--- 1/draft-ietf-lamps-eai-addresses-07.txt 2017-03-12 15:13:45.124794725 -0700 +++ 2/draft-ietf-lamps-eai-addresses-08.txt 2017-03-12 15:13:45.160795585 -0700 @@ -1,19 +1,19 @@ LAMPS A. Melnikov, Ed. Internet-Draft Isode Ltd Intended status: Standards Track W. Chuang, Ed. -Expires: September 9, 2017 Google, Inc. - March 8, 2017 +Expires: September 13, 2017 Google, Inc. + March 12, 2017 Internationalized Email Addresses in X.509 certificates - draft-ietf-lamps-eai-addresses-07 + draft-ietf-lamps-eai-addresses-08 Abstract This document defines a new name form for inclusion in the otherName field of an X.509 Subject Alternative Name and Issuer Alternate Name extension that allows a certificate subject to be associated with an Internationalized Email Address. Status of This Memo @@ -23,21 +23,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 9, 2017. + This Internet-Draft will expire on September 13, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -49,30 +49,30 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. Matching of Internationalized Email Addresses in X.509 certificates . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Name constraints in path validation . . . . . . . . . . . . . 5 - 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 8 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 - 10.2. Informative References . . . . . . . . . . . . . . . . . 10 - Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 - Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 11 - Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 12 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 + 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 10 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 10.2. Informative References . . . . . . . . . . . . . . . . . 11 + Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 + Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 13 + Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 13 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction [RFC5280] defines rfc822Name subjectAltName choice for representing [RFC5321] email addresses. This form is restricted to a subset of US-ASCII characters and thus can't be used to represent Internationalized Email addresses [RFC6531]. To facilitate use of these Internationalized Email addresses with X.509 certificates, this document specifies a new name form in otherName so that subjectAltName and issuerAltName can carry them. In addition this @@ -221,124 +221,209 @@ rfc822Name name constraints as specified in Section 4.2.1.10 of [RFC5280], SmtpUTF8Name name can specify a particular mailbox, all addresses at a host, or all mailboxes in a domain by specifying the complete email address, a host name, or a domain. Name constraint comparisons in the context of [RFC5280] that are specified with SmtpUTF8Name name are only done on the subjectAltName SmtpUTF8Name name and not on other forms. Similarly rfc822Name name constraints do not apply to subjectAltName SmtpUTF8Name name. This imposes requirements on the certificate issuer as described next. - When name constraints are used with SmtpUTF8Name subjectAltName - names, they are specified in the following profile to prevent - bypassing of name constraints. Host name and domain constraints MUST - use both rfc822Name and SmtpUTF8Name forms in the issuing certificate - with the constraint. Complete email address constraint with UTF-8 - local-part MUST only use SmtpUTF8Name form. Complete email address - constraint with ASCII local-part MUST use both rfc822Name and - SmtpUTF8Name forms. When both rfc822Name and SmtpUTF8Name name - constraints forms are present, they MUST carry the equivalent - constraints as defined by Section 5 and MUST be found in the same - node and in the same permittedSubtrees or excludedSubtrees. This - specification intentionally leaves unchanged rfc822Name name - constraint processing as described in Section 4.2.1.10 of [RFC5280]. + When name constraints are used with SmtpUTF8Name subject alternative + names, the constraints are specified by the following changes to the + path validator to prevent bypass of the name constraints. The email + address path validator in Section 6 of [RFC5280] is modified to + consider: - This document specifies that SmtpUTF8Name aware path validators check - for SmtpUTF8Name name constraint profiles as an additional path - validation step in Section 6 of [RFC5280]. SmtpUTF8Name aware - validators MUST NOT accept any certificate whose path contains an - issuing certificate whose rfc822Name or SmtpUTF8Name name constraints - do not match the above profile. That is the path validator verifies - that a rfc822Name name constraint has a corresponding SmtpUTF8Name - constraint and that a SmtpUTF8Name name constraint has a - corresponding rfc822Name constraint when the constraint contains host - name, domain or email address with an ASCII local-part. This - correspondence is required to be in the same issuing certificate node - and in the same nameConstraint permittedSubtrees or excludedSubtrees. + 1. When neither rfc822Name nor SmtpUTF8Name name constraints are + present in any issuer CA certificate, then path validation does + not add restrictions on children certificates with rfc822Name or + SmtpUTF8Name subject alternative names. That is any combination + of rfc822Name or SmtpUTF8Name subject alternative names may be + present. - The name constraint requirement with SmtpUTF8Name subjectAltName is - illustrated in the following non-normative diagram Figure 1. This - show a SmtpUTF8Name aware issuer that constrained the intermediate CA - with host name and email address name constraints. In particular the - email address constraint with UTF8 local-part only used a single - SmtpUTF8Name name constraint, while the email address constraint with - ASCII local-part used both rfc822Name and SmtpUTF8Name name - constraints. The next non-normative diagram Figure 2 illustrates - legacy name constraints to contrasts the changes this document - specifies. The legacy approach has only a single rfc822Name name + 2. If issuer CA certificates contain only rfc822Name name + constraints, then those constraints apply to rfc822Name subject + alternative name in children certificates. SmtpUTF8Name subject + alternative name are prohibited in those same certificates, that + is those certificates MUST be rejected by the path verifier. + + 3. When both rfc822Name and SmtpUTF8Name name constraints are + present in all issuer CA certificates that have either form, then + the path verifier applies the constraint of the subject + alternative name form in children certificates. This allows any + combination of rfc822Name or SmtpUTF8Name subject alternative + names to be present and implies that the issuer has applied + appropriate name constraints. While commonly the alternative + forms will be equivalent, they need not be, as the forms can + represent features not present in its counterpart. One instance + of this is when the issuer wants to name constrain domain or + hostname using the rules of a particular form. + + 4. If some issuer CA certificates contain only SmtpUTF8Name name + constraints, then those are at risk of bypass with rfc822Name + subject alternative names when processed by legacy verifiers. To + prevent this, issuers MUST also publish rfc822Name name + constraint that prevent those bypasses. This occurs when both + rfc822Name and SmtpUTF8Name constraint forms can represents the + same host, domain or email address, and both are needed. Even + when the constraints are asymmetric such as when the issuer + wishes to constrain an email address with an UTF-8 local part, a + non empty rfc822Name name constraint may be needed if there isn't + one already so that the path verifier initializes correctly. + + When both name constraints are present, the contents depends on the + usage. If the issuer desires to represent the same NR-LDH host or + domain, then it is the same string in both rfc822Name and + SmtpUTF8Name. If the host or domain labels contain UTF-8, then the + labels may be used directly in SmtpUTF8Name noting the restriction in + Section 5 and transformed to A-label for rfc822Name using the process + described in [RFC5280]. Email addresses that use ASCII local-part + use the same processing procedures for host or domain. + + If the issuer wishes to represent the name constraint asymmetrically, + with either rfc822Name or SmtpUTF8Name to respectively represent some + A-label or U-label in the domain or host, the alternate name + constraint form must still be present. If nothing needs be + represented by the alternate form, then empty name constraint can + described by the "invalid" TLD that helps initialize the name + constraint path validation set. Or alternatively it may be omitted + if some other name constraint pair, provides a name constraint of + that form. In particular this initialization may be needed when + SmtpUTF8Name is used to represent an email address name constraint + with an UTF-8 local-part and rfc822Name cannot represent such a email + address constraint. + + The name constraint requirement with SmtpUTF8Name subject alternative + name is illustrated in the non-normative diagram Figure 1 with + several examples. (3a) shows an issuer constraining a NR-LDH + hostname with rfc822Name and SmtpUTF8Name so that they can issue + ASCII and UTF-8 local-name email addresses certificates. (3b) shows + an issuer constraining a hostname containing a non-ASCII label for + u+5C0Fu+5B66 (elementary school). (3c) demonstrates that a hostname + constraint with an rfc822Name is distinguishable from its + SmtpUTF8Name constraint, and that only the rfc822Name form is + permitted. No 'invalid' SmtpUTF8Name constraint is needed since + other SmtpUTF8Name constraints are present. (3d) similarly + demonstrates this capability to restrict a name constraint to + SmtpUTF8Name only. (3e) shows that a non-ASCII local- part email + address can also be constrained to be permitted using SmtpUTF8Name. + It too does not need an 'invalid' rfc822Name as other rfc822Name + constrains are present. Diagram Figure 2 illustrates (non- + normatively) a different certificate chain that does need the + 'invalid' name constraint. (3f) constrains a non-ASCII local-part + email address using a SmtpUTF8Name name constraint but requires a + rfc822Name 'invalid' constraint because it lacks any other rfc822Name + constraints needed to initialize the name constraint path + verification. The next non-normative diagram Figure 3 illustrates + legacy name constraints that contrasts the changes this document + specifies. The legacy approach (2) has only a single rfc822Name name email address name constraint. - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | Root CA Cert | - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | v - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | Intermediate CA Cert | - | Name Constraint Extension | | Permitted | - | rfc822Name: allowed_host.example.com | - | SmtpUTF8Name: allowed_host.example.com | + | rfc822Name: nr.ldh.host.example.com (3a) | + | SmtpUTF8Name: nr.ldh.host.example.com (3a) | | | - | SmtpUTF8Name: u+8001u+5E2B@allowed_email.example.com | + | rfc822Name: u+5C0Fu+5B66.host.example.com (3b) | + | SmtpUTF8Name: xn--48s3o.host.example.com (3b) | | | - | rfc822Name: student@allowed_email.example.com | - | SmtpUTF8Name: student@allowed_email.example.com | - +--------------------------------------------------------------+ + | rfc822Name: xn--pss25c.a.label.example.com (3c) | + | | + | SmtpUTF8Name: u+4E2Du+5B66.u.label.example.com (3d) | + | | + | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3e) | + +-------------------------------------------------------------------+ | v - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | Entity Cert (w/explicitly permitted subjects) | | SubjectAltName Extension | - | SmtpUTF8Name: u+533Bu+751F@allowed_host.example.com | + | rfc822Name: student@nr.ldh.host.example.com (3a) | + | SmtpUTF8Name: u+5B66u+751F@nr.ldh.host.example.com (3a) | | | - | SmtpUTF8Name: u+8001u+5E2B@allowed_email.example.com | + | rfc822Name: student@u+5C0Fu+5B66.host.example.com (3b) | + | SmtpUTF8Name: u+5B66u+751F@xn--48s3o.host.example.com (3b) | | | - | rfc822Name: student@allowed_email.example.com | - +--------------------------------------------------------------+ + | rfc822Name: student@xn--pss25c.a.label.example.com (3c) | + | | + | SmtpUTF8Name: student@u+4E2Du+5B66.u.label.example.com (3d) | + | | + | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3e) | + +-------------------------------------------------------------------+ - Name constraints with SmtpUTF8Name + Name constraints with SmtpUTF8Name and rfc822Name Figure 1 - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | Root CA Cert | - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | v - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | Intermediate CA Cert | | Name Constraint Extension | | Permitted | - | rfc822Name: allowed_host.example.com | - +--------------------------------------------------------------+ + | rfc822Name: invalid (3f) | + | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3f) | + +-------------------------------------------------------------------+ | v - +--------------------------------------------------------------+ + +-------------------------------------------------------------------+ | Entity Cert (w/explicitly permitted subjects) | | SubjectAltName Extension | - | rfc822Name: student@allowed_host.example.com | - +--------------------------------------------------------------+ + | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3f) | + +-------------------------------------------------------------------+ - Legacy name constraints with rfc822Name + Name constraints with SmtpUTF8Name email address and empty rfc822Name Figure 2 + +-------------------------------------------------------------------+ + | Root CA Cert | + +-------------------------------------------------------------------+ + | + v + +-------------------------------------------------------------------+ + | Intermediate CA Cert | + | Name Constraint Extension | + | Permitted | + | rfc822Name: student@email.example.com (2) | + +-------------------------------------------------------------------+ + | + v + +-------------------------------------------------------------------+ + | Entity Cert (w/explicitly permitted subjects) | + | SubjectAltName Extension | + | rfc822Name: student@email.example.com (2) | + +-------------------------------------------------------------------+ + + Legacy name constraints with rfc822Name + + Figure 3 + 7. Deployment Considerations For email addresses whose local-part is ASCII it may be more reasonable to continue using rfc822Name instead of SmtpUTF8Name. The use of rfc822Name rather than SmtpUTF8Name is currently more likely to be supported. Also use of SmtpUTF8Name incurs higher byte representation overhead due to encoding with otherName and the additional OID needed. This may be offset if domain requires non- - ASCII characters as smptUtf8Name supports U-label whereas rfc822Name + ASCII characters as SmtpUTF8Name supports U-label whereas rfc822Name supports A-label. This document RECOMMENDS using SmtpUTF8Name when local-part contains non-ASCII characters, and otherwise rfc822Name. 8. Security Considerations Use for SmtpUTF8Name for certificate subjectAltName (and issuerAltName) will incur many of the same security considerations of Section 8 in [RFC5280] but is further complicated by permitting non- ASCII characters in the email address local-part. This complication, as mentioned in Section 4.4 of [RFC5890] and in Section 4 of @@ -454,55 +539,55 @@ on-SmtpUTF8Name OTHER-NAME ::= { SmtpUTF8Name IDENTIFIED BY id-on-SmtpUTF8Name } id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 } SmtpUTF8Name ::= UTF8String (SIZE (1..MAX)) END - Figure 3 + Figure 4 Appendix B. Example of SmtpUTF8Name This non-normative example demonstrates using SmtpUTF8Name as an otherName in GeneralName to encode the email address "u+8001u+5E2B@example.com". The hexadecimal DER encoding of the email address is: A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 6D706C65 2E636F6D The text decoding is: 0 34: [0] { 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 14 20: [0] { 16 18: UTF8String '..@example.com' : } : } - Figure 4 + Figure 5 The example was encoded on the OSS Nokalva ASN.1 Playground and the above text decoding is an output of Peter Gutmann's "dumpasn1" program. Appendix C. Acknowledgements Thank you to Magnus Nystrom for motivating this document. Thanks to Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean - Leonard, Sean Turner, John Levine, Viktor Dukhovni and Patrik - Falstrom for their feedback. Also special thanks to John Klensin for - his valuable input on internationalization, Unicode and ABNF - formatting, and to Jim Schaad for his help with the ASN.1 example and - his helpful feedback. + Leonard, Sean Turner, John Levine, and Patrik Falstrom for their + feedback. Also special thanks to John Klensin for his valuable input + on internationalization, Unicode and ABNF formatting, to Jim Schaad + for his help with the ASN.1 example and his helpful feedback, and to + Viktor Dukhovni for his help with name constraints. Authors' Addresses Alexey Melnikov (editor) Isode Ltd 14 Castle Mews Hampton, Middlesex TW12 2NP UK Email: Alexey.Melnikov@isode.com