywhere else that GeneralName is used.
5. Matching of Internationalized Email Addresses in X.509 certificates
In equivalence comparison with SmtpUtf8Name, there may be some setup In equivalence comparison with SmtpUtf8Name, there may be some setup
work to enable the comparison i.e. processing of the SmtpUtf8Name work to enable the comparison i.e. processing of the SmtpUtf8Name
content or the email address that is being compared against. The content or the email address that is being compared against. The
process for setup for comparing with SmtpUtf8Name is split into process for setup for comparing with SmtpUtf8Name is split into
domain steps and local-part steps. The comparison form for local- domain steps and local-part steps. The comparison form for local-
part always is UTF-8. The comparison form for domain depends on part always is UTF-8. The comparison form for domain depends on
context. While some contexts such as certificate path validation in context. While some contexts such as certificate path validation in
[RFC5280] specify transforming domain to A-label, this document [RFC5280] specify transforming domain to A-label, this document
RECOMMENDS transforming to UTF-8 U-label instead. This reduces the RECOMMENDS transforming to UTF-8 U-label instead. This reduces the
skipping to change at page 4, line 24 skipping to change at page 4, line 41
rfc822Name, the comparison requires additional setup to convert the rfc822Name, the comparison requires additional setup to convert the
format for comparison. Domain setup is particularly important for format for comparison. Domain setup is particularly important for
forms that may contain A- or U-label such as International email forms that may contain A- or U-label such as International email
address, or A-label only forms such as rfc822Name. This document address, or A-label only forms such as rfc822Name. This document
specifies the process to transform the domain to U-label. (To specifies the process to transform the domain to U-label. (To
convert the domain to A-label, follow the process specified in convert the domain to A-label, follow the process specified in
section 7.5 and 7.2 in [RFC5280]) The first step is to detect A-label section 7.5 and 7.2 in [RFC5280]) The first step is to detect A-label
by using section 5.1 of [RFC5891]. Next if necessary, transform the by using section 5.1 of [RFC5891]. Next if necessary, transform the
A-label to U-label Unicode as specified in section 5.2 of [RFC5891]. A-label to U-label Unicode as specified in section 5.2 of [RFC5891].
Finally if necessary convert the Unicode to UTF-8 as specified in Finally if necessary convert the Unicode to UTF-8 as specified in
section 3 of [RFC3629]. In setup for SmtpUtf8Mailbox, the email section 3 of [RFC3629]. For ASCII NR-LDH labels, upper case letters
address local-part MUST be converted to UTF-8 if it is not already. are converted to lower case letters. In setup for SmtpUtf8Mailbox,
The <Local-part> part of an Internationalized email address is the email address local-part MUST conform to the requirements of
already in UTF-8. For the rfc822Name local-part is IA5String [RFC6530] and [RFC6531], including already being a string in UTF-8
(ASCII), and conversion to UTF-8 is trivial since ASCII octets maps form. In particular, the local-part MUST NOT be transformed in any
to UTF-8 without change. Once the setup is completed, comparison is way, such as by doing case folding or normalization of any kind. The
an octet for octet comparison. <Local-part> part of an Internationalized email address is already in
UTF-8. For rfc822Name the local-part, which is IA5String (ASCII),
trivially maps to UTF-8 without change. Once setup is completed,
comparison is again checking for octet for octet equivalence.
To summarize non-normatively the domain setup steps are:
1. if the domain contains A-labels, transform them to U-label
2. if the domain contains ASCII NR-LDH labels, lowercase them
This enables an octet for octet comparison.
This specification expressly does not define any wildcards characters This specification expressly does not define any wildcards characters
and SmtpUtf8Name comparison implementations MUST NOT interpret any and SmtpUtf8Name comparison implementations MUST NOT interpret any
character as wildcards. Instead, to specify multiple specifying character as wildcards. Instead, to specify multiple specifying
multiple email addresses through SmtpUtf8Name, the certificate should multiple email addresses through SmtpUtf8Name, the certificate should
use multiple subjectAltNames or issuerAltNames to explicitly carry use multiple subjectAltNames or issuerAltNames to explicitly carry
those email addresses. those email addresses.
5. Name constraints in path validation 6. Name constraints in path validation
This section defines use of SmtpUtf8Name name for name constraints. This section defines use of SmtpUtf8Name name for name constraints.
The format for SmtpUtf8Name in name constraints is identical to the The format for SmtpUtf8Name in name constraints is identical to the
use in subjectAltName as specified in Section 3 with the extension as use in subjectAltName as specified in Section 3 with the extension as
noted there for partial productions. noted there for partial productions.
Constraint comparison on complete email address with SmtpUtf8Name Constraint comparison on complete email address with SmtpUtf8Name
name uses the matching procedure defined by Section 4. As with name uses the matching procedure defined by Section 5. As with
rfc822Name name constraints as specified in Section 4.2.1.10 of rfc822Name name constraints as specified in Section 4.2.1.10 of
[RFC5280], SmtpUtf8Name name can specify a particular mailbox, all [RFC5280], SmtpUtf8Name name can specify a particular mailbox, all
addresses at a host, or all mailboxes in a domain by specifying the addresses at a host, or all mailboxes in a domain by specifying the
complete email address, a host name, or a domain. complete email address, a host name, or a domain.
Name constraint comparisons in the context [RFC5280] is specified Name constraint comparisons in the context [RFC5280] is specified
with SmtpUtf8Name name are only done on the subjectAltName (and with SmtpUtf8Name name are only done on the subjectAltName (and
issuerAltName) SmtpUtf8Name name, and says nothing more about issuerAltName) SmtpUtf8Name name, and says nothing more about
constraints on other email address forms such as rfc822Name. constraints on other email address forms such as rfc822Name.
Consequently it may be necessary to include other name constraints Consequently it may be necessary to include other name constraints
such as rfc822Name in addition to SmtpUtf8Name to constrain all such as rfc822Name in addition to SmtpUtf8Name to constrain all
potential email addresses. For example a domain with both ascii and potential email addresses. For example a domain with both ASCII and
non-ascii local-part email addresses may require both rfc822Name and non-ASCII local-part email addresses may require both rfc822Name and
SmtpUtf8Name name constraints. This can be illustrated in the SmtpUtf8Name name constraints. This can be illustrated in the
following non-normative diagram Figure 1 which shows a name following non-normative diagram Figure 1 which shows a name
constraint set in the intermediate CA certificate, which then applies constraint set in the intermediate CA certificate, which then applies
to the children entity certificates. Note that a constraint on to the children entity certificates. Note that a constraint on
rfc822Name does not apply to SmtpUtf8Name and vice versa. rfc822Name does not apply to SmtpUtf8Name and vice versa as is shown
in non-normative diagram Figure 2.
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| |
v v
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Name Constraint Extension | | Name Constraint Extension |
| Permitted | | Permitted |
| rfc822Name: allowed.example.com | | rfc822Name: allowed.example.com |
| SmtpUtf8Name: allowed.example.com | | SmtpUtf8Name: allowed.example.com |
| Excluded | | Excluded |
| rfc822Name: ignored.allowed.example.com | | rfc822Name: ignored.allowed.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| | |
v | v
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) | | Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@allowed.example.com | | rfc822Name: student@allowed.example.com |
| SmtpUtf8Name: \u8001\u5E2B@allowed.example.com | | SmtpUtf8Name: u+8001u+5E2B@allowed.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
|
v Figure 1
+--------------------------------------------------------------+ +--------------------------------------------------------------+
| Entity Cert (w/permitted subject- excluded rfc822Name | | Root CA Cert |
+--------------------------------------------------------------+
|
v
+--------------------------------------------------------------+
| Intermediate CA Cert |
| Name Constraint Extension |
| Permitted |
| rfc822Name: allowed.example.com |
| SmtpUtf8Name: allowed.example.com |
| Excluded |
| rfc822Name: ignored.allowed.example.com |
+--------------------------------------------------------------+
|
v
+--------------------------------------------------------------+
| Entity Cert (w/permitted subject i.e. excluded rfc822Name |
| does not exclude SmtpUtf8Name) | | does not exclude SmtpUtf8Name) |
| SubjectAltName Extension | | SubjectAltName Extension |
| SmtpUtf8Name: \u4E0D\u5C0D@ignored.allowed.example.com | | SmtpUtf8Name: u+4E0Du+5C0D@ignored.allowed.example.com |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
Figure 1 Figure 2
6. Deployment Considerations 7. Deployment Considerations
For email addresses whose local-part is ASCII it may be more For email addresses whose local-part is ASCII it may be more
reasonable to continue using rfc822Name instead of SmtpUtf8Name. The reasonable to continue using rfc822Name instead of SmtpUtf8Name. The
use of rfc822Name rather than SmtpUtf8Name is currently more likely use of rfc822Name rather than SmtpUtf8Name is currently more likely
to be supported. Also use of SmtpUtf8Name incurs higher byte to be supported. Also use of SmtpUtf8Name incurs higher byte
representation overhead due to encoding with otherName and the representation overhead due to encoding with otherName and the
additional OID needed. This may be offset if domain requires non- additional OID needed. This may be offset if domain requires non-
ASCII characters as smptUtf8Name supports U-label whereas rfc822Name ASCII characters as smptUtf8Name supports U-label whereas rfc822Name
supports A-label. This document RECOMMENDS using SmtpUtf8Name when supports A-label. This document RECOMMENDS using SmtpUtf8Name when
local-part contains non-ASCII characters, and otherwise rfc822Name. local-part contains non-ASCII characters, and otherwise rfc822Name.
7. Security Considerations 8. Security Considerations
Use for SmtpUtf8Name for certificate subjectAltName (and Use for SmtpUtf8Name for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations of issuerAltName) will incur many of the same security considerations of
Section 8 in [RFC5280] but further complicated by permitting non- Section 8 in [RFC5280] but is further complicated by permitting non-
ASCII characters in the email address local-part. As mentioned in ASCII characters in the email address local-part. This complication,
Section 4.4 of [RFC5890] and in Section 4 of [RFC6532] Unicode as mentioned in Section 4.4 of [RFC5890] and in Section 4 of
introduces the risk for visually similar characters which can be [RFC6532], is that use of Unicode introduces the risk of visually
exploited to deceive the recipient. The former document references similar and identical characters which can be exploited to deceive
some means to mitigate against these attacks. the recipient. The former document references some means to mitigate
against these attacks.
8. IANA Considerations 9. IANA Considerations
This document makes use of object identifiers for the SmtpUtf8Name This document makes use of object identifiers for the SmtpUtf8Name
defined in Section Section 3 and the ASN.1 module identifier defined defined in Section Section 3 and the ASN.1 module identifier defined
in Section Appendix A. IANA is kindly requested to make the in Section Appendix A. IANA is kindly requested to make the
following assignments for: following assignments for:
The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for
PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).
The SmtpUtf8Name otherName in the "PKIX Other Name Forms" registry The SmtpUtf8Name otherName in the "PKIX Other Name Forms" registry
(1.3.6.1.5.5.7.8). (1.3.6.1.5.5.7.8).
9. References 10. References
9.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <http://www.rfc-editor.org/info/rfc3629>. 2003, <http://www.rfc-editor.org/info/rfc3629>.
skipping to change at page 7, line 30 skipping to change at page 9, line 10
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<http://www.rfc-editor.org/info/rfc5890>. <http://www.rfc-editor.org/info/rfc5890>.
[RFC5891] Klensin, J., "Internationalized Domain Names in [RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891, Applications (IDNA): Protocol", RFC 5891,
DOI 10.17487/RFC5891, August 2010, DOI 10.17487/RFC5891, August 2010,
<http://www.rfc-editor.org/info/rfc5891>. <http://www.rfc-editor.org/info/rfc5891>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC6530] Klensin, J. and Y. Ko, "Overview and Framework for
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Internationalized Email", RFC 6530, DOI 10.17487/RFC6530,
DOI 10.17487/RFC5912, June 2010, February 2012, <http://www.rfc-editor.org/info/rfc6530>.
<http://www.rfc-editor.org/info/rfc5912>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<http://www.rfc-editor.org/info/rfc6531>. <http://www.rfc-editor.org/info/rfc6531>.
[RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized [RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized
Email Headers", RFC 6532, DOI 10.17487/RFC6532, February Email Headers", RFC 6532, DOI 10.17487/RFC6532, February
2012, <http://www.rfc-editor.org/info/rfc6532>. 2012, <http://www.rfc-editor.org/info/rfc6532>.
9.2. Informative References 10.2. Informative References
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
DOI 10.17487/RFC5322, October 2008, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
<http://www.rfc-editor.org/info/rfc5322>. DOI 10.17487/RFC5912, June 2010,
<http://www.rfc-editor.org/info/rfc5912>.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the SmtpUtf8Name The following ASN.1 module normatively specifies the SmtpUtf8Name
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
[RFC5912] with the 2002 ASN.1 notation used in that document. [RFC5912] with the 2002 ASN.1 notation used in that document.
[RFC5912] updates normative documents using older ASN.1 notation.
LAMPS-EaiAddresses-2016 LAMPS-EaiAddresses-2016
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-lamps-eai-addresses-2016(TBD) } id-mod-lamps-eai-addresses-2016(TBD) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
skipping to change at page 8, line 31 skipping to change at page 10, line 25
FROM PKIX1Implicit-2009 FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
id-pkix id-pkix
FROM PKIX1Explicit-2009 FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ;
-- --
-- otherName carries additional name types for subjectAltName, issuerAltName, -- otherName carries additional name types for subjectAltName,
-- and other uses of GeneralNames. -- issuerAltName, and other uses of GeneralNames.
-- --
id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on OBJECT IDENTIFIER ::= { id-pkix 8 }
SmtpUtf8OtherNames OTHER-NAME ::= { on-smtpUtf8Name, ... } SmtpUtf8OtherNames OTHER-NAME ::= { on-smtpUtf8Name, ... }
on-smtpUtf8Name OTHER-NAME ::= { on-smtpUtf8Name OTHER-NAME ::= {
SmtpUtf8Name IDENTIFIED BY id-on-smtpUtf8Name SmtpUtf8Name IDENTIFIED BY id-on-smtpUtf8Name
} }
id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 } id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUtf8Name ::= UTF8String (SIZE (1..MAX)) SmtpUtf8Name ::= UTF8String (SIZE (1..MAX))
END END
Figure 2 Figure 3
Appendix B. Example of SmtpUtf8Name Appendix B. Example of SmtpUtf8Name
This non-normative example demonstrates using SmtpUtf8Name as an This non-normative example demonstrates using SmtpUtf8Name as an
otherName in GeneralName to encode the email address otherName in GeneralName to encode the email address
"\u8001\u5E2B@example.com". "u+8001u+5E2B@example.com".
The hexidecimal DER encoding of the email address is: The hexidecimal DER encoding of the email address is:
A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 6D706C65 2E636F6D A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861
6D706C65 2E636F6D
The text decoding is: The text decoding is:
0 34: [0] { 0 34: [0] {
2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9'
14 20: [0] { 14 20: [0] {
16 18: UTF8String '..@example.com' 16 18: UTF8String '..@example.com'
: } : }
: } : }
Figure 3 Figure 4
The example was encoded on the OSS Nokalva ASN.1 Playground and the The example was encoded on the OSS Nokalva ASN.1 Playground and the
above text decoding is an output of Peter Gutmann's "dumpasn1" above text decoding is an output of Peter Gutmann's "dumpasn1"
program. program.
Appendix C. Acknowledgements Appendix C. Acknowledgements
Thank you to Magnus Nystrom for motivating this document. Thanks to Thank you to Magnus Nystrom for motivating this document. Thanks to
Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean
Leonard, and Sean Turner for their feedback. Also special thanks to Leonard, Sean Turner, John Levine, Viktor Dukhovni and Patrik
John Klensin for his valuable input on internationalization, Unicode Falstrom for their feedback. Also special thanks to John Klensin for
and ABNF formatting, and to Jim Schaad for his help with the ASN.1 his valuable input on internationalization, Unicode and ABNF
example and his helpful feedback. formatting, and to Jim Schaad for his help with the ASN.1 example and
his helpful feedback.
Authors' Addresses Authors' Addresses
Alexey Melnikov (editor) Alexey Melnikov (editor)
Isode Ltd Isode Ltd
14 Castle Mews 14 Castle Mews
Hampton, Middlesex TW12 2NP Hampton, Middlesex TW12 2NP
UK UK
Email: Alexey.Melnikov@isode.com Email: Alexey.Melnikov@isode.com
 End of changes. 41 change blocks. 
87 lines changed or deleted 133 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/