idnits 2.17.1 draft-ietf-lamps-eai-addresses-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 12, 2017) is 2573 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 564 Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 LAMPS A. Melnikov, Ed. 3 Internet-Draft Isode Ltd 4 Intended status: Standards Track W. Chuang, Ed. 5 Expires: September 13, 2017 Google, Inc. 6 March 12, 2017 8 Internationalized Email Addresses in X.509 certificates 9 draft-ietf-lamps-eai-addresses-08 11 Abstract 13 This document defines a new name form for inclusion in the otherName 14 field of an X.509 Subject Alternative Name and Issuer Alternate Name 15 extension that allows a certificate subject to be associated with an 16 Internationalized Email Address. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on September 13, 2017. 35 Copyright Notice 37 Copyright (c) 2017 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 54 3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 2 55 4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 5. Matching of Internationalized Email Addresses in X.509 57 certificates . . . . . . . . . . . . . . . . . . . . . . . . 4 58 6. Name constraints in path validation . . . . . . . . . . . . . 5 59 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 10 60 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 61 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 62 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 63 10.1. Normative References . . . . . . . . . . . . . . . . . . 10 64 10.2. Informative References . . . . . . . . . . . . . . . . . 11 65 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 66 Appendix B. Example of SmtpUTF8Name . . . . . . . . . . . . . . 13 67 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 13 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 70 1. Introduction 72 [RFC5280] defines rfc822Name subjectAltName choice for representing 73 [RFC5321] email addresses. This form is restricted to a subset of 74 US-ASCII characters and thus can't be used to represent 75 Internationalized Email addresses [RFC6531]. To facilitate use of 76 these Internationalized Email addresses with X.509 certificates, this 77 document specifies a new name form in otherName so that 78 subjectAltName and issuerAltName can carry them. In addition this 79 document calls for all email address domain in X.509 certificates to 80 conform to IDNA2008 [RFC5890]. 82 2. Conventions Used in This Document 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in [RFC2119]. 88 The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC5234] 89 notation. 91 3. Name Definitions 93 The GeneralName structure is defined in [RFC5280], and supports many 94 different names forms including otherName for extensibility. This 95 section specifies the SmtpUTF8Name name form of otherName, so that 96 Internationalized Email addresses can appear in the subjectAltName of 97 a certificate, the issuerAltName of a certificate, or anywhere else 98 that GeneralName is used. 100 id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 } 102 SmtpUTF8Name ::= UTF8String (SIZE (1..MAX)) 104 When the subjectAltName (or issuerAltName) extension contains an 105 Internationalized Email address, the address MUST be stored in the 106 SmtpUTF8Name name form of otherName. The format of SmtpUTF8Name is 107 defined as the ABNF rule SmtpUTF8Mailbox. SmtpUTF8Mailbox is a 108 modified version of the Internationalized Mailbox which was defined 109 in Section 3.3 of [RFC6531] which was itself derived from SMTP 110 Mailbox from Section 4.1.2 of [RFC5321]. [RFC6531] defines the 111 following ABNF rules for Mailbox whose parts are modified for 112 internationalization: , , , 113 , , and . In particular, 114 was updated to also support UTF8-non-ascii. UTF8-non-ascii was 115 described by Section 3.1 of [RFC6532]. Also, sub-domain was extended 116 to support U-label, as defined in [RFC5890]. 118 This document further refines Internationalized [RFC6531] Mailbox 119 ABNF rules and calls this SmtpUTF8Mailbox. In SmtpUTF8Mailbox, sub- 120 domain that encode non-ASCII characters SHALL use U-label Unicode 121 native character labels and MUST NOT use A-label [RFC5890]. This 122 restriction prevents having to determine which label encoding A- or 123 U-label is present in the Domain. As per Section 2.3.2.1 of 124 [RFC5890], U-label use UTF-8 [RFC3629] with Normalization Form C and 125 other properties specified there. In SmtpUTF8Mailbox, sub-domain 126 that encode ASCII character labels SHALL use NR-LDH restrictions as 127 specified by section 2.3.1 of [RFC5890] and SHALL be restricted to 128 lower case letters. One suggested approach to apply these sub- 129 domains restriction is to restrict sub-domain so that labels not 130 start with two letters followed by two hyphen-minus characters. 131 Consistent with the treatment of rfc822Name in [RFC5280], 132 SmtpUTF8Name is an envelope and has no phrase (such as a 133 common name) before it, has no comment (text surrounded in 134 parentheses) after it, and is not surrounded by "<" and ">". 136 In the context of building name constraint as needed by [RFC5280], 137 the SmtpUTF8Mailbox rules are modified to allow partial productions 138 to allow for additional forms required by Section 6. Name 139 constraints may specify a complete email address, host name, or 140 domain. This means that the local-part may be missing, and domain 141 partially specified. 143 SmtpUTF8Name is encoded as UTF8String. The UTF8String encoding MUST 144 NOT contain a Byte-Order- Mark (BOM) [RFC3629] to aid consistency 145 across implementations particularly for comparison. 147 4. IDNA2008 149 To facilitate comparison between email addresses, all email address 150 domain in X.509 certificates MUST conform to IDNA2008 [RFC5890]. 151 Otherwise non-conforming email address domains introduces the 152 possibility of conversion errors between alternate forms. This 153 applies to SmtpUTF8Mailbox and rfc822Name in subjectAltName, 154 issuerAltName and anywhere else that GeneralName is used. 156 5. Matching of Internationalized Email Addresses in X.509 certificates 158 In equivalence comparison with SmtpUTF8Name, there may be some setup 159 work to enable the comparison i.e. processing of the SmtpUTF8Name 160 content or the email address that is being compared against. The 161 process for setup for comparing with SmtpUTF8Name is split into 162 domain steps and local- part steps. The comparison form for local- 163 part always is UTF-8. The comparison form for domain depends on 164 context. While some contexts such as certificate path validation in 165 [RFC5280] specify transforming domain to A-label, this document 166 RECOMMENDS transforming to UTF-8 U-label instead. This reduces the 167 likelihood of errors by reducing conversions as more implementations 168 natively support U-label domains. 170 Comparison of two SmtpUTF8Name is straightforward with no setup work 171 needed. They are considered equivalent if there is an exact octet- 172 for-octet match. Comparison with other email address forms such as 173 Internationalized email address or rfc822Name requires additional 174 setup steps. Domain setup is particularly important for forms that 175 may contain A- or U-label such as International email address, or 176 A-label only forms such as rfc822Name. This document specifies the 177 process to transform the domain to U-label. (To convert the domain 178 to A-label, follow the process specified in section 7.5 and 7.2 in 179 [RFC5280]) The first step is to detect A-label by using section 5.1 180 of [RFC5891]. Next if necessary, transform the A-label to U-label 181 Unicode as specified in section 5.2 of [RFC5891]. Finally if 182 necessary convert the Unicode to UTF-8 as specified in section 3 of 183 [RFC3629]. For ASCII NR-LDH labels, upper case letters are converted 184 to lower case letters. In setup for SmtpUTF8Mailbox, the email 185 address local-part MUST conform to the requirements of [RFC6530] and 186 [RFC6531], including being a string in UTF-8 form. In particular, 187 the local-part MUST NOT be transformed in any way, such as by doing 188 case folding or normalization of any kind. The part of 189 an Internationalized email address is already in UTF-8. For 190 rfc822Name the local-part, which is IA5String (ASCII), trivially maps 191 to UTF-8 without change. Once setup is complete, they are again 192 compared octet-for-octet. 194 To summarize non-normatively, the comparison steps including setup 195 are: 197 1. If the domain contains A-labels, transform them to U-label. 199 2. If the domain contains ASCII NR-LDH labels, lowercase them. 201 3. Ensure local-part is UTF-8. 203 4. Compare strings octet-for-octet for equivalence. 205 This specification expressly does not define any wildcards characters 206 and SmtpUTF8Name comparison implementations MUST NOT interpret any 207 character as wildcards. Instead, to specify multiple email addresses 208 through SmtpUTF8Name, the certificate SHOULD use multiple 209 subjectAltNames or issuerAltNames to explicitly carry those email 210 addresses. 212 6. Name constraints in path validation 214 This section defines use of SmtpUTF8Name name for name constraints. 215 The format for SmtpUTF8Name in name constraints is identical to the 216 use in subjectAltName as specified in Section 3 with the extension as 217 noted there for partial productions. 219 Constraint comparison on complete email address with SmtpUTF8Name 220 name uses the matching procedure defined by Section 5. As with 221 rfc822Name name constraints as specified in Section 4.2.1.10 of 222 [RFC5280], SmtpUTF8Name name can specify a particular mailbox, all 223 addresses at a host, or all mailboxes in a domain by specifying the 224 complete email address, a host name, or a domain. Name constraint 225 comparisons in the context of [RFC5280] that are specified with 226 SmtpUTF8Name name are only done on the subjectAltName SmtpUTF8Name 227 name and not on other forms. Similarly rfc822Name name constraints 228 do not apply to subjectAltName SmtpUTF8Name name. This imposes 229 requirements on the certificate issuer as described next. 231 When name constraints are used with SmtpUTF8Name subject alternative 232 names, the constraints are specified by the following changes to the 233 path validator to prevent bypass of the name constraints. The email 234 address path validator in Section 6 of [RFC5280] is modified to 235 consider: 237 1. When neither rfc822Name nor SmtpUTF8Name name constraints are 238 present in any issuer CA certificate, then path validation does 239 not add restrictions on children certificates with rfc822Name or 240 SmtpUTF8Name subject alternative names. That is any combination 241 of rfc822Name or SmtpUTF8Name subject alternative names may be 242 present. 244 2. If issuer CA certificates contain only rfc822Name name 245 constraints, then those constraints apply to rfc822Name subject 246 alternative name in children certificates. SmtpUTF8Name subject 247 alternative name are prohibited in those same certificates, that 248 is those certificates MUST be rejected by the path verifier. 250 3. When both rfc822Name and SmtpUTF8Name name constraints are 251 present in all issuer CA certificates that have either form, then 252 the path verifier applies the constraint of the subject 253 alternative name form in children certificates. This allows any 254 combination of rfc822Name or SmtpUTF8Name subject alternative 255 names to be present and implies that the issuer has applied 256 appropriate name constraints. While commonly the alternative 257 forms will be equivalent, they need not be, as the forms can 258 represent features not present in its counterpart. One instance 259 of this is when the issuer wants to name constrain domain or 260 hostname using the rules of a particular form. 262 4. If some issuer CA certificates contain only SmtpUTF8Name name 263 constraints, then those are at risk of bypass with rfc822Name 264 subject alternative names when processed by legacy verifiers. To 265 prevent this, issuers MUST also publish rfc822Name name 266 constraint that prevent those bypasses. This occurs when both 267 rfc822Name and SmtpUTF8Name constraint forms can represents the 268 same host, domain or email address, and both are needed. Even 269 when the constraints are asymmetric such as when the issuer 270 wishes to constrain an email address with an UTF-8 local part, a 271 non empty rfc822Name name constraint may be needed if there isn't 272 one already so that the path verifier initializes correctly. 274 When both name constraints are present, the contents depends on the 275 usage. If the issuer desires to represent the same NR-LDH host or 276 domain, then it is the same string in both rfc822Name and 277 SmtpUTF8Name. If the host or domain labels contain UTF-8, then the 278 labels may be used directly in SmtpUTF8Name noting the restriction in 279 Section 5 and transformed to A-label for rfc822Name using the process 280 described in [RFC5280]. Email addresses that use ASCII local-part 281 use the same processing procedures for host or domain. 283 If the issuer wishes to represent the name constraint asymmetrically, 284 with either rfc822Name or SmtpUTF8Name to respectively represent some 285 A-label or U-label in the domain or host, the alternate name 286 constraint form must still be present. If nothing needs be 287 represented by the alternate form, then empty name constraint can 288 described by the "invalid" TLD that helps initialize the name 289 constraint path validation set. Or alternatively it may be omitted 290 if some other name constraint pair, provides a name constraint of 291 that form. In particular this initialization may be needed when 292 SmtpUTF8Name is used to represent an email address name constraint 293 with an UTF-8 local-part and rfc822Name cannot represent such a email 294 address constraint. 296 The name constraint requirement with SmtpUTF8Name subject alternative 297 name is illustrated in the non-normative diagram Figure 1 with 298 several examples. (3a) shows an issuer constraining a NR-LDH 299 hostname with rfc822Name and SmtpUTF8Name so that they can issue 300 ASCII and UTF-8 local-name email addresses certificates. (3b) shows 301 an issuer constraining a hostname containing a non-ASCII label for 302 u+5C0Fu+5B66 (elementary school). (3c) demonstrates that a hostname 303 constraint with an rfc822Name is distinguishable from its 304 SmtpUTF8Name constraint, and that only the rfc822Name form is 305 permitted. No 'invalid' SmtpUTF8Name constraint is needed since 306 other SmtpUTF8Name constraints are present. (3d) similarly 307 demonstrates this capability to restrict a name constraint to 308 SmtpUTF8Name only. (3e) shows that a non-ASCII local- part email 309 address can also be constrained to be permitted using SmtpUTF8Name. 310 It too does not need an 'invalid' rfc822Name as other rfc822Name 311 constrains are present. Diagram Figure 2 illustrates (non- 312 normatively) a different certificate chain that does need the 313 'invalid' name constraint. (3f) constrains a non-ASCII local-part 314 email address using a SmtpUTF8Name name constraint but requires a 315 rfc822Name 'invalid' constraint because it lacks any other rfc822Name 316 constraints needed to initialize the name constraint path 317 verification. The next non-normative diagram Figure 3 illustrates 318 legacy name constraints that contrasts the changes this document 319 specifies. The legacy approach (2) has only a single rfc822Name name 320 email address name constraint. 322 +-------------------------------------------------------------------+ 323 | Root CA Cert | 324 +-------------------------------------------------------------------+ 325 | 326 v 327 +-------------------------------------------------------------------+ 328 | Intermediate CA Cert | 329 | Permitted | 330 | rfc822Name: nr.ldh.host.example.com (3a) | 331 | SmtpUTF8Name: nr.ldh.host.example.com (3a) | 332 | | 333 | rfc822Name: u+5C0Fu+5B66.host.example.com (3b) | 334 | SmtpUTF8Name: xn--48s3o.host.example.com (3b) | 335 | | 336 | rfc822Name: xn--pss25c.a.label.example.com (3c) | 337 | | 338 | SmtpUTF8Name: u+4E2Du+5B66.u.label.example.com (3d) | 339 | | 340 | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3e) | 341 +-------------------------------------------------------------------+ 342 | 343 v 344 +-------------------------------------------------------------------+ 345 | Entity Cert (w/explicitly permitted subjects) | 346 | SubjectAltName Extension | 347 | rfc822Name: student@nr.ldh.host.example.com (3a) | 348 | SmtpUTF8Name: u+5B66u+751F@nr.ldh.host.example.com (3a) | 349 | | 350 | rfc822Name: student@u+5C0Fu+5B66.host.example.com (3b) | 351 | SmtpUTF8Name: u+5B66u+751F@xn--48s3o.host.example.com (3b) | 352 | | 353 | rfc822Name: student@xn--pss25c.a.label.example.com (3c) | 354 | | 355 | SmtpUTF8Name: student@u+4E2Du+5B66.u.label.example.com (3d) | 356 | | 357 | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3e) | 358 +-------------------------------------------------------------------+ 360 Name constraints with SmtpUTF8Name and rfc822Name 362 Figure 1 364 +-------------------------------------------------------------------+ 365 | Root CA Cert | 366 +-------------------------------------------------------------------+ 367 | 368 v 369 +-------------------------------------------------------------------+ 370 | Intermediate CA Cert | 371 | Name Constraint Extension | 372 | Permitted | 373 | rfc822Name: invalid (3f) | 374 | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3f) | 375 +-------------------------------------------------------------------+ 376 | 377 v 378 +-------------------------------------------------------------------+ 379 | Entity Cert (w/explicitly permitted subjects) | 380 | SubjectAltName Extension | 381 | SmtpUTF8Name: u+8001u+5E2B@i18n.email.example.com (3f) | 382 +-------------------------------------------------------------------+ 384 Name constraints with SmtpUTF8Name email address and empty rfc822Name 386 Figure 2 388 +-------------------------------------------------------------------+ 389 | Root CA Cert | 390 +-------------------------------------------------------------------+ 391 | 392 v 393 +-------------------------------------------------------------------+ 394 | Intermediate CA Cert | 395 | Name Constraint Extension | 396 | Permitted | 397 | rfc822Name: student@email.example.com (2) | 398 +-------------------------------------------------------------------+ 399 | 400 v 401 +-------------------------------------------------------------------+ 402 | Entity Cert (w/explicitly permitted subjects) | 403 | SubjectAltName Extension | 404 | rfc822Name: student@email.example.com (2) | 405 +-------------------------------------------------------------------+ 407 Legacy name constraints with rfc822Name 409 Figure 3 411 7. Deployment Considerations 413 For email addresses whose local-part is ASCII it may be more 414 reasonable to continue using rfc822Name instead of SmtpUTF8Name. The 415 use of rfc822Name rather than SmtpUTF8Name is currently more likely 416 to be supported. Also use of SmtpUTF8Name incurs higher byte 417 representation overhead due to encoding with otherName and the 418 additional OID needed. This may be offset if domain requires non- 419 ASCII characters as SmtpUTF8Name supports U-label whereas rfc822Name 420 supports A-label. This document RECOMMENDS using SmtpUTF8Name when 421 local-part contains non-ASCII characters, and otherwise rfc822Name. 423 8. Security Considerations 425 Use for SmtpUTF8Name for certificate subjectAltName (and 426 issuerAltName) will incur many of the same security considerations of 427 Section 8 in [RFC5280] but is further complicated by permitting non- 428 ASCII characters in the email address local-part. This complication, 429 as mentioned in Section 4.4 of [RFC5890] and in Section 4 of 430 [RFC6532], is that use of Unicode introduces the risk of visually 431 similar and identical characters which can be exploited to deceive 432 the recipient. The former document references some means to mitigate 433 against these attacks. 435 9. IANA Considerations 437 in Section Section 3 and the ASN.1 module identifier defined in 438 Section Appendix A. IANA is kindly requested to make the following 439 assignments for: 441 The LAMPS-EaiAddresses-2016 ASN.1 module in the "SMI Security for 442 PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). 444 The SmtpUTF8Name otherName in the "PKIX Other Name Forms" registry 445 (1.3.6.1.5.5.7.8). 447 10. References 449 10.1. Normative References 451 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 452 Requirement Levels", BCP 14, RFC 2119, 453 DOI 10.17487/RFC2119, March 1997, 454 . 456 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 457 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 458 2003, . 460 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 461 Specifications: ABNF", STD 68, RFC 5234, 462 DOI 10.17487/RFC5234, January 2008, 463 . 465 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 466 Housley, R., and W. Polk, "Internet X.509 Public Key 467 Infrastructure Certificate and Certificate Revocation List 468 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 469 . 471 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 472 DOI 10.17487/RFC5321, October 2008, 473 . 475 [RFC5890] Klensin, J., "Internationalized Domain Names for 476 Applications (IDNA): Definitions and Document Framework", 477 RFC 5890, DOI 10.17487/RFC5890, August 2010, 478 . 480 [RFC5891] Klensin, J., "Internationalized Domain Names in 481 Applications (IDNA): Protocol", RFC 5891, 482 DOI 10.17487/RFC5891, August 2010, 483 . 485 [RFC6530] Klensin, J. and Y. Ko, "Overview and Framework for 486 Internationalized Email", RFC 6530, DOI 10.17487/RFC6530, 487 February 2012, . 489 [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized 490 Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, 491 . 493 [RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized 494 Email Headers", RFC 6532, DOI 10.17487/RFC6532, February 495 2012, . 497 10.2. Informative References 499 [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the 500 Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, 501 DOI 10.17487/RFC5912, June 2010, 502 . 504 Appendix A. ASN.1 Module 506 The following ASN.1 module normatively specifies the SmtpUTF8Name 507 structure. This specification uses the ASN.1 definitions from 508 [RFC5912] with the 2002 ASN.1 notation used in that document. 509 [RFC5912] updates normative documents using older ASN.1 notation. 511 LAMPS-EaiAddresses-2016 512 { iso(1) identified-organization(3) dod(6) 513 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 514 id-mod-lamps-eai-addresses-2016(TBD) } 516 DEFINITIONS IMPLICIT TAGS ::= 517 BEGIN 519 IMPORTS 520 OTHER-NAME 521 FROM PKIX1Implicit-2009 522 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 523 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } 525 id-pkix 526 FROM PKIX1Explicit-2009 527 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 528 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; 530 -- 531 -- otherName carries additional name types for subjectAltName, 532 -- issuerAltName, and other uses of GeneralNames. 533 -- 535 id-on OBJECT IDENTIFIER ::= { id-pkix 8 } 537 SmtpUtf8OtherNames OTHER-NAME ::= { on-SmtpUTF8Name, ... } 539 on-SmtpUTF8Name OTHER-NAME ::= { 540 SmtpUTF8Name IDENTIFIED BY id-on-SmtpUTF8Name 541 } 543 id-on-SmtpUTF8Name OBJECT IDENTIFIER ::= { id-on 9 } 545 SmtpUTF8Name ::= UTF8String (SIZE (1..MAX)) 547 END 549 Figure 4 551 Appendix B. Example of SmtpUTF8Name 553 This non-normative example demonstrates using SmtpUTF8Name as an 554 otherName in GeneralName to encode the email address 555 "u+8001u+5E2B@example.com". 557 The hexadecimal DER encoding of the email address is: 558 A022060A 2B060105 05070012 0809A014 0C12E880 81E5B8AB 40657861 559 6D706C65 2E636F6D 561 The text decoding is: 562 0 34: [0] { 563 2 10: OBJECT IDENTIFIER '1 3 6 1 5 5 7 0 18 8 9' 564 14 20: [0] { 565 16 18: UTF8String '..@example.com' 566 : } 567 : } 569 Figure 5 571 The example was encoded on the OSS Nokalva ASN.1 Playground and the 572 above text decoding is an output of Peter Gutmann's "dumpasn1" 573 program. 575 Appendix C. Acknowledgements 577 Thank you to Magnus Nystrom for motivating this document. Thanks to 578 Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean 579 Leonard, Sean Turner, John Levine, and Patrik Falstrom for their 580 feedback. Also special thanks to John Klensin for his valuable input 581 on internationalization, Unicode and ABNF formatting, to Jim Schaad 582 for his help with the ASN.1 example and his helpful feedback, and to 583 Viktor Dukhovni for his help with name constraints. 585 Authors' Addresses 587 Alexey Melnikov (editor) 588 Isode Ltd 589 14 Castle Mews 590 Hampton, Middlesex TW12 2NP 591 UK 593 Email: Alexey.Melnikov@isode.com 594 Weihaw Chuang (editor) 595 Google, Inc. 596 1600 Amphitheatre Parkway 597 Mountain View, CA 94043 598 US 600 Email: weihaw@google.com