
Last Call Review of draft-ietf-lamps-rfc8398bis-03
review-ietf-lamps-rfc8398bis-03-artart-lc-levine-2024-01-30-00

Request Review of draft-ietf-lamps-rfc8398bis
Requested revision No specific revision (document currently at 05)
Type Last Call Review
Team ART Area Review Team (artart)
Deadline 2024-02-02
Requested 2024-01-19
Authors Alexey Melnikov, Wei Chuang, Corey Bonnell
I-D last updated 2024-01-30
Completed reviews Artart Telechat review of -04 by John R. Levine
Dnsdir Last Call review of -03 by Peter van Dijk
Genart Last Call review of -03 by Vijay K. Gurbani
Secdir Last Call review of -03 by Rich Salz
Artart Last Call review of -03 by John R. Levine
Assignment Reviewer John R. Levine
State Completed
Request Last Call review on draft-ietf-lamps-rfc8398bis by ART Area Review Team Assigned
Posted at https://mailarchive.ietf.org/arch/msg/art/BqXdMs-WU_rZ8h-t6DBT13AGwh8
Reviewed revision 03 (document currently at 05)
Result Ready w/nits
Completed 2024-01-30
This minor update is fine.

Unicode often provides vast numbers of ways to encode a string of text, and
some rules like NFC and NFD to try to choose preferred encodings. But RFC6531
allows most UTF-8 code points in a local part and says nothing about preferred
encodings. (I don't blame them, since anything they said would have been at
best a guess, and there are way worse problems than NFC like you cannot fold
upper and lower case without knowing what language the string is in and
sometimes not even then.) Also, even though IDNA says U-labels and A-labels are
equivalent, a lot of mail software doesn't treat them that way so you often
have to alias the A- and U- versions of local domains in the mail system
configuration to deliver them to the same place.

This means that it is dismayingly easy to put an address in a SmtpUTF8Mailbox
which looks exactly like the address on the From: line but is different UTF-8.
I'm not sure there's anything you can do about that other than perhaps warn
people of the problems and encourage them to be sure the address they put in
the certificate is the same as the one in the mail system.
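
The mismatch described in the review, as an added example that is not part of the review or of the draft: a Python check that compares a certificate's SmtpUTF8Mailbox value with a From: address byte for byte and, when they differ, reports whether the local part differs only in normalization form or the domain differs only in A-label versus U-label form. The function names and sample addresses are constructed for illustration, and Python's built-in `idna` codec (IDNA 2003) is an assumption standing in for whatever IDNA handling the mail system uses.

```python
import unicodedata

def split_address(addr):
    """Split on the last '@' so a quoted local part containing '@' stays intact."""
    local, _, domain = addr.rpartition("@")
    return local, domain

def domain_key(domain):
    """Reduce a domain to lowercase A-label form (built-in codec, IDNA 2003)."""
    try:
        return domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # not convertible; treated as unequal to everything

def compare_mailbox(cert_mailbox, from_addr):
    """Explain how a certificate mailbox differs from a From: address."""
    if cert_mailbox.encode("utf-8") == from_addr.encode("utf-8"):
        return ["identical"]
    c_local, c_dom = split_address(cert_mailbox)
    f_local, f_dom = split_address(from_addr)
    findings = []
    if c_local != f_local:
        # Same text after NFC means only the choice of code points differs.
        same_nfc = (unicodedata.normalize("NFC", c_local)
                    == unicodedata.normalize("NFC", f_local))
        findings.append("local-part-normalization" if same_nfc
                        else "local-part-differs")
    if c_dom != f_dom:
        # Equal after lowercasing and A-label conversion: same domain, other form.
        key = domain_key(c_dom)
        same = key is not None and key == domain_key(f_dom)
        findings.append("domain-label-form" if same else "domain-differs")
    return findings

# Constructed sample addresses (not from the review).
NFC_ADDR = "jos\u00e9@b\u00fccher.example"       # precomposed e-acute, U-label
NFD_ADDR = "jose\u0301@b\u00fccher.example"      # e + combining acute accent
ALABEL_ADDR = "jos\u00e9@xn--bcher-kva.example"  # same domain as an A-label

if __name__ == "__main__":
    for other in (NFC_ADDR, NFD_ADDR, ALABEL_ADDR):
        print(repr(other), compare_mailbox(NFC_ADDR, other))
```

Any result other than `identical` means a byte-for-byte comparison of the two addresses fails even though they may render the same on screen.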