draft-ietf-lamps-eai-addresses-18.txt   rfc8398.txt 
LAMPS A. Melnikov, Ed. Internet Engineering Task Force (IETF) A. Melnikov, Ed.
Internet-Draft Isode Ltd Request for Comments: 8398 Isode Ltd
Updates: 5280 (if approved) W. Chuang, Ed. Updates: 5280 W. Chuang, Ed.
Intended status: Standards Track Google, Inc. Category: Standards Track Google, Inc.
Expires: September 5, 2018 March 4, 2018 ISSN: 2070-1721 May 2018
Internationalized Email Addresses in X.509 certificates Internationalized Email Addresses in X.509 Certificates
draft-ietf-lamps-eai-addresses-18
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name and Issuer Alternative field of an X.509 Subject Alternative Name and Issuer Alternative
Name extension that allows a certificate subject to be associated Name extension that allows a certificate subject to be associated
with an Internationalized Email Address. with an internationalized email address.
This document updates RFC 5280. This document updates RFC 5280.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on September 5, 2018. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8398.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 3
4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Matching of Internationalized Email Addresses in X.509 5. Matching of Internationalized Email Addresses in X.509
certificates . . . . . . . . . . . . . . . . . . . . . . . . 4 Certificates . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Name constraints in path validation . . . . . . . . . . . . . 5 6. Name Constraints in Path Validation . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8 9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10
Appendix B. Example of SmtpUTF8Mailbox . . . . . . . . . . . . . 10 Appendix B. Example of SmtpUTF8Mailbox . . . . . . . . . . . . . 11
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
[RFC5280] defines the rfc822Name subjectAltName name type for [RFC5280] defines the rfc822Name subjectAltName name type for
representing [RFC5321] email addresses. The syntax of rfc822Name is representing email addresses as described in [RFC5321]. The syntax
restricted to a subset of US-ASCII characters and thus can't be used of rfc822Name is restricted to a subset of US-ASCII characters and
to represent Internationalized Email addresses [RFC6531]. This thus can't be used to represent internationalized email addresses
document defines a new otherName variant to represent [RFC6531]. This document defines a new otherName variant to
Internationalized Email addresses. In addition this document represent internationalized email addresses. In addition this
requires all email address domains in X.509 certificates to conform document requires all email address domains in X.509 certificates to
to IDNA2008 [RFC5890]. conform to IDNA2008 [RFC5890].
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The formal syntax uses the Augmented Backus-Naur Form (ABNF) The formal syntax uses the Augmented Backus-Naur Form (ABNF)
[RFC5234] notation. [RFC5234] notation.
3. Name Definitions 3. Name Definitions
The GeneralName structure is defined in [RFC5280], and supports many The GeneralName structure is defined in [RFC5280] and supports many
different name forms including otherName for extensibility. This different name forms including otherName for extensibility. This
section specifies the SmtpUTF8Mailbox name form of otherName, so that section specifies the SmtpUTF8Mailbox name form of otherName so that
Internationalized Email addresses can appear in the subjectAltName of internationalized email addresses can appear in the subjectAltName of
a certificate, the issuerAltName of a certificate, or anywhere else a certificate, the issuerAltName of a certificate, or anywhere else
that GeneralName is used. that GeneralName is used.
id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX))
-- SmtpUTF8Mailbox conforms to Mailbox as specified -- SmtpUTF8Mailbox conforms to Mailbox as specified
-- in Section 3.3 of RFC 6531. -- in Section 3.3 of RFC 6531.
When the subjectAltName (or issuerAltName) extension contains an When the subjectAltName (or issuerAltName) extension contains an
Internationalized Email address with a non-ASCII local-part, the internationalized email address with a non-ASCII local-part, the
address MUST be stored in the SmtpUTF8Mailbox name form of otherName. address MUST be stored in the SmtpUTF8Mailbox name form of otherName.
The format of SmtpUTF8Mailbox is defined as the ABNF rule The format of SmtpUTF8Mailbox is defined as the ABNF rule
SmtpUTF8Mailbox. SmtpUTF8Mailbox is a modified version of the SmtpUTF8Mailbox. SmtpUTF8Mailbox is a modified version of the
Internationalized Mailbox which was defined in Section 3.3 of internationalized Mailbox that was defined in Section 3.3 of
[RFC6531] which was itself derived from SMTP Mailbox from [RFC6531], which was derived from Mailbox as defined in Section 4.1.2
Section 4.1.2 of [RFC5321]. [RFC6531] defines the following ABNF of [RFC5321]. [RFC6531] defines the following ABNF rules for Mailbox
rules for Mailbox whose parts are modified for internationalization: whose parts are modified for internationalization: <Local-part>,
<Local-part>, <Dot-string>, <Quoted-string>, <QcontentSMTP>, <Dot-string>, <Quoted-string>, <QcontentSMTP>, <Domain>, and <Atom>.
<Domain>, and <Atom>. In particular, <Local-part> was updated to In particular, <Local-part> was updated to also support UTF8-non-
also support UTF8-non-ascii. UTF8-non-ascii was described by ascii. UTF8-non-ascii was described by Section 3.1 of [RFC6532].
Section 3.1 of [RFC6532]. Also, domain was extended to support Also, domain was extended to support U-labels, as defined in
U-labels, as defined in [RFC5890]. [RFC5890].
This document further refines Internationalized [RFC6531] Mailbox This document further refines internationalized Mailbox ABNF rules as
ABNF rules and calls this SmtpUTF8Mailbox. In SmtpUTF8Mailbox, described in [RFC6531] and calls this SmtpUTF8Mailbox. In
labels that include non-ASCII characters MUST be stored in U-label SmtpUTF8Mailbox, labels that include non-ASCII characters MUST be
(rather than A-label) [RFC5890] form. This restriction removes the stored in U-label (rather than A-label) form [RFC5890]. This
need to determine which label encoding A- or U-label is present in restriction removes the need to determine which label encoding, A- or
the Domain. As per Section 2.3.2.1 of [RFC5890], U-label are encoded U-label, is present in the domain. As per Section 2.3.2.1 of
as UTF-8 [RFC3629] in Normalization Form C and other properties [RFC5890], U-labels are encoded as UTF-8 [RFC3629] in Normalization
specified there. In SmtpUTF8Mailbox, domain labels that solely use Form C and other properties specified there. In SmtpUTF8Mailbox,
ASCII characters (meaning not A- nor U-labels) SHALL use NR-LDH domain labels that solely use ASCII characters (meaning neither A-
restrictions as specified by Section 2.3.1 of [RFC5890] and SHALL be nor U-labels) SHALL use NR-LDH restrictions as specified by
restricted to lower case letters. NR-LDH stands for "Non-Reserved Section 2.3.1 of [RFC5890] and SHALL be restricted to lowercase
Letters Digits Hyphen" and is the set of LDH labels that do not have letters. NR-LDH stands for "Non-Reserved Letters Digits Hyphen" and
"--" characters in the third and forth character position, which is the set of LDH labels that do not have "--" characters in the
excludes "tagged domain names" such as A-labels. Consistent with the third and forth character position, which excludes "tagged domain
treatment of rfc822Name in [RFC5280], SmtpUTF8Mailbox is an envelope names" such as A-labels. Consistent with the treatment of rfc822Name
<Mailbox> and has no phrase (such as a common name) before it, has no in [RFC5280], SmtpUTF8Mailbox is an envelope <Mailbox> and has no
comment (text surrounded in parentheses) after it, and is not phrase (such as a common name) before it, has no comment (text
surrounded by "<" and ">". surrounded in parentheses) after it, and is not surrounded by "<" and
">" characters.
Due to name constraint compatibility reasons described in Section 6, Due to name constraint compatibility reasons described in Section 6,
SmtpUTF8Mailbox subjectAltName MUST NOT be used unless the local-part SmtpUTF8Mailbox subjectAltName MUST NOT be used unless the local-part
of the email address contains non-ASCII characters. When the local- of the email address contains non-ASCII characters. When the local-
part is ASCII, rfc822Name subjectAltName MUST be used instead of part is ASCII, rfc822Name subjectAltName MUST be used instead of
SmtpUTF8Mailbox. This is compatible with legacy software that SmtpUTF8Mailbox. This is compatible with legacy software that
supports only rfc822Name (and not SmtpUTF8Mailbox). The appropriate supports only rfc822Name (and not SmtpUTF8Mailbox). The appropriate
usage of rfc822Name and SmtpUTF8Mailbox is summarized in Table 1 usage of rfc822Name and SmtpUTF8Mailbox is summarized in Table 1
below. below.
SmtpUTF8Mailbox is encoded as UTF8String. The UTF8String encoding SmtpUTF8Mailbox is encoded as UTF8String. The UTF8String encoding
MUST NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid MUST NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency
consistency across implementations particularly for comparison. across implementations, particularly for comparison.
+-----------------+-------------+--------------+-----------------+ +-----------------+-------------+--------------+-----------------+
| local-part char | domain char | domain label | subjectAltName | | local-part char | domain char | domain label | subjectAltName |
+-----------------+-------------+--------------+-----------------+ +-----------------+-------------+--------------+-----------------+
| ASCII-only | ASCII-only | NR-LDH label | rfc822Name | | ASCII-only | ASCII-only | NR-LDH label | rfc822Name |
| non-ASCII | ASCII-only | NR-LDH label | SmtpUTF8Mailbox | | non-ASCII | ASCII-only | NR-LDH label | SmtpUTF8Mailbox |
| ASCII-only | non-ASCII | A-label | rfc822Name | | ASCII-only | non-ASCII | A-label | rfc822Name |
| non-ASCII | non-ASCII | U-label | SmtpUTF8Mailbox | | non-ASCII | non-ASCII | U-label | SmtpUTF8Mailbox |
+-----------------+-------------+--------------+-----------------+ +-----------------+-------------+--------------+-----------------+
non-ASCII may additionally include ASCII characters. Non-ASCII may additionally include ASCII characters.
Table 1: Email address formatting Table 1: Email Address Formatting
4. IDNA2008 4. IDNA2008
To facilitate comparison between email addresses, all email address To facilitate comparison between email addresses, all email address
domains in X.509 certificates MUST conform to IDNA2008 [RFC5890] (and domains in X.509 certificates MUST conform to IDNA2008 [RFC5890] (and
avoid any "mappings" mentioned in that document). Use of non- avoid any "mappings" mentioned in that document). Use of
conforming email address domains introduces the possibility of non-conforming email address domains introduces the possibility of
conversion errors between alternate forms. This applies to conversion errors between alternate forms. This applies to
SmtpUTF8Mailbox and rfc822Name in subjectAltName, issuerAltName and SmtpUTF8Mailbox and rfc822Name in subjectAltName, issuerAltName, and
anywhere else that these are used. anywhere else that these are used.
5. Matching of Internationalized Email Addresses in X.509 certificates 5. Matching of Internationalized Email Addresses in X.509 Certificates
In equivalence comparison with SmtpUTF8Mailbox, there may be some In equivalence comparison with SmtpUTF8Mailbox, there may be some
setup work on one or both inputs depending of whether the input is setup work on one or both inputs depending on whether the input is
already in comparison form. Comparing SmtpUTF8Mailboxs consists of a already in comparison form. Comparing SmtpUTF8Mailboxes consists of
domain part step and a local-part step. The comparison form for a domain part step and a local-part step. The comparison form for
local-parts is always UTF-8. The comparison form for domain parts local-parts is always UTF-8. The comparison form for domain parts
depends on context. While some contexts such as certificate path depends on context. While some contexts such as certificate path
validation in [RFC5280] specify transforming domain to A-label validation in [RFC5280] specify transforming domain to A-label
(Section 7.5 and 7.2 in [RFC5280] as updated by (Sections 7.2 and 7.5 in [RFC5280] as updated by [RFC8399]), this
[ID-lamps-rfc5280-i18n-update]), this document recommends document recommends transforming to UTF-8 U-label instead. This
transforming to UTF-8 U-label instead. This reduces the likelihood reduces the likelihood of errors by reducing conversions as more
of errors by reducing conversions as more implementations natively implementations natively support U-label domains.
support U-label domains.
Comparison of two SmtpUTF8Mailbox is straightforward with no setup Comparison of two SmtpUTF8Mailboxes is straightforward with no setup
work needed. They are considered equivalent if there is an exact work needed. They are considered equivalent if there is an exact
octet-for-octet match. Comparison with email addresses such as octet-for-octet match. Comparison with email addresses such as
Internationalized email address or rfc822Name requires additional internationalized email address or rfc822Name requires additional
setup steps for domain part and local-part. The initial preparation setup steps for domain part and local-part. The initial preparation
for the email addresses is to remove any phrases or comments, as well for the email addresses is to remove any phrases, comments, and "<"
as "<" and ">" present. This document calls for comparison of domain or ">" characters. This document calls for comparison of domain
labels that include non-ASCII characters be transformed to U-label if labels that include non-ASCII characters to be transformed to
not already in that form. The first step is to detect use of the U-labels if not already in that form. The first step is to detect
A-label by using Section 5.1 of [RFC5891]. Next if necessary, use of the A-label by using Section 5.1 of [RFC5891]. Next, if
transform any A-labels to U-labels Unicode as specified in necessary, transform any A-labels (US-ASCII) to U-labels (Unicode) as
Section 5.2 of [RFC5891]. Finally if necessary convert the Unicode specified in Section 5.2 of [RFC5891]. Finally, if necessary,
to UTF-8 as specified in Section 3 of [RFC3629]. For ASCII NR-LDH convert the Unicode to UTF-8 as specified in Section 3 of [RFC3629].
labels, upper case letters are converted to lower case letters. In For ASCII NR-LDH labels, uppercase letters are converted to lowercase
setup for SmtpUTF8Mailbox, the email address local-part MUST conform letters. In setup for SmtpUTF8Mailbox, the email address local-part
to the requirements of [RFC6530] and [RFC6531], including being a MUST conform to the requirements of [RFC6530] and [RFC6531],
string in UTF-8 form. In particular, the local-part MUST NOT be including being a string in UTF-8 form. In particular, the local-
transformed in any way, such as by doing case folding or part MUST NOT be transformed in any way, such as by doing case
normalization of any kind. The <Local-part> part of an folding or normalization of any kind. The <Local-part> part of an
Internationalized email address is already in UTF-8. For rfc822Name internationalized email address is already in UTF-8. For rfc822Name,
the local-part, which is IA5String (ASCII), trivially maps to UTF-8 the local-part, which is IA5String (ASCII), trivially maps to UTF-8
without change. Once setup is complete, they are again compared without change. Once setup is complete, they are again compared
octet-for-octet. octet for octet.
To summarize non-normatively, the comparison steps including setup To summarize non-normatively, the comparison steps, including setup,
are: are:
1. If the domain contains A-labels, transform them to U-labels. 1. If the domain contains A-labels, transform them to U-labels.
2. If the domain contains ASCII NR-LDH labels, lowercase them. 2. If the domain contains ASCII NR-LDH labels, lowercase them.
3. Compare strings octet-for-octet for equivalence. 3. Compare strings octet for octet for equivalence.
This specification expressly does not define any wildcard characters This specification expressly does not define any wildcard characters,
and SmtpUTF8Mailbox comparison implementations MUST NOT interpret any and SmtpUTF8Mailbox comparison implementations MUST NOT interpret any
character as wildcards. Instead, to specify multiple email addresses characters as wildcards. Instead, to specify multiple email
through SmtpUTF8Mailbox, the certificate MUST use multiple addresses through SmtpUTF8Mailbox, the certificate MUST use multiple
subjectAltNames or issuerAltNames to explicitly carry any additional subjectAltNames or issuerAltNames to explicitly carry any additional
email addresses. email addresses.
6. Name constraints in path validation 6. Name Constraints in Path Validation
This section updates Section 4.2.1.10 of [RFC5280] to extend This section updates Section 4.2.1.10 of [RFC5280] to extend
rfc822Name name constraints to SmtpUTF8Mailbox subjectAltNames. A rfc822Name name constraints to SmtpUTF8Mailbox subjectAltNames.
SmtpUTF8Mailbox aware path validators will apply name constraint SmtpUTF8Mailbox-aware path validators will apply name constraint
comparison to the subject distinguished name and both forms of comparison to the subject distinguished name and both forms of
subject alternative name rfc822Name and SmtpUTF8Mailbox. subject alternative names rfc822Name and SmtpUTF8Mailbox.
Both rfc822Name and SmtpUTF8Mailbox subject alternative names Both rfc822Name and SmtpUTF8Mailbox subject alternative names
represent the same underlying email address namespace. Since legacy represent the same underlying email address namespace. Since legacy
CAs constrained to issue certificates for a specific set of domains CAs constrained to issue certificates for a specific set of domains
would lack corresponding UTF-8 constraints, would lack corresponding UTF-8 constraints, [RFC8399] updates,
[ID-lamps-rfc5280-i18n-update] updates modifies and extends modifies, and extends rfc822Name name constraints defined in
rfc822Name name constraints defined in [RFC5280] to cover [RFC5280] to cover SmtpUTF8Mailbox subject alternative names. This
SmtpUTF8Mailbox subject alternative names. This ensures that the ensures that the introduction of SmtpUTF8Mailbox does not violate
introduction of SmtpUTF8Mailbox does not violate existing name existing name constraints. Since it is not valid to include
constraints. Since it is not valid to include non-ASCII UTF-8 non-ASCII UTF-8 characters in the local-part of rfc822Name name
characters in the local-part of rfc822Name name constraints, and constraints, and since name constraints that include a local-part are
since name constraints that include a local-part are rarely, if at rarely, if at all, used in practice, name constraints updated in
all, used in practice, name constraints updated in [RFC8399] allow the forms that represent all addresses at a host or
[ID-lamps-rfc5280-i18n-update] admit the forms that represent all all mailboxes in a domain and deprecates rfc822Name name constraints
addresses at a host or all mailboxes in a domain, and deprecates that represent a particular mailbox. That is, rfc822Name constraints
rfc822Name name constraints that represent a particular mailbox. with a local-part SHOULD NOT be used.
That is, rfc822Name constraints with a local-part SHOULD NOT be used.
Constraint comparison with SmtpUTF8Mailbox subjectAltName starts with Constraint comparison with SmtpUTF8Mailbox subjectAltName starts with
the setup steps defined by Section 5. Setup converts the inputs of the setup steps defined by Section 5. Setup converts the inputs of
the comparison which is one of a subject distinguished name or a the comparison (which is one of a subject distinguished name, an
rfc822Name or SmtpUTF8Mailbox subjectAltName, and one of a rfc822Name rfc822Name, or an SmtpUTF8Mailbox subjectAltName, and one of an
name constraint, to constraint comparison form. For rfc822Name name rfc822Name name constraint) to constraint comparison form. For an
constraint, this will convert any domain A-labels to U-labels. For rfc822Name name constraint, this will convert any domain A-labels to
both the name constraint and the subject, this will lower case any U-labels. For both the name constraint and the subject, this will
domain NR-LDH labels. Strip the local-part and "@" separator from lowercase any domain NR-LDH labels. Strip the local-part and "@"
each rfc822Name and SmtpUTF8Mailbox, leaving just the domain-part. separator from each rfc822Name and SmtpUTF8Mailbox, leaving just the
After setup, this follows the comparison steps defined in 4.2.1.10 of domain part. After setup, this follows the comparison steps defined
[RFC5280] as follows. If the resulting name constraint domain starts in Section 4.2.1.10 of [RFC5280] as follows. If the resulting name
with a "." character, then for the name constraint to match, a suffix constraint domain starts with a "." character, then for the name
of the resulting subject alternative name domain MUST match the name constraint to match, a suffix of the resulting subject alternative
constraint (including the leading ".") octet for octet. If the name domain MUST match the name constraint (including the leading
resulting name constraint domain does not start with a "." character, ".") octet for octet. If the resulting name constraint domain does
then for the name constraint to match, the entire resulting subject not start with a "." character, then for the name constraint to
alternative name domain MUST match the name constraint octet for match, the entire resulting subject alternative name domain MUST
octet. match the name constraint octet for octet.
Certificate Authorities that wish to issue CA certificates with email Certificate Authorities that wish to issue CA certificates with email
address name constraint MUST use rfc822Name subject alternative names address name constraints MUST use rfc822Name subject alternative
only. These MUST be IDNA2008 conformant names with no mappings, and names only. These MUST be IDNA2008-conformant names with no mappings
with non-ASCII domains encoded in A-labels only. and with non-ASCII domains encoded in A-labels only.
The name constraint requirement with SmtpUTF8Mailbox subject The name constraint requirement with SmtpUTF8Mailbox subject
alternative name is illustrated in the non-normative diagram alternative name is illustrated in the non-normative diagram in
Figure 1. The first example (1) illustrates a permitted rfc822Name Figure 1. The first example (1) illustrates a permitted rfc822Name
ASCII only hostname name constraint, and the corresponding valid ASCII-only host name name constraint and the corresponding valid
rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email
addresses. The second example (2) illustrates a permitted rfc822Name addresses. The second example (2) illustrates a permitted rfc822Name
hostname name constraint with A-label, and the corresponding valid host name name constraint with A-label, and the corresponding valid
rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email
addresses. Note that an email address with ASCII only local-part is addresses. Note that an email address with ASCII-only local-part is
encoded as rfc822Name despite also having unicode present in the encoded as rfc822Name despite also having Unicode present in the
domain. domain.
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Permitted | | Permitted |
skipping to change at page 7, line 34 skipping to change at page 7, line 44
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@elemenary.school.example.com (1) | | rfc822Name: student@elemenary.school.example.com (1) |
| SmtpUTF8Mailbox: u+5B66u+751F@elementary.school.example.com | | SmtpUTF8Mailbox: u+5B66u+751F@elementary.school.example.com |
| (1) | | (1) |
| | | |
| rfc822Name: student@xn--pss25c.example.com (2) | | rfc822Name: student@xn--pss25c.example.com (2) |
| SmtpUTF8Mailbox: u+533Bu+751F@u+5927u+5B66.example.com (2) | | SmtpUTF8Mailbox: u+533Bu+751F@u+5927u+5B66.example.com (2) |
| | | |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
Name constraints with SmtpUTF8Name and rfc822Name Figure 1: Name Constraints with SmtpUTF8Name and rfc822Name
Figure 1
7. Security Considerations 7. Security Considerations
Use of SmtpUTF8Mailbox for certificate subjectAltName (and Use of SmtpUTF8Mailbox for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations as issuerAltName) will incur many of the same security considerations as
in Section 8 in [RFC5280], but introduces a new issue by permitting in Section 8 in [RFC5280], but it introduces a new issue by
non-ASCII characters in the email address local-part. This issue, as permitting non-ASCII characters in the email address local-part.
mentioned in Section 4.4 of [RFC5890] and in Section 4 of [RFC6532], This issue, as mentioned in Section 4.4 of [RFC5890] and in Section 4
is that use of Unicode introduces the risk of visually similar and of [RFC6532], is that use of Unicode introduces the risk of visually
identical characters which can be exploited to deceive the recipient. similar and identical characters that can be exploited to deceive the
The former document references some means to mitigate against these recipient. The former document references some means to mitigate
attacks. See [WEBER] for more background on security issues with against these attacks. See [WEBER] for more background on security
Unicode. issues with Unicode.
8. IANA Considerations 8. IANA Considerations
In Section 3 and the ASN.1 module identifier defined in Appendix A. As described in Section 3 and the ASN.1 module identifier defined in
IANA is kindly requested to make the following assignments for: Appendix A, IANA has assigned the values described here.
The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for o For the LAMPS-EaiAddresses-2016 ASN.1 module, IANA has registered
PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). value 92 for "id-mod-lamps-eai-addresses-2016" in the "SMI
Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry.
The SmtpUTF8Mailbox otherName in the "PKIX Other Name Forms" o For the SmtpUTF8Mailbox otherName, IANA has registered value 9 for
registry (1.3.6.1.5.5.7.8). {{ Note to IANA: id-on-smtputf8Name id-on-SmtpUTF8Mailbox in the "SMI Security for PKIX Other Name
was assigned based on an earlier version of this document. Please Forms" (1.3.6.1.5.5.7.8) registry.
change that entry to id-on-SmtpUTF8Mailbox. }}
9. References 9. References
9.1. Normative References 9.1. Normative References
[ID-lamps-rfc5280-i18n-update]
Housley, R., "Internationalization Updates to RFC 5280",
June 2017, <https://datatracker.ietf.org/doc/
draft-housley-rfc5280-i18n-update/>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
skipping to change at page 9, line 27 skipping to change at page 9, line 27
February 2012, <https://www.rfc-editor.org/info/rfc6530>. February 2012, <https://www.rfc-editor.org/info/rfc6530>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<https://www.rfc-editor.org/info/rfc6531>. <https://www.rfc-editor.org/info/rfc6531>.
[RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized [RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized
Email Headers", RFC 6532, DOI 10.17487/RFC6532, February Email Headers", RFC 6532, DOI 10.17487/RFC6532, February
2012, <https://www.rfc-editor.org/info/rfc6532>. 2012, <https://www.rfc-editor.org/info/rfc6532>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8399] Housley, R., "Internationalization Updates to RFC 5280",
RFC 8399, DOI 10.17487/RFC8399, May 2018,
<https://www.rfc-editor.org/info/rfc8399>.
9.2. Informative References 9.2. Informative References
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, DOI 10.17487/RFC5912, June 2010,
<https://www.rfc-editor.org/info/rfc5912>. <https://www.rfc-editor.org/info/rfc5912>.
[WEBER] Weber, C., "Attacking Software Globalization", March 2010, [WEBER] Weber, C., "Attacking Software Globalization", March 2010,
<https://www.lookout.net/files/ <https://www.lookout.net/files/
Chris_Weber_Character%20Transformations%20v1.7_IUC33.pdf>. Chris_Weber_Character%20Transformations%20v1.7_IUC33.pdf>.
skipping to change at page 10, line 8 skipping to change at page 10, line 15
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the SmtpUTF8Mailbox The following ASN.1 module normatively specifies the SmtpUTF8Mailbox
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
[RFC5912] with the 2002 ASN.1 notation used in that document. [RFC5912] with the 2002 ASN.1 notation used in that document.
[RFC5912] updates normative documents using older ASN.1 notation. [RFC5912] updates normative documents using older ASN.1 notation.
LAMPS-EaiAddresses-2016 LAMPS-EaiAddresses-2016
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-lamps-eai-addresses-2016(TBD) } id-mod-lamps-eai-addresses-2016(92) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
OTHER-NAME OTHER-NAME
FROM PKIX1Implicit-2009 FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
skipping to change at page 11, line 23 skipping to change at page 11, line 29
16 18: UTF8String '..@example.com' 16 18: UTF8String '..@example.com'
: } : }
: } : }
Figure 2 Figure 2
The example was encoded on the OSS Nokalva ASN.1 Playground and the The example was encoded on the OSS Nokalva ASN.1 Playground and the
above text decoding is an output of Peter Gutmann's "dumpasn1" above text decoding is an output of Peter Gutmann's "dumpasn1"
program. program.
Appendix C. Acknowledgements Acknowledgements
Thank you to Magnus Nystrom for motivating this document. Thanks to Thank you to Magnus Nystrom for motivating this document. Thanks to
Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean
Leonard, Sean Turner, John Levine, and Patrik Falstrom for their Leonard, Sean Turner, John Levine, and Patrik Falstrom for their
feedback. Also special thanks to John Klensin for his valuable input feedback. Also special thanks to John Klensin for his valuable input
on internationalization, Unicode and ABNF formatting, to Jim Schaad on internationalization, Unicode, and ABNF formatting; to Jim Schaad
for his help with the ASN.1 example and his helpful feedback, and for his help with the ASN.1 example and his helpful feedback; and
especially to Viktor Dukhovni for helping us with name constraints especially to Viktor Dukhovni for helping us with name constraints
and his many detailed document reviews. and his many detailed document reviews.
Authors' Addresses Authors' Addresses
Alexey Melnikov (editor) Alexey Melnikov (editor)
Isode Ltd Isode Ltd
14 Castle Mews 14 Castle Mews
Hampton, Middlesex TW12 2NP Hampton, Middlesex TW12 2NP
UK United Kingdom
Email: Alexey.Melnikov@isode.com Email: Alexey.Melnikov@isode.com
Weihaw Chuang (editor) Weihaw Chuang (editor)
Google, Inc. Google, Inc.
1600 Amphitheater Parkway 1600 Amphitheater Parkway
Mountain View, CA 94043 Mountain View, CA 94043
US United States of America
Email: weihaw@google.com Email: weihaw@google.com
 End of changes. 54 change blocks. 
177 lines changed or deleted 175 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/