rfc9598.original   rfc9598.txt 
Network Working Group A. Melnikov Internet Engineering Task Force (IETF) A. Melnikov
Internet-Draft Isode Ltd Request for Comments: 9598 Isode Ltd
Obsoletes: 8398 (if approved) W. Chuang Obsoletes: 8398 W. Chuang
Updates: 5280 (if approved) Google, Inc. Updates: 5280 Google, Inc.
Intended status: Standards Track C. Bonnell Category: Standards Track C. Bonnell
Expires: 16 August 2024 DigiCert ISSN: 2070-1721 DigiCert
13 February 2024 May 2024
Internationalized Email Addresses in X.509 Certificates Internationalized Email Addresses in X.509 Certificates
draft-ietf-lamps-rfc8398bis-05
Abstract Abstract
This document defines a new name form for inclusion in the otherName This document defines a new name form for inclusion in the otherName
field of an X.509 Subject Alternative Name and Issuer Alternative field of an X.509 Subject Alternative Name and Issuer Alternative
Name extension that allows a certificate subject to be associated Name extension that allows a certificate subject to be associated
with an internationalized email address. with an internationalized email address.
This document updates RFC 5280 and obsoletes RFC 8398. This document updates RFC 5280 and obsoletes RFC 8398.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://CBonnell.github.io/draft-lamps-rfc8398-bis/draft-bonnell-
lamps-rfc8398bis.html. Status information for this document may be
found at https://datatracker.ietf.org/doc/draft-ietf-lamps-
rfc8398bis/.
Discussion of this document takes place on the Limited Additional
Mechanisms for PKIX and SMIME (lamps) Working Group mailing list
(mailto:spasm@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/spasm/. Subscribe at
https://www.ietf.org/mailman/listinfo/spasm/.
Source for this draft and an issue tracker can be found at
https://github.com/CBonnell/draft-lamps-rfc8398-bis.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 16 August 2024. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9598.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 2. Conventions Used in This Document
3. Name Definitions . . . . . . . . . . . . . . . . . . . . . . 3 3. Name Definitions
4. IDNA2008 . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. IDNA2008
5. Matching of Internationalized Email Addresses in X.509 5. Matching of Internationalized Email Addresses in X.509
Certificates . . . . . . . . . . . . . . . . . . . . . . 5 Certificates
6. Name Constraints in Path Validation . . . . . . . . . . . . . 7 6. Name Constraints in Path Validation
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations
8. Differences from RFC 8398 . . . . . . . . . . . . . . . . . . 9 8. Differences from RFC 8398
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 10. References
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 10.1. Normative References
10.2. Informative References . . . . . . . . . . . . . . . . . 11 10.2. Informative References
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 Appendix A. ASN.1 Module
Appendix B. Example of SmtpUTF8Mailbox . . . . . . . . . . . . . 13 Appendix B. Example of SmtpUTF8Mailbox
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 13 Acknowledgments
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses
1. Introduction 1. Introduction
[RFC5280] defines the rfc822Name subjectAltName name type for [RFC5280] defines the rfc822Name subjectAltName name type for
representing email addresses as described in [RFC5321]. The syntax representing email addresses as described in [RFC5321]. The syntax
of rfc822Name is restricted to a subset of US-ASCII characters and of rfc822Name is restricted to a subset of US-ASCII characters and
thus can't be used to represent internationalized email addresses thus can't be used to represent internationalized email addresses
[RFC6531]. This document defines a new otherName variant to [RFC6531]. This document defines a new otherName variant to
represent internationalized email addresses. In addition this represent internationalized email addresses. In addition, this
document requires all email address domains in X.509 certificates to document requires all email address domains in X.509 certificates to
conform to IDNA2008 [RFC5890]. conform to IDNA2008 [RFC5890].
This document obsoletes [RFC8398]. The primary motivation for This document obsoletes [RFC8398]. The primary motivation of this
publication of this document is to simplify the encoding of domain document is to simplify the encoding of domain labels found in the
labels found in the domain part of internationalized email addresses. domain part of internationalized email addresses. In particular,
In particular, [RFC8398] specifies that domain labels are [RFC8398] specifies that domain labels are conditionally encoded
conditionally encoded using either A-labels or U-labels. This using either A-labels or U-labels. This specification simplifies
specification simplifies encoding and processing of domain labels by encoding and processing of domain labels by mandating that the
mandating that the A-label representation be used in all cases. A-label representation be used in all cases.
2. Conventions and Definitions 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in BCP
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Name Definitions 3. Name Definitions
The GeneralName structure is defined in [RFC5280] and supports many The GeneralName structure [RFC5280] supports many different name
different name forms including otherName for extensibility. This forms including otherName for extensibility. This section specifies
section specifies the SmtpUTF8Mailbox name form of otherName so that the SmtpUTF8Mailbox name form of otherName so that internationalized
internationalized email addresses can appear in the subjectAltName of email addresses can appear in the subjectAltName of a certificate,
a certificate, the issuerAltName of a certificate, or anywhere else the issuerAltName of a certificate, or anywhere else that GeneralName
that GeneralName is used. is used.
id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX))
-- SmtpUTF8Mailbox conforms to Mailbox as specified -- SmtpUTF8Mailbox conforms to Mailbox as specified
-- in Section 3.3 of RFC 6531. Additionally, all domain -- in Section 3.3 of RFC 6531. Additionally, all domain
-- labels included in the SmtpUTF8Mailbox value are -- labels included in the SmtpUTF8Mailbox value are
-- encoded as LDH-labels. In particular, domain labels -- encoded as LDH labels. In particular, domain labels
-- are not encoded as U-labels and instead are encoded -- are not encoded as U-labels and instead are encoded
-- using their A-label representation. -- using their A-label representation.
When the subjectAltName (or issuerAltName) extension contains an When the subjectAltName (or issuerAltName) extension contains an
internationalized email address with a non-ASCII Local-part, the internationalized email address with a non-ASCII Local-part, the
address MUST be stored in the SmtpUTF8Mailbox name form of otherName. address MUST be stored in the SmtpUTF8Mailbox name form of otherName.
The format of SmtpUTF8Mailbox is a modified version of the The format of SmtpUTF8Mailbox is a modified version of the
internationalized Mailbox that was defined in Section 3.3 of internationalized Mailbox that was defined in Section 3.3 of
[RFC6531], which was derived from Mailbox as defined in Section 4.1.2 [RFC6531], which was derived from Mailbox as defined in Section 4.1.2
of [RFC5321]. [RFC6531] defines the following ABNF rules for Mailbox of [RFC5321]. [RFC6531] defines the following ABNF rules for Mailbox
skipping to change at page 4, line 29 skipping to change at line 140
described in [RFC6531] and calls this SmtpUTF8Mailbox. In described in [RFC6531] and calls this SmtpUTF8Mailbox. In
SmtpUTF8Mailbox, labels that include non-ASCII characters MUST be SmtpUTF8Mailbox, labels that include non-ASCII characters MUST be
stored in A-label (rather than U-label) form [RFC5890]. This stored in A-label (rather than U-label) form [RFC5890]. This
restriction reduces complexity for implementations of the restriction reduces complexity for implementations of the
certification path validation algorithm defined in Section 6 of certification path validation algorithm defined in Section 6 of
[RFC5280]. In SmtpUTF8Mailbox, domain labels that solely use ASCII [RFC5280]. In SmtpUTF8Mailbox, domain labels that solely use ASCII
characters (meaning neither A- nor U-labels) SHALL use NR-LDH characters (meaning neither A- nor U-labels) SHALL use NR-LDH
restrictions as specified by Section 2.3.1 of [RFC5890]. NR-LDH restrictions as specified by Section 2.3.1 of [RFC5890]. NR-LDH
stands for "Non-Reserved Letters Digits Hyphen" and is the set of LDH stands for "Non-Reserved Letters Digits Hyphen" and is the set of LDH
labels that do not have "--" characters in the third and forth labels that do not have "--" characters in the third and forth
character position, which excludes "tagged domain names" such as character positions, which excludes "tagged domain names" such as
A-labels. To facilitate octet-for-octet comparisons of A-labels. To facilitate octet-for-octet comparisons of
SmtpUTF8Mailbox values, all NR-LDH and A-label labels which SmtpUTF8Mailbox values, all NR-LDH and A-label labels that constitute
constitute the domain part SHALL only be encoded with lowercase the domain part SHALL only be encoded with lowercase letters.
letters. Consistent with the treatment of rfc822Name in [RFC5280], Consistent with the treatment of rfc822Name in [RFC5280],
SmtpUTF8Mailbox is an envelope Mailbox and has no phrase (such as a SmtpUTF8Mailbox is an envelope Mailbox and has no phrase (such as a
common name) before it, has no comment (text surrounded in common name) before it, has no comment (text surrounded in
parentheses) after it, and is not surrounded by "<" and ">" parentheses) after it, and is not surrounded by "<" and ">"
characters. characters.
Due to name constraint compatibility reasons described in Section 6, Due to name constraint compatibility reasons described in Section 6,
SmtpUTF8Mailbox subjectAltName MUST NOT be used unless the Local-part SmtpUTF8Mailbox subjectAltName MUST NOT be used unless the Local-part
of the email address contains non-ASCII characters. When the Local- of the email address contains non-ASCII characters. When the Local-
part is ASCII, rfc822Name subjectAltName MUST be used instead of part is ASCII, rfc822Name subjectAltName MUST be used instead of
SmtpUTF8Mailbox. This is compatible with legacy software that SmtpUTF8Mailbox. This is compatible with legacy software that
supports only rfc822Name (and not SmtpUTF8Mailbox). The appropriate supports only rfc822Name (and not SmtpUTF8Mailbox). The appropriate
usage of rfc822Name and SmtpUTF8Mailbox is summarized in Table 1 usage of rfc822Name and SmtpUTF8Mailbox is summarized in Table 1
below. below.
SmtpUTF8Mailbox is encoded as UTF8String. The UTF8String encoding SmtpUTF8Mailbox is encoded as UTF8String. The UTF8String encoding
MUST NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency MUST NOT contain a Byte Order Mark (BOM) [RFC3629] to aid consistency
across implementations, particularly for comparison. across implementations, particularly for comparison.
+=================+=================+ +=================+=================+
| Local-part char | subjectAltName | | Local-part char | subjectAltName |
+=================+=================+ +=================+=================+
| ASCII-only | rfc822Name | | ASCII-only | rfc822Name |
+-----------------+-----------------+ +-----------------+-----------------+
| non-ASCII | SmtpUTF8Mailbox | | non-ASCII | SmtpUTF8Mailbox |
+-----------------+-----------------+ +-----------------+-----------------+
skipping to change at page 5, line 33 skipping to change at line 191
conforming email address domains introduces the possibility of conforming email address domains introduces the possibility of
conversion errors between alternate forms. This applies to conversion errors between alternate forms. This applies to
SmtpUTF8Mailbox and rfc822Name in subjectAltName, issuerAltName, and SmtpUTF8Mailbox and rfc822Name in subjectAltName, issuerAltName, and
anywhere else that these are used. anywhere else that these are used.
5. Matching of Internationalized Email Addresses in X.509 Certificates 5. Matching of Internationalized Email Addresses in X.509 Certificates
Equivalence comparisons with SmtpUTF8Mailbox consist of a domain part Equivalence comparisons with SmtpUTF8Mailbox consist of a domain part
step and a Local-part step. The comparison form for Local-parts is step and a Local-part step. The comparison form for Local-parts is
always UTF-8. The comparison form for domain parts is always always UTF-8. The comparison form for domain parts is always
performed with the LDH-label ([RFC5890]) encoding of the relevant performed with the LDH label ([RFC5890]) encoding of the relevant
domain labels. The comparison of LDH-labels in domain parts reduces domain labels. The comparison of LDH labels in domain parts reduces
complexity for implementations of the certification path validation complexity for implementations of the certification path validation
algorithm as defined in Section 6 of [RFC5280] by obviating the need algorithm as defined in Section 6 of [RFC5280] by obviating the need
to convert domain labels to their Unicode representation. to convert domain labels to their Unicode representation.
Comparison of two SmtpUTF8Mailboxes is straightforward with no setup Comparison of two SmtpUTF8Mailboxes is straightforward with no setup
work needed. They are considered equivalent if there is an exact work needed. They are considered equivalent if there is an exact
octet-for-octet match. octet-for-octet match.
Comparison of a SmtpUTF8Mailbox and rfc822Name will always fail. Comparison of an SmtpUTF8Mailbox and rfc822Name will always fail.
SmtpUTF8Mailbox values SHALL contain a Local-part which includes one SmtpUTF8Mailbox values SHALL contain a Local-part that includes one
or more non-ASCII characters, while rfc822Names only include ASCII or more non-ASCII characters, while rfc822Names only includes ASCII
characters (including the Local-part). Thus, a SmtpUTF8Mailbox and characters (including the Local-part). Thus, an SmtpUTF8Mailbox and
rfc822Name will never match. rfc822Name will never match.
Comparison of SmtpUTF8Mailbox values with internationalized email Comparison of SmtpUTF8Mailbox values with internationalized email
addresses from other sources (such as received email messages, user addresses from other sources (such as received email messages, user
input, etc.) requires additional setup steps for domain part and input, etc.) requires additional setup steps for domain part and
Local-part. The initial preparation for the email address to compare Local-part. The initial preparation for the email address to compare
with the SmtpUTF8Mailbox value is to remove any phrases, comments, with the SmtpUTF8Mailbox value is to remove any phrases, comments,
and "<" or ">" characters. and "<" or ">" characters.
For the setup of the domain part, the following conversions SHALL be For the setup of the domain part, the following conversions SHALL be
performed: performed:
1. Convert all labels which constitute the domain part that include 1. Convert all labels that constitute the domain part that include
non-ASCII characters to A-labels if not already in that form. non-ASCII characters to A-labels, if not already in that form.
a. Detect all U-labels present within the domain part using a. Detect all U-labels present within the domain part using
Section 5.1 of [RFC5891]. Section 5.1 of [RFC5891].
b. Transform all detected U-labels (Unicode) to A-labels (ASCII) b. Transform all detected U-labels (Unicode) to A-labels (ASCII)
as specified in Section 5.5 of [RFC5891]. as specified in Section 5.5 of [RFC5891].
2. Convert all uppercase letters found within the NR-LDH and A-label 2. Convert all uppercase letters found within the NR-LDH and A-label
labels which constitute the domain part to lowercase letters. labels that constitute the domain part to lowercase letters.
For the setup of the Local-part, the Local-part MUST be verified to For the setup of the Local-part, the Local-part MUST be verified to
conform to the requirements of [RFC6530] and [RFC6531], including conform to the requirements of [RFC6530] and [RFC6531], including
being a string in UTF-8 form. In particular, the Local- part MUST being a string in UTF-8 form. In particular, the Local- part MUST
NOT be transformed in any way, such as by doing case folding or NOT be transformed in any way, such as by doing case folding or
normalization of any kind. The Local-part part of an normalization of any kind. The Local-part of an internationalized
internationalized email address is already in UTF-8. Once setup is email address is already in UTF-8. Once setup is complete, they are
complete, they are again compared octet-for-octet. again compared octet for octet.
To summarize non-normatively, the comparison steps, including setup, To summarize non-normatively, the comparison steps, including setup,
are: are:
1. If the domain contains U-labels, transform them to A-labels. 1. If the domain contains U-labels, transform them to A-labels.
2. If any NR-LDH or A-label domain label in the domain part contains 2. If any NR-LDH or A-label domain label in the domain part contains
uppercase letters, lowercase them. uppercase letters, lowercase them.
3. Compare strings octet-for-octet for equivalence. 3. Compare strings octet for octet for equivalence.
This specification expressly does not define any wildcard characters, This specification expressly does not define any wildcard characters,
and SmtpUTF8Mailbox comparison implementations MUST NOT interpret any and SmtpUTF8Mailbox comparison implementations MUST NOT interpret any
characters as wildcards. Instead, to specify multiple email characters as wildcards. Instead, to specify multiple email
addresses through SmtpUTF8Mailbox, the certificate MUST use multiple addresses through SmtpUTF8Mailbox, the certificate MUST use multiple
subjectAltNames or issuerAltNames to explicitly carry any additional subjectAltNames or issuerAltNames to explicitly carry any additional
email addresses. email addresses.
6. Name Constraints in Path Validation 6. Name Constraints in Path Validation
This section updates Section 4.2.1.10 of [RFC5280] to extend This section updates Section 4.2.1.10 of [RFC5280] to extend
rfc822Name name constraints to SmtpUTF8Mailbox subjectAltNames. rfc822Name name constraints to SmtpUTF8Mailbox subjectAltNames.
SmtpUTF8Mailbox-aware path validators will apply name constraint SmtpUTF8Mailbox-aware path validators will apply name constraint
comparison to the subject distinguished name and both forms of comparison to the subject distinguished name and both forms of
subject alternative names rfc822Name and SmtpUTF8Mailbox. subject alternative names, rfc822Name and SmtpUTF8Mailbox.
Both rfc822Name and SmtpUTF8Mailbox subject alternative names Both rfc822Name and SmtpUTF8Mailbox subject alternative names
represent the same underlying email address namespace. Since legacy represent the same underlying email address namespace. Since legacy
CAs constrained to issue certificates for a specific set of domains Certification Authorities (CAs) constrained to issue certificates for
would lack corresponding UTF-8 constraints, [RFC8399BIS] updates, a specific set of domains would lack corresponding UTF-8 constraints,
modifies, and extends rfc822Name name constraints defined in [RFC9549] updates, modifies, and extends rfc822Name name constraints
[RFC5280] to cover SmtpUTF8Mailbox subject alternative names. This defined in [RFC5280] to cover SmtpUTF8Mailbox subject alternative
ensures that the introduction of SmtpUTF8Mailbox does not violate names. This ensures that the introduction of SmtpUTF8Mailbox does
existing name constraints. Since it is not valid to include non- not violate existing name constraints. Since it is not valid to
ASCII UTF-8 characters in the Local-part of rfc822Name name include non-ASCII UTF-8 characters in the Local-part of rfc822Name
constraints, and since name constraints that include a Local-part are name constraints, and since name constraints that include a Local-
rarely, if at all, used in practice, name constraints updated in part are rarely, if at all, used in practice, name constraints
[RFC8399BIS] allow the forms that represent all addresses at a host updated in [RFC9549] allow the forms that represent all addresses at
or all mailboxes in a domain and deprecates rfc822Name name a host, or all mailboxes in a domain and deprecates rfc822Name name
constraints that represent a particular mailbox. That is, rfc822Name constraints that represent a particular mailbox. That is, rfc822Name
constraints with a Local-part SHOULD NOT be used. constraints with a Local-part SHOULD NOT be used.
Constraint comparison with SmtpUTF8Mailbox subjectAltName starts with Constraint comparison with SmtpUTF8Mailbox subjectAltName starts with
the setup steps defined by Section 5. Setup converts the inputs of the setup steps defined in Section 5. Setup converts the inputs of
the comparison (which is one of a subject distinguished name, an the comparison (which is one of a subject distinguished name, an
rfc822Name, or an SmtpUTF8Mailbox subjectAltName, and one of an rfc822Name, or an SmtpUTF8Mailbox subjectAltName, and one of an
rfc822Name name constraint) to constraint comparison form. For both rfc822Name name constraint) to constraint comparison form. For both
the name constraint and the subject, this will convert all A-labels the name constraint and the subject, this will convert all A-labels
and NR-LDH labels to lowercase. Strip the Local-part and "@" and NR-LDH labels to lowercase. Strip the Local-part and "@"
separator from each rfc822Name and SmtpUTF8Mailbox, leaving just the separator from each rfc822Name and SmtpUTF8Mailbox, which leaves just
domain part. After setup, this follows the comparison steps defined the domain part. After setup, follow the comparison steps defined in
in Section 4.2.1.10 of [RFC5280] as follows. If the resulting name Section 4.2.1.10 of [RFC5280] as follows. If the resulting name
constraint domain starts with a "." character, then for the name constraint domain starts with a "." character, then for the name
constraint to match, a suffix of the resulting subject alternative constraint to match, a suffix of the resulting subject alternative
name domain MUST match the name constraint (including the leading name domain MUST match the name constraint (including the leading
".") octet-for-octet. If the resulting name constraint domain does ".") octet for octet. If the resulting name constraint domain does
not start with a "." character, then for the name constraint to not start with a "." character, then for the name constraint to
match, the entire resulting subject alternative name domain MUST match, the entire resulting subject alternative name domain MUST
match the name constraint octet-for-octet. match the name constraint octet for octet.
Certificate Authorities that wish to issue CA certificates with email Certificate Authorities that wish to issue CA certificates with email
address name constraints MUST use rfc822Name subject alternative address name constraints MUST use rfc822Name subject alternative
names only. These MUST be IDNA2008-conformant names with no mappings names only. These MUST be IDNA2008-conformant names with no mappings
and with non-ASCII domains encoded in A-labels only. and with non-ASCII domains encoded in A-labels only.
The name constraint requirement with SmtpUTF8Mailbox subject The name constraint requirement with an SmtpUTF8Mailbox subject
alternative name is illustrated in the non-normative diagram in alternative name is illustrated in the non-normative diagram in
Figure 1. The first example (1) illustrates a permitted rfc822Name Figure 1. The first example (1) illustrates a permitted rfc822Name
ASCII-only host name name constraint and the corresponding valid ASCII-only host name name constraint and the corresponding valid
rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email
addresses. The second example (2) illustrates a permitted rfc822Name addresses. The second example (2) illustrates a permitted rfc822Name
host name name constraint with A-label, and the corresponding valid host name name constraint with an A-label, and the corresponding
rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email valid rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName
addresses. Note that an email address with ASCII-only Local-part is email addresses. Note that an email address with an ASCII-only
encoded as rfc822Name despite also having Unicode present in the Local-part is encoded as rfc822Name despite also having Unicode
domain. present in the domain.
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Root CA Cert | | Root CA Cert |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Intermediate CA Cert | | Intermediate CA Cert |
| Permitted | | Permitted |
| rfc822Name: elementary.school.example.com (1) | | rfc822Name: elementary.school.example.com (1) |
| | | |
| rfc822Name: xn--pss25c.example.com (2) | | rfc822Name: xn--pss25c.example.com (2) |
| | | |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| |
v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| Entity Cert (w/explicitly permitted subjects) | | Entity Cert (w/explicitly permitted subjects) |
| SubjectAltName Extension | | SubjectAltName Extension |
| rfc822Name: student@elementary.school.example.com (1) | | rfc822Name: student@elementary.school.example.com (1) |
| SmtpUTF8Mailbox: u+5B66u+751F@elementary.school.example.com | | SmtpUTF8Mailbox: u+5B66u+751F@elementary.school.example.com |
| (1) | | (1) |
| | | |
| rfc822Name: student@xn--pss25c.example.com (2) | | rfc822Name: student@xn--pss25c.example.com (2) |
| SmtpUTF8Mailbox: u+533Bu+751F@xn--pss25c.example.com (2) | | SmtpUTF8Mailbox: u+533Bu+751F@xn--pss25c.example.com (2) |
| | | |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
Figure 1: Name Constraints with SmtpUTF8Name and rfc822Name Figure 1: Name Constraints with SmtpUTF8Name and rfc822Name
7. Security Considerations 7. Security Considerations
Use of SmtpUTF8Mailbox for certificate subjectAltName (and Use of SmtpUTF8Mailbox for certificate subjectAltName (and
issuerAltName) will incur many of the same security considerations as issuerAltName) will incur many of the same security considerations
in Section 8 in [RFC5280], but it introduces a new issue by described in Section 8 of [RFC5280], but it introduces a new issue by
permitting non-ASCII characters in the email address Local-part. permitting non-ASCII characters in the email address Local-part.
This issue, as mentioned in Section 4.4 of [RFC5890] and in Section 4 This issue, as mentioned in Section 4.4 of [RFC5890] and in Section 4
of [RFC6532], is that use of Unicode introduces the risk of visually of [RFC6532], is that use of Unicode introduces the risk of visually
similar and identical characters that can be exploited to deceive the similar and identical characters that can be exploited to deceive the
recipient. The former document references some means to mitigate recipient. The former document references some means to mitigate
against these attacks. See [WEBER] for more background on security against these attacks. See [WEBER] for more background on security
issues with Unicode. issues with Unicode.
Additionally, it is possible to encode a string of Unicode user- Additionally, it is possible to encode a string of Unicode user-
perceived characters in multiple ways. While various Unicode perceived characters in multiple ways. While various Unicode
normalization forms exist, [RFC6531] does not mandate the use of any normalization forms exist, [RFC6531] does not mandate the use of any
such forms for the encoding of the Local-part. Thus, it may be such forms for the encoding of the Local-part. Thus, it may be
possible to encode a Local-part value in multiple ways. To mitigate possible to encode a Local-part value in multiple ways. To mitigate
against attacks where different encodings are used by the mail system against attacks where different encodings are used by the mail system
and the Certification Authority issuing certificates containing and the Certification Authority issues certificates containing
SmtpUTF8Mailbox values, this specification requires an octet-for- SmtpUTF8Mailbox values, this specification requires an octet-for-
octet comparison of the Local-part. However, requiring the use of octet comparison of the Local-part. However, requiring the use of
binary comparison may raise interoperability concerns where the mail binary comparison may raise interoperability concerns where the mail
system employs one encoding and the Certification Authority employs system employs one encoding and the Certification Authority employs
another. another.
8. Differences from RFC 8398 8. Differences from RFC 8398
This document obsoletes [RFC8398]. There are three major changes This document obsoletes [RFC8398]. There are three major changes
defined in this specification which deviate from [RFC8398]: defined in this specification:
1. In all cases, domain labels in mail addresses SHALL be encoded as 1. In all cases, domain labels in mail addresses SHALL be encoded as
LDH-labels. In particular, domain names SHALL NOT be encoded LDH labels. In particular, domain names SHALL NOT be encoded
using U-Labels and instead use A-Labels. using U-Labels; instead, use A-Labels.
2. To accommodate the first change listed above, the mail address 2. To accommodate the first change listed above, the mail address
matching algorithm defined in Section 5 of [RFC8398] has been matching algorithm defined in Section 5 of [RFC8398] has been
modified to only accept domain labels that are encoded using modified to only accept domain labels that are encoded using
their A-label representation. their A-label representation.
3. Additionally, the name constraints processing algorithm defined 3. Additionally, the procedure to process rfc822Name name
in Section 6 of [RFC8398] has been modified to only accept domain constraints as defined in Section 6 of [RFC8398] has been
labels that are encoded using their A-label representation. modified to only accept domain labels that are encoded using
their A-label representation.
9. IANA Considerations 9. IANA Considerations
Update the document reference for the id-mod-lamps-eai-addresses-2016 IANA has updated the reference for the id-mod-lamps-eai-
module in the "SMI Security for PKIX Module Identifier" addresses-2016 module in the "SMI Security for PKIX Module
(1.3.6.1.5.5.7.0) registry from RFC 8398 to this document. Identifier" (1.3.6.1.5.5.7.0) registry to refer to this document
instead of [RFC8398].
Update the document reference for the SmtpUTF8Mailbox otherName in IANA has updated the reference for the SmtpUTF8Mailbox otherName in
the "SMI Security for PKIX Other Name Forms" (1.3.6.1.5.5.7.8) the "SMI Security for PKIX Other Name Forms" (1.3.6.1.5.5.7.8)
registry from RFC 8398 to this document. registry to refer to this document instead of [RFC8398].
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/rfc/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/rfc/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008, DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/rfc/rfc5321>. <https://www.rfc-editor.org/info/rfc5321>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/rfc/rfc5890>. <https://www.rfc-editor.org/info/rfc5890>.
[RFC5891] Klensin, J., "Internationalized Domain Names in [RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891, Applications (IDNA): Protocol", RFC 5891,
DOI 10.17487/RFC5891, August 2010, DOI 10.17487/RFC5891, August 2010,
<https://www.rfc-editor.org/rfc/rfc5891>. <https://www.rfc-editor.org/info/rfc5891>.
[RFC6530] Klensin, J. and Y. Ko, "Overview and Framework for [RFC6530] Klensin, J. and Y. Ko, "Overview and Framework for
Internationalized Email", RFC 6530, DOI 10.17487/RFC6530, Internationalized Email", RFC 6530, DOI 10.17487/RFC6530,
February 2012, <https://www.rfc-editor.org/rfc/rfc6530>. February 2012, <https://www.rfc-editor.org/info/rfc6530>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<https://www.rfc-editor.org/rfc/rfc6531>. <https://www.rfc-editor.org/info/rfc6531>.
[RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized [RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized
Email Headers", RFC 6532, DOI 10.17487/RFC6532, February Email Headers", RFC 6532, DOI 10.17487/RFC6532, February
2012, <https://www.rfc-editor.org/rfc/rfc6532>. 2012, <https://www.rfc-editor.org/info/rfc6532>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8398] Melnikov, A., Ed. and W. Chuang, Ed., "Internationalized [RFC8398] Melnikov, A., Ed. and W. Chuang, Ed., "Internationalized
Email Addresses in X.509 Certificates", RFC 8398, Email Addresses in X.509 Certificates", RFC 8398,
DOI 10.17487/RFC8398, May 2018, DOI 10.17487/RFC8398, May 2018,
<https://www.rfc-editor.org/rfc/rfc8398>. <https://www.rfc-editor.org/info/rfc8398>.
[RFC8399BIS] [RFC9549] Housley, R., "Internationalization Updates to RFC 5280",
Housley, R., "Internationalization Updates to RFC 5280", RFC 9549, DOI 10.17487/RFC9549, March 2024,
n.d., <https://datatracker.ietf.org/doc/draft-housley- <https://www.rfc-editor.org/info/rfc9549>.
lamps-rfc8399bis/>.
10.2. Informative References 10.2. Informative References
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, DOI 10.17487/RFC5912, June 2010,
<https://www.rfc-editor.org/rfc/rfc5912>. <https://www.rfc-editor.org/info/rfc5912>.
[WEBER] Weber, C., "Attacking Software Globalization", March 2010, [WEBER] Weber, C., "Unraveling Unicode: A Bag of Tricks for Bug
<https://www.lookout.net/files/ Hunting", July 2009, <https://www.lookout.net/files/
Chris_Weber_Character%20Transformations%20v1.7_IUC33.pdf>. Chris_Weber_Character%20Transformations%20v1.7_IUC33.pdf>.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
The following ASN.1 module normatively specifies the SmtpUTF8Mailbox The following ASN.1 module normatively specifies the SmtpUTF8Mailbox
structure. This specification uses the ASN.1 definitions from structure. This specification uses the ASN.1 definitions from
[RFC5912] with the 2002 ASN.1 notation used in that document. [RFC5912] with the 2002 ASN.1 notation used in that document.
[RFC5912] updates normative documents using older ASN.1 notation. [RFC5912] updates normative documents using older ASN.1 notation.
LAMPS-EaiAddresses-2016 LAMPS-EaiAddresses-2016
skipping to change at page 12, line 43 skipping to change at line 512
on-SmtpUTF8Mailbox OTHER-NAME ::= { on-SmtpUTF8Mailbox OTHER-NAME ::= {
SmtpUTF8Mailbox IDENTIFIED BY id-on-SmtpUTF8Mailbox SmtpUTF8Mailbox IDENTIFIED BY id-on-SmtpUTF8Mailbox
} }
id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 } id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 }
SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX)) SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX))
-- SmtpUTF8Mailbox conforms to Mailbox as specified -- SmtpUTF8Mailbox conforms to Mailbox as specified
-- in Section 3.3 of RFC 6531. Additionally, all domain -- in Section 3.3 of RFC 6531. Additionally, all domain
-- labels included in the SmtpUTF8Mailbox value are -- labels included in the SmtpUTF8Mailbox value are
-- encoded as LDH-Labels. In particular, domain labels -- encoded as LDH Labels. In particular, domain labels
-- are not encoded as U-Labels and instead are encoded -- are not encoded as U-Labels and instead are encoded
-- using their A-label representation. -- using their A-label representation.
END END
Appendix B. Example of SmtpUTF8Mailbox Appendix B. Example of SmtpUTF8Mailbox
This non-normative example demonstrates using SmtpUTF8Mailbox as an This non-normative example demonstrates using SmtpUTF8Mailbox as an
otherName in GeneralName to encode the email address otherName in GeneralName to encode the email address
"u+533Bu+751F@xn--pss25c.example.com". "u+533Bu+751F@xn--pss25c.example.com".
skipping to change at page 13, line 34 skipping to change at line 547
The example was encoded using Google's "der-ascii" program and the The example was encoded using Google's "der-ascii" program and the
above text decoding is an output of Peter Gutmann's "dumpasn1" above text decoding is an output of Peter Gutmann's "dumpasn1"
program. program.
Acknowledgments Acknowledgments
The authors thank David Benjamin for providing the motivation for The authors thank David Benjamin for providing the motivation for
this document. Additionally, the authors thank Éric Vyncke, John this document. Additionally, the authors thank Éric Vyncke, John
Levine, Peter van Dijk, Rich Salz, Russ Housley, and Tim Hollebeek Levine, Peter van Dijk, Rich Salz, Russ Housley, and Tim Hollebeek
for their reviews and feedback which meaningfully improved the for their reviews and feedback, which meaningfully improved the
document. document.
The authors also recognize and appreciate the following individuals The authors also recognize and appreciate the following individuals
for their contributions to the previous version of this document: for their contributions to [RFC8398]:
Thank you to Magnus Nystrom for motivating this document. Thanks to | Thank you to Magnus Nystrom for motivating this document. Thanks
Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean | to Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan
Leonard, Sean Turner, John Levine, and Patrik Falstrom for their | Sleevi, Sean Leonard, Sean Turner, John Levine, and Patrik
feedback. Also special thanks to John Klensin for his valuable input | Falstrom for their feedback. Also special thanks to John Klensin
on internationalization, Unicode, and ABNF formatting; to Jim Schaad | for his valuable input on internationalization, Unicode, and ABNF
for his help with the ASN.1 example and his helpful feedback; and | formatting; to Jim Schaad for his help with the ASN.1 example and
especially to Viktor Dukhovni for helping us with name constraints | his helpful feedback; and especially to Viktor Dukhovni for
and his many detailed document reviews. | helping us with name constraints and his many detailed document
| reviews.
Authors' Addresses Authors' Addresses
Alexey Melnikov Alexey Melnikov
Isode Ltd Isode Ltd
14 Castle Mews 14 Castle Mews
Hampton Hampton, Middlesex
TW12 2NP TW12 2NP
United Kingdom United Kingdom
Email: Alexey.Melnikov@isode.com Email: Alexey.Melnikov@isode.com
Wei Chuang Wei Chuang
Google, Inc. Google, Inc.
1600 Amphitheater Parkway 1600 Amphitheater Parkway
Mountain View, CA Mountain View, CA
United States of America United States of America
Email: weihaw@google.com Email: weihaw@google.com
 End of changes. 64 change blocks. 
195 lines changed or deleted 176 lines changed or added

This html diff was produced by rfcdiff 1.48.