draft-ietf-lamps-eai-addresses-13.txt   draft-ietf-lamps-eai-addresses-14.txt 
LAMPS A. Melnikov, Ed. LAMPS A. Melnikov, Ed.
Internet-Draft Isode Ltd Internet-Draft Isode Ltd
Intended status: Standards Track W. Chuang, Ed. Intended status: Standards Track W. Chuang, Ed.
Expires: March 3, 2018 Google, Inc. Expires: March 7, 2018 Google, Inc.
August 30, 2017 September 3, 2017
Internationalized Email Addresses in X.509 certificates Internationalized Email Addresses in X.509 certificates
draft-ietf-lamps-eai-addresses-13 draft-ietf-lamps-eai-addresses-14
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name and Issuer Alternative field of an X.509 Subject Alternative Name and Issuer Alternative
Name extension that allows a certificate subject to be associated Name extension that allows a certificate subject to be associated
with an Internationalized Email Address. with an Internationalized Email Address.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 3, 2018. This Internet-Draft will expire on March 7, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Matching of Internationalized Email Addresses in X.509 5. Matching of Internationalized Email Addresses in X.509
certificates . . . . . . . . . . . . . . . . . . . . . . . . 4 certificates . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Name constraints in path validation . . . . . . . . . . . . . 5 6. Name constraints in path validation . . . . . . . . . . . . . 5
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8 9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9
Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 10 Appendix B. Example of SmtpUTF8Mailbox . . . . . . . . . . . . . 10
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
[RFC5280] defines the rfc822Name subjectAltName name type for [RFC5280] defines the rfc822Name subjectAltName name type for
representing [RFC5321] email addresses. The syntax of rfc822Name is representing [RFC5321] email addresses. The syntax of rfc822Name is
restricted to a subset of US-ASCII characters and thus can't be used restricted to a subset of US-ASCII characters and thus can't be used
to represent Internationalized Email addresses [RFC6531]. This to represent Internationalized Email addresses [RFC6531]. This
document defines a new otherName variant to represent document defines a new otherName variant to represent
skipping to change at page 2, line 48 skipping to change at page 2, line 48
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The formal syntax uses the Augmented Backus-Naur Form (ABNF) The formal syntax uses the Augmented Backus-Naur Form (ABNF)
[RFC5234] notation. [RFC5234] notation.
3. Name Definitions 3. Name Definitions
The GeneralName structure is defined in [RFC5280], and supports many The GeneralName structure is defined in [RFC5280], and supports many
different name forms including otherName for extensibility. This different name forms including otherName for extensibility. This
section specifies the SmtpUTF8Name name form of otherName, so that section specifies the SmtpUTF8Mailbox name form of otherName, so that
Internationalized Email addresses can appear in the subjectAltName of Internationalized Email addresses can appear in the subjectAltName of
a certificate, the issuerAltName of a certificate, or anywhere else a certificate, the issuerAltName of a certificate, or anywhere else
that GeneralName is used. that GeneralName is used.
id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUTF8Name ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX))
-- SmtpUTF8Name conforms to Mailbox as specified -- SmtpUTF8Mailbox conforms to Mailbox as specified
-- in Section 3.3 of RFC 6531. -- in Section 3.3 of RFC 6531.
When the subjectAltName (or issuerAltName) extension contains an When the subjectAltName (or issuerAltName) extension contains an
Internationalized Email address with a non-ASCII local-part, the Internationalized Email address with a non-ASCII local-part, the
address MUST be stored in the SmtpUTF8Name name form of otherName. address MUST be stored in the SmtpUTF8Mailbox name form of otherName.
The format of SmtpUTF8Name is defined as the ABNF rule The format of SmtpUTF8Mailbox is defined as the ABNF rule
SmtpUTF8Mailbox. SmtpUTF8Mailbox is a modified version of the SmtpUTF8Mailbox. SmtpUTF8Mailbox is a modified version of the
Internationalized Mailbox which was defined in Section 3.3 of Internationalized Mailbox which was defined in Section 3.3 of
[RFC6531] which was itself derived from SMTP Mailbox from [RFC6531] which was itself derived from SMTP Mailbox from
Section 4.1.2 of [RFC5321]. [RFC6531] defines the following ABNF Section 4.1.2 of [RFC5321]. [RFC6531] defines the following ABNF
rules for Mailbox whose parts are modified for internationalization: rules for Mailbox whose parts are modified for internationalization:
<Local-part>, <Dot-string>, <Quoted-string>, <QcontentSMTP>, <Local-part>, <Dot-string>, <Quoted-string>, <QcontentSMTP>,
<Domain>, and <Atom>. In particular, <Local-part> was updated to <Domain>, and <Atom>. In particular, <Local-part> was updated to
also support UTF8-non-ascii. UTF8-non-ascii was described by also support UTF8-non-ascii. UTF8-non-ascii was described by
Section 3.1 of [RFC6532]. Also, domain was extended to support Section 3.1 of [RFC6532]. Also, domain was extended to support
U-labels, as defined in [RFC5890]. U-labels, as defined in [RFC5890].
skipping to change at page 3, line 40 skipping to change at page 3, line 40
need to determine which label encoding A- or U-label is present in need to determine which label encoding A- or U-label is present in
the Domain. As per Section 2.3.2.1 of [RFC5890], U-label are encoded the Domain. As per Section 2.3.2.1 of [RFC5890], U-label are encoded
as UTF-8 [RFC3629] in Normalization Form C and other properties as UTF-8 [RFC3629] in Normalization Form C and other properties
specified there. In SmtpUTF8Mailbox, domain labels that solely use specified there. In SmtpUTF8Mailbox, domain labels that solely use
ASCII characters (meaning not A- nor U-labels) SHALL use NR-LDH ASCII characters (meaning not A- nor U-labels) SHALL use NR-LDH
restrictions as specified by Section 2.3.1 of [RFC5890] and SHALL be restrictions as specified by Section 2.3.1 of [RFC5890] and SHALL be
restricted to lower case letters. NR-LDH stands for "Non-Reserved restricted to lower case letters. NR-LDH stands for "Non-Reserved
Letters Digits Hyphen" and is the set of LDH labels that do not have Letters Digits Hyphen" and is the set of LDH labels that do not have
"--" characters in the third and forth character position, which "--" characters in the third and forth character position, which
excludes "tagged domain names" such as A-labels. Consistent with the excludes "tagged domain names" such as A-labels. Consistent with the
treatment of rfc822Name in [RFC5280], SmtpUTF8Name is an envelope treatment of rfc822Name in [RFC5280], SmtpUTF8Mailbox is an envelope
<Mailbox> and has no phrase (such as a common name) before it, has no <Mailbox> and has no phrase (such as a common name) before it, has no
comment (text surrounded in parentheses) after it, and is not comment (text surrounded in parentheses) after it, and is not
surrounded by "<" and ">". surrounded by "<" and ">".
Due to operational reasons to be described shortly and name Due to operational reasons to be described shortly and name
constraint compatibility reasons described in Section 6, SmtpUTF8Name constraint compatibility reasons described in Section 6,
subjectAltName MUST only be used when the local part of the email SmtpUTF8Mailbox subjectAltName MUST only be used when the local part
address contains contains non-ASCII characters. When the local-part of the email address contains contains non-ASCII characters. When
is ASCII, rfc822Name subjectAltName MUST be used instead of the local-part is ASCII, rfc822Name subjectAltName MUST be used
SmtpUTF8Name. This is compatible with legacy software that supports instead of SmtpUTF8Mailbox. This is compatible with legacy software
only rfc822Name (and not SmtpUTF8Name). that supports only rfc822Name (and not SmtpUTF8Mailbox).
SmtpUTF8Name is encoded as UTF8String. The UTF8String encoding MUST SmtpUTF8Mailbox is encoded as UTF8String. The UTF8String encoding
NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid consistency MUST NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid
across implementations particularly for comparison. consistency across implementations particularly for comparison.
4. IDNA2008 4. IDNA2008
To facilitate comparison between email addresses, all email address To facilitate comparison between email addresses, all email address
domains in X.509 certificates MUST conform to IDNA2008 [RFC5890] (and domains in X.509 certificates MUST conform to IDNA2008 [RFC5890] (and
avoids any "mappings" mentioned in that document). Use of non- avoids any "mappings" mentioned in that document). Use of non-
conforming email address domains introduces the possibility of conforming email address domains introduces the possibility of
conversion errors between alternate forms. This applies to conversion errors between alternate forms. This applies to
SmtpUTF8Name and rfc822Name in subjectAltName, issuerAltName and SmtpUTF8Mailbox and rfc822Name in subjectAltName, issuerAltName and
anywhere else that these are used. anywhere else that these are used.
5. Matching of Internationalized Email Addresses in X.509 certificates 5. Matching of Internationalized Email Addresses in X.509 certificates
In equivalence comparison with SmtpUTF8Name, there may be some setup In equivalence comparison with SmtpUTF8Mailbox, there may be some
work on one or both inputs depending of whether the input is already setup work on one or both inputs depending of whether the input is
in comparison form. Comparing SmtpUTF8Names consists of a domain already in comparison form. Comparing SmtpUTF8Mailboxs consists of a
part step and a local-part step. The comparison form for local-parts domain part step and a local-part step. The comparison form for
is always UTF-8. The comparison form for domain parts depends on local-parts is always UTF-8. The comparison form for domain parts
context. While some contexts such as certificate path validation in depends on context. While some contexts such as certificate path
[RFC5280] specify transforming domain to A-label (Section 7.5 and 7.2 validation in [RFC5280] specify transforming domain to A-label
in [RFC5280] as updated by [ID-lamps-rfc5280-i18n-update]), this (Section 7.5 and 7.2 in [RFC5280] as updated by
document RECOMMENDS transforming to UTF-8 U-label instead. This [ID-lamps-rfc5280-i18n-update]), this document recommends
reduces the likelihood of errors by reducing conversions as more transforming to UTF-8 U-label instead. This reduces the likelihood
implementations natively support U-label domains. of errors by reducing conversions as more implementations natively
support U-label domains.
Comparison of two SmtpUTF8Name is straightforward with no setup work Comparison of two SmtpUTF8Mailbox is straightforward with no setup
needed. They are considered equivalent if there is an exact octet- work needed. They are considered equivalent if there is an exact
for-octet match. Comparison with email addresses such as octet-for-octet match. Comparison with email addresses such as
Internationalized email address or rfc822Name requires additional Internationalized email address or rfc822Name requires additional
setup steps for domain part and local-part. The initial preparation setup steps for domain part and local-part. The initial preparation
for the email addresses is to remove any phrases or comments, as well for the email addresses is to remove any phrases or comments, as well
as "<" and ">" present. This document calls for comparison of domain as "<" and ">" present. This document calls for comparison of domain
labels that include non-ASCII characters be transformed to U-label if labels that include non-ASCII characters be transformed to U-label if
not already in that form. The first step is to detect use of the not already in that form. The first step is to detect use of the
A-label by using Section 5.1 of [RFC5891]. Next if necessary, A-label by using Section 5.1 of [RFC5891]. Next if necessary,
transform any A-labels to U-labels Unicode as specified in transform any A-labels to U-labels Unicode as specified in
Section 5.2 of [RFC5891]. Finally if necessary convert the Unicode Section 5.2 of [RFC5891]. Finally if necessary convert the Unicode
to UTF-8 as specified in Section 3 of [RFC3629]. For ASCII NR-LDH to UTF-8 as specified in Section 3 of [RFC3629]. For ASCII NR-LDH
skipping to change at page 5, line 18 skipping to change at page 5, line 19
To summarize non-normatively, the comparison steps including setup To summarize non-normatively, the comparison steps including setup
are: are:
1. If the domain contains A-labels, transform them to U-labels. 1. If the domain contains A-labels, transform them to U-labels.
2. If the domain contains ASCII NR-LDH labels, lowercase them. 2. If the domain contains ASCII NR-LDH labels, lowercase them.
3. Compare strings octet-for-octet for equivalence. 3. Compare strings octet-for-octet for equivalence.
This specification expressly does not define any wildcard characters This specification expressly does not define any wildcard characters
and SmtpUTF8Name comparison implementations MUST NOT interpret any and SmtpUTF8Mailbox comparison implementations MUST NOT interpret any
character as wildcards. Instead, to specify multiple email addresses character as wildcards. Instead, to specify multiple email addresses
through SmtpUTF8Name, the certificate MUST use multiple through SmtpUTF8Mailbox, the certificate MUST use multiple
subjectAltNames or issuerAltNames to explicitly carry any additional subjectAltNames or issuerAltNames to explicitly carry any additional
email addresses. email addresses.
6. Name constraints in path validation 6. Name constraints in path validation
This section updates Section 4.2.1.10 of [RFC5280] to extend This section updates Section 4.2.1.10 of [RFC5280] to extend
rfc822Name name constraints to SmtpUTF8Name subjectAltNames. A rfc822Name name constraints to SmtpUTF8Mailbox subjectAltNames. A
SmtpUTF8Name aware path validators will apply name constraint SmtpUTF8Mailbox aware path validators will apply name constraint
comparison to the subject distinguished name and both forms of comparison to the subject distinguished name and both forms of
subject alternative name rfc822Name and SmtpUTF8Name. subject alternative name rfc822Name and SmtpUTF8Mailbox.
Both rfc822Name and SmtpUTF8Name subject alternative names represent Both rfc822Name and SmtpUTF8Mailbox subject alternative names
the same underlying email address namespace. Since legacy CAs represent the same underlying email address namespace. Since legacy
constrained to issue certificates for a specific set of domains would CAs constrained to issue certificates for a specific set of domains
lack corresponding UTF-8 constraints, [ID-lamps-rfc5280-i18n-update] would lack corresponding UTF-8 constraints,
updates modifies and extends rfc822Name name constraints defined in [ID-lamps-rfc5280-i18n-update] updates modifies and extends
[RFC5280] to cover SmtpUTF8Name subject alternative names. This rfc822Name name constraints defined in [RFC5280] to cover
ensures that the introduction of SmtpUTF8Name does not violate SmtpUTF8Mailbox subject alternative names. This ensures that the
existing name constraints. Since it is not valid to include non- introduction of SmtpUTF8Mailbox does not violate existing name
ASCII UTF-8 characters in the local-part of rfc822Name name constraints. Since it is not valid to include non-ASCII UTF-8
constraints, and since name constraints that include a local-part are characters in the local-part of rfc822Name name constraints, and
rarely, if at all, used in practice, name constraints updated in since name constraints that include a local-part are rarely, if at
all, used in practice, name constraints updated in
[ID-lamps-rfc5280-i18n-update] admit the forms that represent all [ID-lamps-rfc5280-i18n-update] admit the forms that represent all
addresses at a host or all mailboxes in a domain, and deprecates addresses at a host or all mailboxes in a domain, and deprecates
rfc822Name name constraints that represent a particular mailbox. rfc822Name name constraints that represent a particular mailbox.
That is, rfc822Name constraints with a local-part SHOULD NOT be used. That is, rfc822Name constraints with a local-part SHOULD NOT be used.
Constraint comparison with SmtpUTF8Name subjectAltName starts with Constraint comparison with SmtpUTF8Mailbox subjectAltName starts with
the setup steps defined by Section 5. Setup converts the inputs of the setup steps defined by Section 5. Setup converts the inputs of
the comparison which is one of a subject distinguished name or a the comparison which is one of a subject distinguished name or a
rfc822Name or SmtpUTF8Name subjectAltName, and one of a rfc822Name rfc822Name or SmtpUTF8Mailbox subjectAltName, and one of a rfc822Name
name constraint, to constraint comparison form. For rfc822Name name name constraint, to constraint comparison form. For rfc822Name name
constraint, this will convert any domain A-labels to U-labels. For constraint, this will convert any domain A-labels to U-labels. For
both the name constraint and the subject, this will lower case any both the name constraint and the subject, this will lower case any
domain NR-LDH labels. Strip the local-part and "@" separator from domain NR-LDH labels. Strip the local-part and "@" separator from
each rfc822Name and SmtpUTF8Name, leaving just the domain-part. each rfc822Name and SmtpUTF8Mailbox, leaving just the domain-part.
After setup, this follows the comparison steps defined in 4.2.1.10 of After setup, this follows the comparison steps defined in 4.2.1.10 of
[RFC5280] as follows. If the resulting name constraint domain starts [RFC5280] as follows. If the resulting name constraint domain starts
with a "." character, then for the name constraint to match, a suffix with a "." character, then for the name constraint to match, a suffix
of the resulting subject alternative name domain MUST match the name of the resulting subject alternative name domain MUST match the name
constraint (including the leading ".") octet for octet. If the constraint (including the leading ".") octet for octet. If the
resulting name constraint domain does not start with a "." character, resulting name constraint domain does not start with a "." character,
then for the name constraint to match, the entire resulting subject then for the name constraint to match, the entire resulting subject
alternative name domain MUST match the name constraint octet for alternative name domain MUST match the name constraint octet for
octet. octet.
Certificate Authorities that wish to issue CA certificates with email Certificate Authorities that wish to issue CA certificates with email
address name constraint MUST use rfc822Name subject alternative names address name constraint MUST use rfc822Name subject alternative names
only. These MUST be IDNA2008 conformant names with no mappings, and only. These MUST be IDNA2008 conformant names with no mappings, and
with non-ASCII domains encoded in A-labels only. with non-ASCII domains encoded in A-labels only.
The name constraint requirement with SmtpUTF8Name subject alternative The name constraint requirement with SmtpUTF8Mailbox subject
name is illustrated in the non-normative diagram Figure 1. The first alternative name is illustrated in the non-normative diagram
example (1) illustrates a permitted rfc822Name ASCII only hostname Figure 1. The first example (1) illustrates a permitted rfc822Name
name constraint, and the corresponding valid rfc822Name ASCII only hostname name constraint, and the corresponding valid
subjectAltName and SmtpUTF8Name subjectAltName email addresses. The rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email
second example (2) illustrates a permitted rfc822Name hostname name addresses. The second example (2) illustrates a permitted rfc822Name
constraint with A-label, and the corresponding valid rfc822Name hostname name constraint with A-label, and the corresponding valid
subjectAltName and SmtpUTF8Name subjectAltName email addresses. Note rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email
that an email address with ASCII only local-part is encoded as addresses. Note that an email address with ASCII only local-part is
rfc822Name despite also having unicode present in the domain. encoded as rfc822Name despite also having unicode present in the
domain.
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Permitted | | Permitted |
| rfc822Name: elementary.school.example.com (1) | | rfc822Name: elementary.school.example.com (1) |
| | | |
| rfc822Name: xn--pss25c.example.com (2) | | rfc822Name: xn--pss25c.example.com (2) |
| | | |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) | | Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@elemenary.school.example.com (1) | | rfc822Name: student@elemenary.school.example.com (1) |
| SmtpUTF8Name: u+5B66u+751F@elementary.school.example.com (1) | | SmtpUTF8Mailbox: u+5B66u+751F@elementary.school.example.com |
| (1) |
| | | |
| rfc822Name: student@xn--pss25c.example.com (2) | | rfc822Name: student@xn--pss25c.example.com (2) |
| SmtpUTF8Name: u+533Bu+751F@u+5927u+5B66.example.com (2) | | SmtpUTF8Mailbox: u+533Bu+751F@u+5927u+5B66.example.com (2) |
| | | |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
Name constraints with SmtpUTF8Name and rfc822Name Name constraints with SmtpUTF8Name and rfc822Name
Figure 1 Figure 1
7. Security Considerations 7. Security Considerations
Use of SmtpUTF8Name for certificate subjectAltName (and Use of SmtpUTF8Mailbox for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations as issuerAltName) will incur many of the same security considerations as
in Section 8 in [RFC5280], but introduces a new issue by permitting in Section 8 in [RFC5280], but introduces a new issue by permitting
non-ASCII characters in the email address local-part. This issue, as non-ASCII characters in the email address local-part. This issue, as
mentioned in Section 4.4 of [RFC5890] and in Section 4 of [RFC6532], mentioned in Section 4.4 of [RFC5890] and in Section 4 of [RFC6532],
is that use of Unicode introduces the risk of visually similar and is that use of Unicode introduces the risk of visually similar and
identical characters which can be exploited to deceive the recipient. identical characters which can be exploited to deceive the recipient.
The former document references some means to mitigate against these The former document references some means to mitigate against these
attacks. attacks.
8. IANA Considerations 8. IANA Considerations
In Section 3 and the ASN.1 module identifier defined in Appendix A. In Section 3 and the ASN.1 module identifier defined in Appendix A.
IANA is kindly requested to make the following assignments for: IANA is kindly requested to make the following assignments for:
The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for
PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).
The SmtpUTF8Name otherName in the "PKIX Other Name Forms" registry The SmtpUTF8Mailbox otherName in the "PKIX Other Name Forms"
(1.3.6.1.5.5.7.8). registry (1.3.6.1.5.5.7.8).
9. References 9. References
9.1. Normative References 9.1. Normative References
[ID-lamps-rfc5280-i18n-update] [ID-lamps-rfc5280-i18n-update]
Housley, R., "Internationalization Updates to RFC 5280", Housley, R., "Internationalization Updates to RFC 5280",
June 2017, <https://datatracker.ietf.org/doc/draft- June 2017, <https://datatracker.ietf.org/doc/draft-
housley-rfc5280-i18n-update/>. housley-rfc5280-i18n-update/>.
skipping to change at page 9, line 26 skipping to change at page 9, line 26
9.2. Informative References 9.2. Informative References
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, <https://www.rfc- DOI 10.17487/RFC5912, June 2010, <https://www.rfc-
editor.org/info/rfc5912>. editor.org/info/rfc5912>.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the SmtpUTF8Name The following ASN.1 module normatively specifies the SmtpUTF8Mailbox
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
[RFC5912] with the 2002 ASN.1 notation used in that document. [RFC5912] with the 2002 ASN.1 notation used in that document.
[RFC5912] updates normative documents using older ASN.1 notation. [RFC5912] updates normative documents using older ASN.1 notation.
LAMPS-EaiAddresses-2016 LAMPS-EaiAddresses-2016
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-lamps-eai-addresses-2016(TBD) } id-mod-lamps-eai-addresses-2016(TBD) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
skipping to change at page 10, line 31 skipping to change at page 10, line 31
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ;
-- --
-- otherName carries additional name types for subjectAltName, -- otherName carries additional name types for subjectAltName,
-- issuerAltName, and other uses of GeneralNames. -- issuerAltName, and other uses of GeneralNames.
-- --
id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on OBJECT IDENTIFIER ::= { id-pkix 8 }
SmtpUtf8OtherNames OTHER-NAME ::= { on-SmtpUTF8Name, ... } SmtpUtf8OtherNames OTHER-NAME ::= { on-SmtpUTF8Mailbox, ... }
on-SmtpUTF8Name OTHER-NAME ::= { on-SmtpUTF8Mailbox OTHER-NAME ::= {
SmtpUTF8Name IDENTIFIED BY id-on-SmtpUTF8Name SmtpUTF8Mailbox IDENTIFIED BY id-on-SmtpUTF8Mailbox
} }
id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUTF8Name ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX))
-- SmtpUTF8Mailbox conforms to Mailbox as specified
-- in Section 3.3 of RFC 6531.
END END
Appendix B. Example of SmtpUTF8Name Appendix B. Example of SmtpUTF8Mailbox
This non-normative example demonstrates using SmtpUTF8Name as an This non-normative example demonstrates using SmtpUTF8Mailbox as an
otherName in GeneralName to encode the email address otherName in GeneralName to encode the email address
"u+8001u+5E2B@example.com". "u+8001u+5E2B@example.com".
The hexadecimal DER encoding of the email address is: The hexadecimal DER encoding of the email address is:
A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861
6D706C65 2E636F6D 6D706C65 2E636F6D
The text decoding is: The text decoding is:
0 34: [0] { 0 34: [0] {
2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9'
 End of changes. 34 change blocks. 
78 lines changed or deleted 84 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/