idnits 2.17.1 draft-ietf-lamps-eai-addresses-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 11 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 27, 2016) is 2670 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 393 ** Downref: Normative reference to an Informational RFC: RFC 5912 Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 LAMPS A. Melnikov, Ed. 3 Internet-Draft Isode Ltd 4 Intended status: Standards Track W. Chuang, Ed. 5 Expires: June 30, 2017 Google, Inc. 6 December 27, 2016 8 Internationalized Email Addresses in X.509 certificates 9 draft-ietf-lamps-eai-addresses-05 11 Abstract 13 This document defines a new name form for inclusion in the otherName 14 field of an X.509 Subject Alternative Name and Issuer Alternate Name 15 extension that allows a certificate subject to be associated with an 16 Internationalized Email Address. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on June 30, 2017. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 54 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 55 4. Matching of Internationalized Email Addresses in X.509 56 certificates . . . . . . . . . . . . . . . . . . . . . . . . 3 57 5. Name constraints in path validation . . . . . . . . . . . . . 4 58 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 6 59 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 60 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 61 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 62 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 63 9.2. Informative References . . . . . . . . . . . . . . . . . 7 64 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8 65 Appendix B. Example of SmtpUtf8Name . . . . . . . . . . . . . . 9 66 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 9 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 69 1. Introduction 71 [RFC5280] defines rfc822Name subjectAltName choice for representing 72 [RFC5322] email addresses. This form is restricted to a subset of 73 US-ASCII characters and thus can't be used to represent 74 Internationalized Email addresses [RFC6531]. To facilitate use of 75 these Internationalized Email addresses with X.509 certificates, this 76 document specifies a new name form in otherName so that 77 subjectAltName and issuerAltName can carry them. 79 2. Conventions Used in This Document 81 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 82 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 83 document are to be interpreted as described in [RFC2119]. 85 The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234] 86 notation. 88 3. Name Definitions 90 The GeneralName structure is defined in [RFC5280], and supports many 91 different names forms including otherName for extensibility. This 92 section specifies the SmtpUtf8Name name form of otherName, so that 93 Internationalized Email addresses can appear in the subjectAltName of 94 a certificate, the issuerAltName of a certificate, or anywhere else 95 that GeneralName is used. 97 id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 } 98 SmtpUtf8Name ::= UTF8String (SIZE (1..MAX)) 100 When the subjectAltName (or issuerAltName) extension contains an 101 Internationalized Email address, the address MUST be stored in the 102 SmtpUtf8Name name form of otherName. The format of SmtpUtf8Name is 103 defined as the ABNF rule SmtpUtf8Mailbox. SmtpUtf8Mailbox is a 104 modified version of the Internationalized Mailbox which is defined in 105 Section 3.3 of [RFC6531] which is itself derived from SMTP Mailbox 106 from Section 4.1.2 of [RFC5321]. [RFC6531] defines the following 107 ABNF rules for Mailbox whose parts are modified for 108 internationalization: , , , 109 , , and . In particular, 110 was updated to also support UTF8-non-ascii. UTF8-non-ascii is 111 described by Section 3.1 of [RFC6532]. Also, sub-domain is extended 112 to support U-label, as defined in [RFC5890] 114 This document further refines Internationalized [RFC6531] Mailbox 115 ABNF rules and calls this SmtpUtf8Mailbox. In SmtpUtf8Mailbox, sub- 116 domain that encode non-ascii characters SHALL use U-label Unicode 117 native character labels and MUST NOT use A-label [RFC5890]. This 118 restriction prevents having to determine which label encoding A- or 119 U-label is present in the Domain. As per Section 2.3.2.1 of 120 [RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and 121 other properties specified there. In SmtpUtf8Mailbox, sub-domain 122 that encode solely ASCII character labels SHALL use NR-LDH 123 restrictions as specified by section 2.3.1 of [RFC5890]. Note that a 124 SmtpUtf8Mailbox has no phrase (such as a common name) before it, has 125 no comment (text surrounded in parentheses) after it, and is not 126 surrounded by "<" and ">". 128 In the context of building name constraint as needed by [RFC5280], 129 the SmtpUtf8Mailbox rules are modified to allow partial productions 130 to allow for additional forms required by Section 5. Name 131 constraints may specify a complete email address, host name, or 132 domain. This means that the local-part may be missing, and domain 133 partially specified. 135 SmtpUtf8Name is encoded as UTF8String. The UTF8String encoding MUST 136 NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency 137 across implementations particularly for comparison. 139 4. Matching of Internationalized Email Addresses in X.509 certificates 141 In equivalence comparison with SmtpUtf8Name, there may be some setup 142 work to enable the comparison i.e. processing of the SmtpUtf8Name 143 content or the email address that is being compared against. The 144 process for setup for comparing with SmtpUtf8Name is split into 145 domain steps and local-part steps. The comparison form for local- 146 part always is UTF-8. The comparison form for domain depends on 147 context. While some contexts such as certificate path validation in 148 [RFC5280] specify transforming domain to A-label, this document 149 RECOMMENDS transforming to UTF-8 U-label instead. This reduces the 150 likelihood of errors by reducing conversions as more implementations 151 natively support U-label domains. 153 Comparison of two SmtpUtf8Name can be straightforward. No setup work 154 is needed and it can be an octet for octet comparison. For other 155 email address forms such as Internationalized email address or 156 rfc822Name, the comparison requires additional setup to convert the 157 format for comparison. Domain setup is particularly important for 158 forms that may contain A- or U-label such as International email 159 address, or A-label only forms such as rfc822Name. This document 160 specifies the process to transform the domain to U-label. (To 161 convert the domain to A-label, follow the process specified in 162 section 7.5 and 7.2 in [RFC5280]) The first step is to detect A-label 163 by using section 5.1 of [RFC5891]. Next if necessary, transform the 164 A-label to U-label Unicode as specified in section 5.2 of [RFC5891]. 165 Finally if necessary convert the Unicode to UTF-8 as specified in 166 section 3 of [RFC3629]. In setup for SmtpUtf8Mailbox, the email 167 address local-part MUST be converted to UTF-8 if it is not already. 168 The part of an Internationalized email address is 169 already in UTF-8. For the rfc822Name local-part is IA5String 170 (ASCII), and conversion to UTF-8 is trivial since ASCII octets maps 171 to UTF-8 without change. Once the setup is completed, comparison is 172 an octet for octet comparison. 174 This specification expressly does not define any wildcards characters 175 and SmtpUtf8Name comparison implementations MUST NOT interpret any 176 character as wildcards. Instead, to specify multiple specifying 177 multiple email addresses through SmtpUtf8Name, the certificate should 178 use multiple subjectAltNames or issuerAltNames to explicitly carry 179 those email addresses. 181 5. Name constraints in path validation 183 This section defines use of SmtpUtf8Name name for name constraints. 184 The format for SmtpUtf8Name in name constraints is identical to the 185 use in subjectAltName as specified in Section 3 with the extension as 186 noted there for partial productions. 188 Constraint comparison on complete email address with SmtpUtf8Name 189 name uses the matching procedure defined by Section 4. As with 190 rfc822Name name constraints as specified in Section 4.2.1.10 of 191 [RFC5280], SmtpUtf8Name name can specify a particular mailbox, all 192 addresses at a host, or all mailboxes in a domain by specifying the 193 complete email address, a host name, or a domain. 195 Name constraint comparisons in the context [RFC5280] is specified 196 with SmtpUtf8Name name are only done on the subjectAltName (and 197 issuerAltName) SmtpUtf8Name name, and says nothing more about 198 constraints on other email address forms such as rfc822Name. 199 Consequently it may be necessary to include other name constraints 200 such as rfc822Name in addition to SmtpUtf8Name to constrain all 201 potential email addresses. For example a domain with both ascii and 202 non-ascii local-part email addresses may require both rfc822Name and 203 SmtpUtf8Name name constraints. This can be illustrated in the 204 following non-normative diagram Figure 1 which shows a name 205 constraint set in the intermediate CA certificate, which then applies 206 to the children entity certificates. Note that a constraint on 207 rfc822Name does not apply to SmtpUtf8Name and vice versa. 209 +--------------------------------------------------------------+ 210 | Root CA Cert | 211 +--------------------------------------------------------------+ 212 | 213 v 214 +--------------------------------------------------------------+ 215 | Intermediate CA Cert | 216 | Name Constraint Extension | 217 | Permitted | 218 | rfc822Name: allowed.example.com | 219 | SmtpUtf8Name: allowed.example.com | 220 | Excluded | 221 | rfc822Name: ignored.allowed.example.com | 222 +--------------------------------------------------------------+ 223 | | 224 v | 225 +--------------------------------------------------------------+ 226 | Entity Cert (w/explicitly permitted subjects) | 227 | SubjectAltName Extension | 228 | rfc822Name: student@allowed.example.com | 229 | SmtpUtf8Name: \u8001\u5E2B@allowed.example.com | 230 +--------------------------------------------------------------+ 231 | 232 v 233 +--------------------------------------------------------------+ 234 | Entity Cert (w/permitted subject- excluded rfc822Name | 235 | does not exclude SmtpUtf8Name) | 236 | SubjectAltName Extension | 237 | SmtpUtf8Name: \u4E0D\u5C0D@ignored.allowed.example.com | 238 +--------------------------------------------------------------+ 240 Figure 1 242 6. Deployment Considerations 244 For email addresses whose local-part is ASCII it may be more 245 reasonable to continue using rfc822Name instead of SmtpUtf8Name. The 246 use of rfc822Name rather than SmtpUtf8Name is currently more likely 247 to be supported. Also use of SmtpUtf8Name incurs higher byte 248 representation overhead due to encoding with otherName and the 249 additional OID needed. This may be offset if domain requires non- 250 ASCII characters as smptUtf8Name supports U-label whereas rfc822Name 251 supports A-label. This document RECOMMENDS using SmtpUtf8Name when 252 local-part contains non-ASCII characters, and otherwise rfc822Name. 254 7. Security Considerations 256 Use for SmtpUtf8Name for certificate subjectAltName (and 257 issuerAltName) will incur many of the same security considerations of 258 Section 8 in [RFC5280] but further complicated by permitting non- 259 ASCII characters in the email address local-part. As mentioned in 260 Section 4.4 of [RFC5890] and in Section 4 of [RFC6532] Unicode 261 introduces the risk for visually similar characters which can be 262 exploited to deceive the recipient. The former document references 263 some means to mitigate against these attacks. 265 8. IANA Considerations 267 This document makes use of object identifiers for the SmtpUtf8Name 268 defined in Section Section 3 and the ASN.1 module identifier defined 269 in Section Appendix A. IANA is kindly requested to make the 270 following assignments for: 272 The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for 273 PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). 275 The SmtpUtf8Name otherName in the "PKIX Other Name Forms" registry 276 (1.3.6.1.5.5.7.8). 278 9. References 280 9.1. Normative References 282 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 283 Requirement Levels", BCP 14, RFC 2119, 284 DOI 10.17487/RFC2119, March 1997, 285 . 287 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 288 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 289 2003, . 291 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 292 Specifications: ABNF", STD 68, RFC 5234, 293 DOI 10.17487/RFC5234, January 2008, 294 . 296 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 297 Housley, R., and W. Polk, "Internet X.509 Public Key 298 Infrastructure Certificate and Certificate Revocation List 299 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 300 . 302 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 303 DOI 10.17487/RFC5321, October 2008, 304 . 306 [RFC5890] Klensin, J., "Internationalized Domain Names for 307 Applications (IDNA): Definitions and Document Framework", 308 RFC 5890, DOI 10.17487/RFC5890, August 2010, 309 . 311 [RFC5891] Klensin, J., "Internationalized Domain Names in 312 Applications (IDNA): Protocol", RFC 5891, 313 DOI 10.17487/RFC5891, August 2010, 314 . 316 [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the 317 Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, 318 DOI 10.17487/RFC5912, June 2010, 319 . 321 [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized 322 Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, 323 . 325 [RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized 326 Email Headers", RFC 6532, DOI 10.17487/RFC6532, February 327 2012, . 329 9.2. Informative References 331 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 332 DOI 10.17487/RFC5322, October 2008, 333 . 335 Appendix A. ASN.1 Module 337 The following ASN.1 module normatively specifies the SmtpUtf8Name 338 structure. This specification uses the ASN.1 definitions from 339 [RFC5912] with the 2002 ASN.1 notation used in that document. 341 LAMPS-EaiAddresses-2016 342 { iso(1) identified-organization(3) dod(6) 343 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 344 id-mod-lamps-eai-addresses-2016(TBD) } 346 DEFINITIONS IMPLICIT TAGS ::= 347 BEGIN 349 IMPORTS 350 OTHER-NAME 351 FROM PKIX1Implicit-2009 352 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 353 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } 355 id-pkix 356 FROM PKIX1Explicit-2009 357 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 358 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; 360 -- 361 -- otherName carries additional name types for subjectAltName, issuerAltName, 362 -- and other uses of GeneralNames. 363 -- 365 id-on OBJECT IDENTIFIER ::= { id-pkix 8 } 367 SmtpUtf8OtherNames OTHER-NAME ::= { on-smtpUtf8Name, ... } 369 on-smtpUtf8Name OTHER-NAME ::= { 370 SmtpUtf8Name IDENTIFIED BY id-on-smtpUtf8Name 371 } 373 id-on-smtpUtf8Name OBJECT IDENTIFIER ::= { id-on 9 } 375 SmtpUtf8Name ::= UTF8String (SIZE (1..MAX)) 377 END 379 Figure 2 381 Appendix B. Example of SmtpUtf8Name 383 This non-normative example demonstrates using SmtpUtf8Name as an 384 otherName in GeneralName to encode the email address 385 "\u8001\u5E2B@example.com". 387 The hexidecimal DER encoding of the email address is: 388 A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 6D706C65 2E636F6D 390 The text decoding is: 391 0 34: [0] { 392 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 393 14 20: [0] { 394 16 18: UTF8String '..@example.com' 395 : } 396 : } 398 Figure 3 400 The example was encoded on the OSS Nokalva ASN.1 Playground and the 401 above text decoding is an output of Peter Gutmann's "dumpasn1" 402 program. 404 Appendix C. Acknowledgements 406 Thank you to Magnus Nystrom for motivating this document. Thanks to 407 Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean 408 Leonard, and Sean Turner for their feedback. Also special thanks to 409 John Klensin for his valuable input on internationalization, Unicode 410 and ABNF formatting, and to Jim Schaad for his help with the ASN.1 411 example and his helpful feedback. 413 Authors' Addresses 415 Alexey Melnikov (editor) 416 Isode Ltd 417 14 Castle Mews 418 Hampton, Middlesex TW12 2NP 419 UK 421 Email: Alexey.Melnikov@isode.com 422 Weihaw Chuang (editor) 423 Google, Inc. 424 1600 Amphitheatre Parkway 425 Mountain View, CA 94043 426 US 428 Email: weihaw@google.com