Shepherd Write-up for draft-ietf-lamps-rfc5280-i18n-update-02
The document shepherd is Phillip Hallam-Baker. The responsible Area Director is Eric Rescorla.
This new RFC will update RFC 5280, which is a Proposed Standard.
This document specifies updates to RFC 5280 provide clarity on the handling of Internationalized Domain Names (IDNs) and Internationalized Email Addresses in X.509 Certificates. The changes in this document are essentially a changelog on RFC 5280. Additional material relating to email addresses is presented separately in draft-ietf-lamps-eai-addresses-11.txt
The actual encoding of internationalized characters in a certificate is almost straightforward, Unicode works. One major complicating factor is that a PKIX certificate is encoded in ASN.1 which provides multiple mechanisms for character encoding and internationalized DNS names are encoded in yet another encoding which provides multiple options.
For the purposes of PKIX, it is important that the specification pick one encoding and stick to it. PKIX certificate signing certificates may contain name constraints limiting the set of valid end entity certificates that can be signed in a path that contains them. This is used in the field to mitigate the potential damage resulting from compromise of an local issuer. So Carol CA may issue a certificate to example.com allowing it to issue certificates for S/MIME users <any>@example.com using a locally held key but cannot (validly) sign any other certificates.
The specification requires all the DNS labels to be encoded in ACE form which is a canonical form for DNS labels. 5280 allowed constraints to be specific to a particular address, this has been removed as rarely used and introducing unnecessary complications.
The chief security problem faced in the use of internationalized characters in a security specification is that multiple code points in the character set map to identical or near identical glyphs. Attacks exploiting this feature are known as homomorphic attacks and are widely understood as a problem in the field. This document is largely a codification of restrictions that represent common but largely undocumented practice.
This is addressed (although not necessarily for every conceivable corner case) by RFC 5892 (known as IDNA2008) this is incorporated into the PKIX specification in this draft and further consideration given to the issue in draft-ietf-lamps-eai-addresses-11.txt.
2. Review and Consensus
This draft contains the uncomplicated and uncontroversial parts of the problem. Some of the changes are already implied in prior RFCs. The remainder are of the ‘just pick one’ variety.
There has been little discussion on the list on this document but considerably more on the companion. Patrik Fältström read and approved the document. Minor updates made. Further minor updates were made to clear nits in the -02 version in response to queries from the Shepherd. No nits remain, the four comments being for known issues that are addressed.
The draft was discussed by the WG in Chicago as part of the general IDN discussion.
3. Intellectual Property
The author reports no IPR issues and none have been reported.
4. Other Points
Normative reference to draft-ietf-lamps-eai-addresses-11.txt
Proposed Document Announcement Write-Up:
This document provides updates to RFC 5280 regarding the handling of
Internationalized Domain Names (IDNs) and Internationalized Email
Addresses in X.509 Certificates.
Working Group Summary:
There is consensus for this document in the LAMPS WG.
X.509 certificates are supported by many Certification Authorities
and relying parties, especially browsers and S/MIME clients. Several
implementers have said that they will implement the features in this