Skip to main content

Shepherd writeup

Shepherd Write-up for draft-ietf-lamps-rfc5280-i18n-update-02

1. Summary

The document shepherd is Phillip Hallam-Baker. The responsible Area Director is
Eric Rescorla.

This new RFC will update RFC 5280, which is a Proposed Standard.

This document specifies updates to RFC 5280 provide clarity on the handling of
Internationalized Domain Names (IDNs) and Internationalized Email Addresses in
X.509 Certificates. The changes in this document are essentially a changelog on
RFC 5280. Additional material relating to email addresses is presented
separately in draft-ietf-lamps-eai-addresses-11.txt

The actual encoding of internationalized characters in a certificate is almost
straightforward, Unicode works. One major complicating factor is that a PKIX
certificate is encoded in ASN.1 which provides multiple mechanisms for
character encoding and internationalized DNS names are encoded in yet another
encoding which provides multiple options.

For the purposes of PKIX, it is important that the specification pick one
encoding and stick to it. PKIX certificate signing certificates may contain
name constraints limiting the set of valid end entity certificates that can be
signed in a path that contains them. This is used in the field to mitigate the
potential damage resulting from compromise of an local issuer. So Carol CA may
issue a certificate to allowing it to issue certificates for S/MIME
users <any> using a locally held key but cannot (validly) sign any
other certificates.

The specification requires all the DNS labels to be encoded in ACE form which
is a canonical form for DNS labels. 5280 allowed constraints to be specific to
a particular address, this has been removed as rarely used and introducing
unnecessary complications.

The chief security problem faced in the use of internationalized characters in
a security specification is that multiple code points in the character set map
to identical or near identical glyphs. Attacks exploiting this feature are
known as homomorphic attacks and are widely understood as a problem in the
field. This document is largely a codification of restrictions that represent
common but largely undocumented practice.

This is addressed (although not necessarily for every conceivable corner case)
by RFC 5892 (known as IDNA2008) this is incorporated into the PKIX
specification in this draft and further consideration given to the issue in

2. Review and Consensus

This draft contains the uncomplicated and uncontroversial parts of the problem.
Some of the changes are already implied in prior RFCs. The remainder are of the
‘just pick one’ variety.

There has been little discussion on the list on this document but considerably
more on the companion. Patrik Fältström read and approved the document. Minor
updates made. Further minor updates were made to clear nits in the -02 version
in response to queries from the Shepherd. No nits remain, the four comments
being for known issues that are addressed.

The draft was discussed by the WG in Chicago as part of the general IDN

3. Intellectual Property

The author reports no IPR issues and none have been reported.

4. Other Points

Normative reference to draft-ietf-lamps-eai-addresses-11.txt

Proposed Document Announcement Write-Up:

  Technical Summary:

    This document provides updates to RFC 5280 regarding the handling of
    Internationalized Domain Names (IDNs) and Internationalized Email
    Addresses in X.509 Certificates.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    X.509 certificates are supported by many Certification Authorities
    and relying parties, especially browsers and S/MIME clients. Several
    implementers have said that they will implement the features in this