Internationalized Email Addresses in X.509 certificates


Dmitry Belyavsky-3
Here is a patch designed for the support of the https://tools.ietf.org/html/draft-ietf-lamps-eai-addresses-06 draft which is in the last call phase of the Lamps WG.


The patch https://github.com/openssl/openssl/pull/2560 implements the support of the SmtpUtf8 OTHERNAME value. 


Current problems related to the patch:

  1. It requires libidn with its own memory management.
  2. The support via config is not provided yet.
  3. It does not implement the canonicalization of the Unicode string.
  4. It does not have tests for the chain verification.

We have a preliminary specification of the tests, but currently I am unable to implement them.
=====
I can give you an outline of a spec.  Hopefully that's enough to work with:
1. Local-part
  a. Internationalized, i.e. non-ASCII, email Local-part is encoded as UTF8 in smtputf8Name.  Given a test certificate in ASN.1, the UTF8 Local-part should be extractable and tested.
  b. Though not recommended, ASCII email Local-part may also be represented.  So a test certificate in ASN.1 could encode an ASCII email local-part, and the ASCII should be extractable and tested.  Certificate generation through openssl should opt to use rfc822Name for ASCII Local-part though.
2. Domain
  a. U-label in smtputf8Name shall be supported.  Given a test certificate in ASN.1, a U-label domain should be extracted and tested.
  b. A-label in smtputf8Name must not be supported.  Given a test certificate in ASN.1, the A-label domain should be rejected.
3. Name constraints
  a. CA certificate with smtputf8Name name constraint should constrain an entity certificate with smtputf8Name.  Given an intermediate CA cert in ASN.1 with a full email address excluded name constraint in smtputf8Name, it can constrain an entity certificate with smtputf8Name.
  b. CA certificate with rfc822Name name constraint should not constrain an entity certificate with smtputf8Name.  Given an intermediate CA cert in ASN.1 with a full email address excluded name constraint in rfc822Name, it does *not* constrain an entity certificate with smtputf8Name.
  c. CA certificate with smtputf8Name name constraint should not constrain an entity certificate with rfc822Name.  Given an intermediate CA cert in ASN.1 with a full email address excluded name constraint in smtputf8Name, it does *not* constrain an entity certificate with rfc822Name.
=====

So could I cooperate with the OpenSSL team to finalize this work and submit the patch to upstream?

--
SY, Dmitry Belyavsky

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
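
The test outline quoted in the message above, expressed as checks on already-extracted strings. This is an added sketch, not code from the patch or from OpenSSL: the enum, the function names and the sample addresses are constructed for illustration. The comparison is byte-exact, since the message notes canonicalization is not implemented.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tags for the two GeneralName forms the outline compares. */
enum name_form { FORM_RFC822NAME, FORM_SMTPUTF8NAME };

/* 1 if any dot-separated label carries the A-label prefix "xn--" (any case). */
static int has_a_label(const char *domain)
{
    const char *p = domain;
    while (p != NULL && *p != '\0') {
        if ((p[0] == 'x' || p[0] == 'X') && (p[1] == 'n' || p[1] == 'N')
            && p[2] == '-' && p[3] == '-')
            return 1;
        p = strchr(p, '.');
        if (p != NULL)
            p++;                      /* step to the start of the next label */
    }
    return 0;
}

/* Items 1 and 2: split at the last '@'; a UTF-8 or ASCII local part is
 * accepted, a domain holding an A-label is rejected. Returns domain or NULL. */
const char *smtputf8_domain(const char *mailbox)
{
    const char *at = strrchr(mailbox, '@');
    if (at == NULL || at == mailbox || at[1] == '\0')
        return NULL;                  /* no '@', empty local part or domain */
    return has_a_label(at + 1) ? NULL : at + 1;
}

/* Item 3: a full-address excluded constraint applies only to the same name
 * form. Assumption: byte-exact comparison, no canonicalization. */
int is_excluded(enum name_form cform, const char *constraint,
                enum name_form nform, const char *name)
{
    return cform == nform && strcmp(constraint, name) == 0;
}

int main(void)
{
    const char *u = "\xd0\xb8@\xd0\xbf.example";   /* constructed U-label sample */
    printf("U-label accepted: %d\n", smtputf8_domain(u) != NULL);
    printf("A-label accepted: %d\n", smtputf8_domain("u@xn--e1afmkfd.example") != NULL);
    printf("cross-form excluded: %d\n",
           is_excluded(FORM_RFC822NAME, "u@a.example", FORM_SMTPUTF8NAME, "u@a.example"));
    return 0;
}
```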