Yes, this looks right.

On 7/26/22 4:03 PM, Salz, Rich wrote:
I think you’re right, and that it was a mistake (caused by my ignorance of details of DNS/IDNA stuff) to not remove it.

From: Corey Bonnell <Corey.Bonnell=40digicert....@dmarc.ietf.org>
Date: Tuesday, July 26, 2022 at 5:57 PM
To: "uta@ietf.org" <uta@ietf.org>
Subject: [Uta] Security consideration for IDNs in draft-ietf-uta-rfc6125bis

Hello,

Apologies for not flagging this sooner, but I did want to raise this while a revised I-D is needed for addressing IP-IDs so perhaps this could be addressed as well.

Section 7.2 [1] contains the following guidance:

“Allowing internationalized domain names can lead to visually similar characters, also referred to as "confusables", being included within certificates. For discussion, see for example [IDNA-DEFS <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#IDNA-DEFS>], Section 4.4 <https://rfc-editor.org/rfc/rfc5890#section-4.4> and [UTS-39 <https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#UTS-39>].”

This document obsoletes the use of CN-IDs which may contain U-Labels as a source of presented identifiers. All types of identifiers specified in the document (DNS-ID, SRV-ID, and URI-ID) will have IDNs encoded as A-labels in certificates due to the limited character repertoire of IA5String, so it is not possible to encode the U-label representation of IDNs in the SAN for these types.

Given this, I’m unsure of the value of having this consideration included, especially since the document describes an automated process of matching identifiers where the presence of “confusables” in the U-label representation of such identifiers has no bearing. Unless I’m missing something, I think this consideration should be removed.

Thanks,

Corey

[1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#section-7.2


_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
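
The point raised in the thread, that DNS-IDs are carried as A-labels in an IA5String and compared in that form, shown as an added example that is not part of the original messages or of the draft. It assumes Python's built-in `idna` codec (IDNA2003) for the U-label to A-label conversion, uses constructed `.example` names, and leaves out wildcard handling.

```python
# Added illustration: function names and sample domains are constructed.

def is_ia5(value: str) -> bool:
    """dNSName in a SAN is an IA5String, so every character must be 7-bit."""
    return all(ord(ch) < 0x80 for ch in value)


def to_a_label_name(name: str) -> str:
    """Return the A-label (ASCII) form of a domain name, lower-cased.

    Assumption: Python's built-in 'idna' codec (IDNA2003) stands in for
    whatever IDNA processing a real client applies to its reference name.
    """
    return name.encode("idna").decode("ascii").lower()


def dns_id_matches(reference: str, presented_dns_id: str) -> bool:
    """Compare a reference identifier with a presented DNS-ID.

    The reference may be typed as a U-label; the presented value must already
    be ASCII because it came out of an IA5String. Comparison is a
    case-insensitive match on the A-label forms.
    """
    if not is_ia5(presented_dns_id):
        return False  # cannot be a well-formed dNSName value
    return to_a_label_name(reference) == presented_dns_id.lower()


# Constructed sample: Latin "bank" versus a look-alike whose second
# character is CYRILLIC SMALL LETTER A (U+0430).
LATIN = "bank.example"
LOOKALIKE = "b\u0430nk.example"

if __name__ == "__main__":
    lookalike_a = to_a_label_name(LOOKALIKE)
    print("A-label of look-alike:", lookalike_a)
    print("Latin ref vs look-alike cert:", dns_id_matches(LATIN, lookalike_a))
    print("Latin ref vs Latin cert:     ", dns_id_matches(LATIN, "BANK.example"))
```

The two names render almost identically as U-labels, but their A-label forms differ, so the automated comparison never treats one as the other.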