A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://www.rfc-editor.org/rfc/rfc9598.xml below:

Introduction defines the rfc822Name subjectAltName name type for representing email addresses as described in . The syntax of rfc822Name is restricted to a subset of US-ASCII characters and thus can't be used to represent internationalized email addresses . This document defines a new otherName variant to represent internationalized email addresses. In addition, this document requires all email address domains in X.509 certificates to conform to IDNA2008 . This document obsoletes . The primary motivation of this document is to simplify the encoding of domain labels found in the domain part of internationalized email addresses. In particular, specifies that domain labels are conditionally encoded using either A-labels or U-labels. This specification simplifies encoding and processing of domain labels by mandating that the A-label representation be used in all cases. Conventions Used in This Document The key words " MUST ", " MUST NOT ", " REQUIRED ", " SHALL ", " SHALL NOT ", " SHOULD ", " SHOULD NOT ", " RECOMMENDED ", " NOT RECOMMENDED ", " MAY ", and " OPTIONAL " in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Name Definitions The GeneralName structure supports many different name forms including otherName for extensibility. This section specifies the SmtpUTF8Mailbox name form of otherName so that internationalized email addresses can appear in the subjectAltName of a certificate, the issuerAltName of a certificate, or anywhere else that GeneralName is used. id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 } SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX)) -- SmtpUTF8Mailbox conforms to Mailbox as specified -- in Section 3.3 of RFC 6531. Additionally, all domain -- labels included in the SmtpUTF8Mailbox value are -- encoded as LDH labels. In particular, domain labels -- are not encoded as U-labels and instead are encoded -- using their A-label representation. When the subjectAltName (or issuerAltName) extension contains an internationalized email address with a non-ASCII Local-part, the address MUST be stored in the SmtpUTF8Mailbox name form of otherName. The format of SmtpUTF8Mailbox is a modified version of the internationalized Mailbox that was defined in , which was derived from Mailbox as defined in . defines the following ABNF rules for Mailbox whose parts are modified for internationalization: Local-part, Dot-string, Quoted-string, QcontentSMTP, Domain, and Atom. In particular, Local-part was updated to also support UTF8-non-ascii. UTF8-non-ascii was described by . Also, domain was extended to support U-labels, as defined in . This document further refines internationalized Mailbox ABNF rules as described in and calls this SmtpUTF8Mailbox. In SmtpUTF8Mailbox, labels that include non-ASCII characters MUST be stored in A-label (rather than U-label) form . This restriction reduces complexity for implementations of the certification path validation algorithm defined in . In SmtpUTF8Mailbox, domain labels that solely use ASCII characters (meaning neither A- nor U-labels) SHALL use NR-LDH restrictions as specified by . NR-LDH stands for "Non-Reserved Letters Digits Hyphen" and is the set of LDH labels that do not have "--" characters in the third and forth character positions, which excludes "tagged domain names" such as A-labels. To facilitate octet-for-octet comparisons of SmtpUTF8Mailbox values, all NR-LDH and A-label labels that constitute the domain part SHALL only be encoded with lowercase letters. Consistent with the treatment of rfc822Name in , SmtpUTF8Mailbox is an envelope Mailbox and has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by "<" and ">" characters. Due to name constraint compatibility reasons described in , SmtpUTF8Mailbox subjectAltName MUST NOT be used unless the Local-part of the email address contains non-ASCII characters. When the Local-part is ASCII, rfc822Name subjectAltName MUST be used instead of SmtpUTF8Mailbox. This is compatible with legacy software that supports only rfc822Name (and not SmtpUTF8Mailbox). The appropriate usage of rfc822Name and SmtpUTF8Mailbox is summarized in Table 1 below. SmtpUTF8Mailbox is encoded as UTF8String. The UTF8String encoding MUST NOT contain a Byte Order Mark (BOM) to aid consistency across implementations, particularly for comparison. Email Address Formatting Local-part char subjectAltName ASCII-only rfc822Name non-ASCII SmtpUTF8Mailbox Non-ASCII Local-part values may additionally include ASCII characters. IDNA2008 To facilitate comparison between email addresses, all email address domains in X.509 certificates MUST conform to IDNA2008 (and avoid any "mappings" mentioned in that document). Use of non-conforming email address domains introduces the possibility of conversion errors between alternate forms. This applies to SmtpUTF8Mailbox and rfc822Name in subjectAltName, issuerAltName, and anywhere else that these are used. Matching of Internationalized Email Addresses in X.509 Certificates Equivalence comparisons with SmtpUTF8Mailbox consist of a domain part step and a Local-part step. The comparison form for Local-parts is always UTF-8. The comparison form for domain parts is always performed with the LDH label ( ) encoding of the relevant domain labels. The comparison of LDH labels in domain parts reduces complexity for implementations of the certification path validation algorithm as defined in by obviating the need to convert domain labels to their Unicode representation. Comparison of two SmtpUTF8Mailboxes is straightforward with no setup work needed. They are considered equivalent if there is an exact octet-for-octet match. Comparison of an SmtpUTF8Mailbox and rfc822Name will always fail. SmtpUTF8Mailbox values SHALL contain a Local-part that includes one or more non-ASCII characters, while rfc822Names only includes ASCII characters (including the Local-part). Thus, an SmtpUTF8Mailbox and rfc822Name will never match. Comparison of SmtpUTF8Mailbox values with internationalized email addresses from other sources (such as received email messages, user input, etc.) requires additional setup steps for domain part and Local-part. The initial preparation for the email address to compare with the SmtpUTF8Mailbox value is to remove any phrases, comments, and "<" or ">" characters. For the setup of the domain part, the following conversions SHALL be performed:
  1. Convert all labels that constitute the domain part that include non-ASCII characters to A-labels, if not already in that form.
    1. Detect all U-labels present within the domain part using .
    2. Transform all detected U-labels (Unicode) to A-labels (ASCII) as specified in .
  2. Convert all uppercase letters found within the NR-LDH and A-label labels that constitute the domain part to lowercase letters.
For the setup of the Local-part, the Local-part MUST be verified to conform to the requirements of and , including being a string in UTF-8 form. In particular, the Local- part MUST NOT be transformed in any way, such as by doing case folding or normalization of any kind. The Local-part of an internationalized email address is already in UTF-8. Once setup is complete, they are again compared octet for octet. To summarize non-normatively, the comparison steps, including setup, are:
  1. If the domain contains U-labels, transform them to A-labels.
  2. If any NR-LDH or A-label domain label in the domain part contains uppercase letters, lowercase them.
  3. Compare strings octet for octet for equivalence.
This specification expressly does not define any wildcard characters, and SmtpUTF8Mailbox comparison implementations MUST NOT interpret any characters as wildcards. Instead, to specify multiple email addresses through SmtpUTF8Mailbox, the certificate MUST use multiple subjectAltNames or issuerAltNames to explicitly carry any additional email addresses. Name Constraints in Path Validation This section updates to extend rfc822Name name constraints to SmtpUTF8Mailbox subjectAltNames. SmtpUTF8Mailbox-aware path validators will apply name constraint comparison to the subject distinguished name and both forms of subject alternative names, rfc822Name and SmtpUTF8Mailbox. Both rfc822Name and SmtpUTF8Mailbox subject alternative names represent the same underlying email address namespace. Since legacy Certification Authorities (CAs) constrained to issue certificates for a specific set of domains would lack corresponding UTF-8 constraints, updates, modifies, and extends rfc822Name name constraints defined in to cover SmtpUTF8Mailbox subject alternative names. This ensures that the introduction of SmtpUTF8Mailbox does not violate existing name constraints. Since it is not valid to include non-ASCII UTF-8 characters in the Local-part of rfc822Name name constraints, and since name constraints that include a Local-part are rarely, if at all, used in practice, name constraints updated in allow the forms that represent all addresses at a host, or all mailboxes in a domain and deprecates rfc822Name name constraints that represent a particular mailbox. That is, rfc822Name constraints with a Local-part SHOULD NOT be used. Constraint comparison with SmtpUTF8Mailbox subjectAltName starts with the setup steps defined in . Setup converts the inputs of the comparison (which is one of a subject distinguished name, an rfc822Name, or an SmtpUTF8Mailbox subjectAltName, and one of an rfc822Name name constraint) to constraint comparison form. For both the name constraint and the subject, this will convert all A-labels and NR-LDH labels to lowercase. Strip the Local-part and "@" separator from each rfc822Name and SmtpUTF8Mailbox, which leaves just the domain part. After setup, follow the comparison steps defined in as follows. If the resulting name constraint domain starts with a "." character, then for the name constraint to match, a suffix of the resulting subject alternative name domain MUST match the name constraint (including the leading ".") octet for octet. If the resulting name constraint domain does not start with a "." character, then for the name constraint to match, the entire resulting subject alternative name domain MUST match the name constraint octet for octet. Certificate Authorities that wish to issue CA certificates with email address name constraints MUST use rfc822Name subject alternative names only. These MUST be IDNA2008-conformant names with no mappings and with non-ASCII domains encoded in A-labels only. The name constraint requirement with an SmtpUTF8Mailbox subject alternative name is illustrated in the non-normative diagram in . The first example (1) illustrates a permitted rfc822Name ASCII-only host name name constraint and the corresponding valid rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email addresses. The second example (2) illustrates a permitted rfc822Name host name name constraint with an A-label, and the corresponding valid rfc822Name subjectAltName and SmtpUTF8Mailbox subjectAltName email addresses. Note that an email address with an ASCII-only Local-part is encoded as rfc822Name despite also having Unicode present in the domain. Name Constraints with SmtpUTF8Name and rfc822Name +-------------------------------------------------------------------+ | Root CA Cert | +-------------------------------------------------------------------+ | v +-------------------------------------------------------------------+ | Intermediate CA Cert | | Permitted | | rfc822Name: elementary.school.example.com (1) | | | | rfc822Name: xn--pss25c.example.com (2) | | | +-------------------------------------------------------------------+ | v +-------------------------------------------------------------------+ | Entity Cert (w/explicitly permitted subjects) | | SubjectAltName Extension | | rfc822Name: student@elementary.school.example.com (1) | | SmtpUTF8Mailbox: u+5B66u+751F@elementary.school.example.com | | (1) | | | | rfc822Name: student@xn--pss25c.example.com (2) | | SmtpUTF8Mailbox: u+533Bu+751F@xn--pss25c.example.com (2) | | | +-------------------------------------------------------------------+ Security Considerations Use of SmtpUTF8Mailbox for certificate subjectAltName (and issuerAltName) will incur many of the same security considerations described in , but it introduces a new issue by permitting non-ASCII characters in the email address Local-part. This issue, as mentioned in and in , is that use of Unicode introduces the risk of visually similar and identical characters that can be exploited to deceive the recipient. The former document references some means to mitigate against these attacks. See for more background on security issues with Unicode. Additionally, it is possible to encode a string of Unicode user-perceived characters in multiple ways. While various Unicode normalization forms exist, does not mandate the use of any such forms for the encoding of the Local-part. Thus, it may be possible to encode a Local-part value in multiple ways. To mitigate against attacks where different encodings are used by the mail system and the Certification Authority issues certificates containing SmtpUTF8Mailbox values, this specification requires an octet-for-octet comparison of the Local-part. However, requiring the use of binary comparison may raise interoperability concerns where the mail system employs one encoding and the Certification Authority employs another. Differences from RFC 8398 This document obsoletes . There are three major changes defined in this specification:
  1. In all cases, domain labels in mail addresses SHALL be encoded as LDH labels. In particular, domain names SHALL NOT be encoded using U-Labels; instead, use A-Labels.
  2. To accommodate the first change listed above, the mail address matching algorithm defined in has been modified to only accept domain labels that are encoded using their A-label representation.
  3. Additionally, the procedure to process rfc822Name name constraints as defined in has been modified to only accept domain labels that are encoded using their A-label representation.
IANA Considerations IANA has updated the reference for the id-mod-lamps-eai-addresses-2016 module in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry to refer to this document instead of . IANA has updated the reference for the SmtpUTF8Mailbox otherName in the "SMI Security for PKIX Other Name Forms" (1.3.6.1.5.5.7.8) registry to refer to this document instead of . References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. UTF-8, a transformation format of ISO 10646 ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] Simple Mail Transfer Protocol This document is a specification of the basic protocol for Internet electronic mail transport. It consolidates, updates, and clarifies several previous documents, making all or parts of most of them obsolete. It covers the SMTP extension mechanisms and best practices for the contemporary Internet, but does not provide details about particular extensions. Although SMTP was designed as a mail transport and delivery protocol, this specification also contains information that is important to its use as a "mail submission" protocol for "split-UA" (User Agent) mail reading systems and mobile environments. [STANDARDS-TRACK] Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework This document is one of a collection that, together, describe the protocol and usage context for a revision of Internationalized Domain Names for Applications (IDNA), superseding the earlier version. It describes the document collection and provides definitions and other material that are common to the set. [STANDARDS-TRACK] Internationalized Domain Names in Applications (IDNA): Protocol This document is the revised protocol definition for Internationalized Domain Names (IDNs). The rationale for changes, the relationship to the older specification, and important terminology are provided in other documents. This document specifies the protocol mechanism, called Internationalized Domain Names in Applications (IDNA), for registering and looking up IDNs in a way that does not require changes to the DNS itself. IDNA is only meant for processing domain names, not free text. [STANDARDS-TRACK] Overview and Framework for Internationalized Email Full use of electronic mail throughout the world requires that (subject to other constraints) people be able to use close variations on their own names (written correctly in their own languages and scripts) as mailbox names in email addresses. This document introduces a series of specifications that define mechanisms and protocol extensions needed to fully support internationalized email addresses. These changes include an SMTP extension and extension of email header syntax to accommodate UTF-8 data. The document set also includes discussion of key assumptions and issues in deploying fully internationalized email. This document is a replacement for RFC 4952; it reflects additional issues identified since that document was published. [STANDARDS-TRACK] SMTP Extension for Internationalized Email This document specifies an SMTP extension for transport and delivery of email messages with internationalized email addresses or header information. [STANDARDS-TRACK] Internationalized Email Headers Internet mail was originally limited to 7-bit ASCII. MIME added support for the use of 8-bit character sets in body parts, and also defined an encoded-word construct so other character sets could be used in certain header field values. However, full internationalization of electronic mail requires additional enhancements to allow the use of Unicode, including characters outside the ASCII repertoire, in mail addresses as well as direct use of Unicode in header fields like "From:", "To:", and "Subject:", without requiring the use of complex encoded-word constructs. This document specifies an enhancement to the Internet Message Format and to MIME that allows use of Unicode in mail addresses and most header field content. This specification updates Section 6.4 of RFC 2045 to eliminate the restriction prohibiting the use of non-identity content-transfer- encodings on subtypes of "message/". [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Internationalized Email Addresses in X.509 Certificates This document defines a new name form for inclusion in the otherName field of an X.509 Subject Alternative Name and Issuer Alternative Name extension that allows a certificate subject to be associated with an internationalized email address. This document updates RFC 5280. Internationalization Updates to RFC 5280 The updates to RFC 5280 described in this document provide alignment with the 2008 specification for Internationalized Domain Names (IDNs) and includes support for internationalized email addresses in X.509 certificates. The updates ensure that name constraints for email addresses that contain only ASCII characters and internationalized email addresses are handled in the same manner. This document obsoletes RFC 8399. Informative References New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. Unraveling Unicode: A Bag of Tricks for Bug Hunting ASN.1 Module The following ASN.1 module normatively specifies the SmtpUTF8Mailbox structure. This specification uses the ASN.1 definitions from with the 2002 ASN.1 notation used in that document. updates normative documents using older ASN.1 notation. LAMPS-EaiAddresses-2016 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-lamps-eai-addresses-2016(92) } DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS OTHER-NAME FROM PKIX1Implicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } id-pkix FROM PKIX1Explicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; -- -- otherName carries additional name types for subjectAltName, -- issuerAltName, and other uses of GeneralNames. -- id-on OBJECT IDENTIFIER ::= { id-pkix 8 } SmtpUtf8OtherNames OTHER-NAME ::= { on-SmtpUTF8Mailbox, ... } on-SmtpUTF8Mailbox OTHER-NAME ::= { SmtpUTF8Mailbox IDENTIFIED BY id-on-SmtpUTF8Mailbox } id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 } SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX)) -- SmtpUTF8Mailbox conforms to Mailbox as specified -- in Section 3.3 of RFC 6531. Additionally, all domain -- labels included in the SmtpUTF8Mailbox value are -- encoded as LDH Labels. In particular, domain labels -- are not encoded as U-Labels and instead are encoded -- using their A-label representation. END Example of SmtpUTF8Mailbox This non-normative example demonstrates using SmtpUTF8Mailbox as an otherName in GeneralName to encode the email address "u+533Bu+751F@xn--pss25c.example.com". The hexadecimal DER encoding of the block is: a02b0608 2b060105 05070809 a01f0c1d e58cbbe7 949f4078 6e2d2d70 73733235 632e6578 616d706c 652e636f 6d The text decoding is: 0 43: [0] { 2 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 8 9' 12 31: [0] { 14 29: UTF8String 'u+533Bu+751F@xn--pss25c.example.com' : } : } The example was encoded using Google's "der-ascii" program and the above text decoding is an output of Peter Gutmann's "dumpasn1" program. Acknowledgments The authors thank David Benjamin for providing the motivation for this document. Additionally, the authors thank Éric Vyncke, John Levine, Peter van Dijk, Rich Salz, Russ Housley, and Tim Hollebeek for their reviews and feedback, which meaningfully improved the document. The authors also recognize and appreciate the following individuals for their contributions to :
Thank you to Magnus Nystrom for motivating this document. Thanks to Russ Housley, Nicolas Lidzborski, Laetitia Baudoin, Ryan Sleevi, Sean Leonard, Sean Turner, John Levine, and Patrik Falstrom for their feedback. Also special thanks to John Klensin for his valuable input on internationalization, Unicode, and ABNF formatting; to Jim Schaad for his help with the ASN.1 example and his helpful feedback; and especially to Viktor Dukhovni for helping us with name constraints and his many detailed document reviews.
Authors' Addresses Isode Ltd 14 Castle Mews Hampton, Middlesex TW12 2NP United Kingdom Alexey.Melnikov@isode.com Google, Inc. 1600 Amphitheater Parkway Mountain View CA United States of America weihaw@google.com DigiCert Pittsburgh PA United States of America corey.bonnell@digicert.com

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4