One of the reasons that Ballot 202 failed was that it proposed prohibiting U-labels from appearing in the CN, which several CAs noted in the “no” vote emails that this was the reason why they were voting against the ballot.
Given that there have been no normative changes to the allowed encoding of values in the CN field since ballot 202 was voted on, I’m inclined to agree with you and Kurt that U-labels are allowed, provided that the corresponding A-label encoding of the domain name is included as a dNSName in the SAN.
That being said, I don’t think prohibiting U-labels in CN is the worst idea in the world since conversion from U-labels to A-labels can yield different A-label representations of the domain name depending on if you’re using IDNA 2003, 2008, or transitional processing.
Thanks,
Corey
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/44052966-5378-478b-8562-b69f740dcde3n%40mozilla.org.
Hi Rob,
Responses inline.
> Hi Corey. The discussion at https://github.com/zmap/zlint/issues/601 has so far reached the opposite conclusion. Would you mind reviewing https://github.com/zmap/zlint/issues/601#issuecomment-841168368 and explaining in more detail why you disagree?
Yes, I reviewed the zlint issue discussion prior to posting here last week. Since Michel continued the conversation here, I thought mdsp is the most appropriate forum to discuss.
While your interpretation that the encoding of the CN value and dNSName must be byte-for-byte identical is a reasonable interpretation, it also reasonable to interpret the requirement as allowing encoding of U-labels, provided that the equivalent A-label encoding is contained in a dNSName. As I mentioned in my previous email, the proposed prohibition on this practice was one of the reasons why the ballot failed and no Root Programs stated that the practice was prohibited even in light of the ballot failure.
> ISTM that "no normative changes to the allowed encoding of values in the CN field since ballot 202 was voted on" assumes that ballot 202 only intended to change the rules, whereas IIRC the main intention of ballot 202 was to clarify existing rules by stating them more explicitly in the BRs.
I don’t believe this is accurate. Ballot 202 proposed introducing new requirements such as a prohibition on issuing certificates for domain names that contain hyphens as the third and fourth character but do not contain “xn” as the first two characters of a label (i.e., a prohibition on issuance of domain names that contain R-LDH labels that are not XN-labels). I know of no prohibition in force now for such labels, as they conform to preferred name syntax.
> It's unfortunate that ballot 202 failed, because it means we have to dig a bit deeper to articulate what the current rules actually are.
100% agreed. I’d be happy to work on a replacement ballot to clear these rules up.
Thanks,
Corey
> Hi Corey. I'm struggling to see how that can be a reasonable interpretation, given the Defined Terms and the nature of DNS.
Following this line of logic, the definitions in section 1.6 and the wire format of IPv4 would prohibit the inclusion of IP addresses in the CN and SAN, as the IPv4 protocol does not use the dotted-string notation on the wire. I hope we agree that this is not a reasonable interpretation, and instead would agree that the address forms as encoded in certificates may be in a presentation format that diverges from the on-the-wire encoding.
> Note that I wrote "the main intention...was to clarify", not "the only intention...was to clarify". FWIW, I think that what I wrote is consistent with the summary of ballot 202:
<snip>
I agree insomuch as there were clarifications on the allowance of existing practice as well as new restrictions proposed in ballot 202. However, given that the prohibition on expressing U-labels in the CN and including non-XN R-LDH labels in dNSNames were new restrictions, I don’t see how one can reasonably argue that one practice is currently prohibited and the other currently allowed as result of ballot 202 failing to pass absent further discussion or clarification by Root Programs on these issues.
On Thu, May 20, 2021 at 11:28:46AM +0000, Rob Stradling wrote:
> Corey wrote:
> > I’m inclined to agree with you and Kurt that U-labels are allowed, provided that the corresponding A-label encoding of the domain name is included as a dNSName in the SAN
>
> Hi Corey. The discussion at https://github.com/zmap/zlint/issues/601 has so far reached the opposite conclusion. Would you mind reviewing https://github.com/zmap/zlint/issues/601#issuecomment-841168368 and explaining in more detail why you disagree?
I think the text "is one of the values" means that if the CN
contains a U-label, it should translate to one of the A-labels in
the SAN.
Internationalized Domain Names (IDNs) may be included in certificates
and CRLs in the subjectAltName and issuerAltName extensions, name
constraints extension, authority information access extension,
subject information access extension, CRL distribution points
extension, and issuing distribution point extension.
> Using which translation algorithm? UTF46? IDNA2003? IDNA2008?
I'm not sure why you ask, and then go and say it's IDNA2003.
You're quoting 7.2, which is about GeneralNames.
Hi Ryan,
Comments inline.
> Any CA issuing with U-Labels is a CA that is introducing security issues to relying parties, because to display the commonName is to potentially display a value other than the actual verified name. Some may want to dismiss that as simply inconsequential differences between IDNA2003 and IDNA2008, or that the risks are somehow minor, but that's entirely incorrect.
I agree that encoding a U-label representation of a domain name in the CN that produces different A-labels depending on the version of IDNA is a security concern, especially if the CN-ID is used to perform hostname verification. However, for many writing systems in the world, the “ToAscii” algorithm for IDNA 2003, 2008, and UTS46 yield the same set of A-labels when native script is used in U-labels, so this particular security concern does not manifest in many cases.
> It would be a shame if we have to do another such ballot to say U-Labels are explicitly prohibited, when they are already implicitly prohibited.
This seems strange to me. If there’s a security concern – especially one that has a different risk profile depending on language used by Subscribers/RPs -- then we should amend policy to fix it. Declaring that this practice is universally insecure and “implicitly prohibited” deep in a random thread of a newsgroup likely will not have the desired effect. Clear guidance is the best way to address these issues.
Thanks,
Corey
> It would be a shame if we have to do another such ballot to say U-Labels are explicitly prohibited, when they are already implicitly prohibited.
This seems strange to me. If there’s a security concern – especially one that has a different risk profile depending on language used by Subscribers/RPs -- then we should amend policy to fix it. Declaring that this practice is universally insecure and “implicitly prohibited” deep in a random thread of a newsgroup likely will not have the desired effect. Clear guidance is the best way to address these issues.
Note that the BRs do not adopt RFC 8399 or 8398, they're based on
RFC 5280.
> Your entire argument is simply “I don’t see it prohibited” (which, as I
> point out, it is, clearly), when the entire point for all CAs is that if
> you don’t see something clearly *permitted*, you’re already in dangerous
> territory. For this case of U-Labels in CN, you won’t find it, because they
> aren’t allowed, nor have they ever been.
I see no text that permits to use of A-labels in a CN.
Please assume that whatever I write is in good faith. I'm trying
to understand things. Your attitude does not help.
> You can find this language in BRs 7.1.4.2.2 (a), RFC 2818, and RFC 6125.
RFC 6125 says in section 6.4.2 that a CN can have a U-label.
If you think I'm wrong, you can explain why I'm wrong, pointing to a
document or some other discussion, or ask me to explain it. But most
of the time you don't do that and seem to resolve to tone that I
can only describe as not constructive and not welcoming any
discussion.
> Clear guidance like widely used linting tools that enforce this, and discussion about this point in the CA/Browser Forum during the discussion of Ballot 202 about precisely these conclusions?
Again, I find this approach to defining policy to be strange and likely ineffective. This community has long frowned upon “the linter didn’t catch this” as rationale for why compliance incidents occurred, so suggesting that CAs should rely on linter results does not align with previous discussion. Nor does it assuage concerns of non-compliance that is currently not checked by linters today.
As to why the ballot 202 discussions are insufficient guidance to CAs on whether U-labels are prohibited in CN, one needs to look no further than this post [1] here on MDSP, which Mozilla stated a full year after ballot 202 failed that encoding U-labels in the CN is not a policy violation. Given this, I cannot agree that this practice is clearly prohibited. If we decide that it should be prohibited (which I’d be on board with), then we should resurrect ballot 202 and explicitly state the expectations.
Thanks,
Corey
[1] https://groups.google.com/g/mozilla.dev.security.policy/c/LdYPWj1SCGM/m/NeVL3mwsAAAJ
From: Ryan Sleevi <ry...@sleevi.com>
Sent: Friday, May 21, 2021 1:11 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: ry...@sleevi.com; Kurt Roeckx <ku...@roeckx.be>; Rob Stradling <r...@sectigo.com>; Michel Le Bihan <michel.le...@gmail.com>; dev-secur...@mozilla.org
Subject: Re: Are U-labels allowed in CN?
> Clear guidance like widely used linting tools that enforce this, and discussion about this point in the CA/Browser Forum during the discussion of Ballot 202 about precisely these conclusions?
> If Mozilla has chosen to ignore a requirement of the BRs - as they are free to do and have done so in the past, with a number of CAs - that doesn’t change the BRs.
Are you asserting that Mozilla has granted an exception to CAs for this supposed violation of the BRs?
From: Ryan Sleevi <ry...@sleevi.com>
Sent: Monday, May 24, 2021 1:17 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Kurt Roeckx <ku...@roeckx.be>; Michel Le Bihan <michel.le...@gmail.com>; Rob Stradling <r...@sectigo.com>; dev-secur...@mozilla.org; ry...@sleevi.com
Subject: Re: Are U-labels allowed in CN?
On Mon, May 24, 2021 at 3:22 AM Corey Bonnell <Corey....@digicert.com> wrote:
> Brandolini’s Law
I consider this passive aggressive behaviour. Which is at least
better than calling me a troll.
Like always, I've spend time researching this. I'm sorry that I do
not agree with you.
Clearly there has not been a consensus about this and other
things.
I think your continued message of "hold CAs to higher standards"
and the tone of your messages if someone doesn't agree with you is
stopping CAs from participating in discussions, and so learning to
understand things. I think your confidence in what you think is the
correct answer combined with the tone of your message is also
harmful.
> If Mozilla has chosen to ignore a requirement of the BRs - as they are free to do and have done so in the past, with a number of CAs - that doesn’t change the BRs.
Are you asserting that Mozilla has granted an exception to CAs for this supposed violation of the BRs?
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHHTE2h5NLBzF2FPEQ5-dmNMxy90b2us5CqeE7kLBUt4PA%40mail.gmail.com.
I wonder how much of these discussions could be avoided if the root programs and CA/B Forum came together to design a compliance linter which took inputs such as:
> That is up to Mozilla to clarify the past remark. As both Apple and Google highlighted both before and after Ballot 202, the language of the BRs and the RFCs do not permit U-Labels.
Ryan, I cannot agree with you that Google has made a clear statement concerning the prohibition on U-labels in the CN. In this message [1] on cabfpub (dated 2018-05-23, almost 10 months after the ballot 202 failure), the Chrome root program representative stated:
“CAs that encode in U-Label unfortunately facilitate greater
confusion, and thus are discouraged (and, should that ballot be brought
forward, forbidden) from doing so :)”
This is a clear statement that absent the passage of a further ballot, CAs are discouraged (but not forbidden) from encoding U-labels in the CN.
I want to raise this not to defend the practice of encoding U-labels in CN (conversely, the practice should go away), but obligating CAs to follow statements that are documented solely in a collection of mailing list posts that span several years and are seemingly contradictory to previous statements is a highly ineffective and dangerous way to state policy.
It is ineffective because it is very unlikely that any of the points raised will be incorporated into guidance for auditors and it is also highly unlikely that all CAs will share the same interpretation of messages that carry nuance. For example, in the post you directed Kurt to in early 2016 concerning the initial discussion of U-labels in CN, the Google Root program representative stated his interpretation “with my strict interpretation hat on”, which means it is not an absolute statement and/or conveys uncertainty and is not intended to be immediately actionable guidance for CAs. Similarly, the message from Apple after ballot 202 failed that you linked to contains similar indications of uncertainty, namely prefacing the entire message with “my understanding”. I hope we can agree that proper policies we expect to be followed must not contain such nuanced, uncertain language.
Similarly, treating random messages from Root Program representatives from various mailing lists as policy statements is dangerous. As we all know, messages in spirited discussions may be done in haste and not consider all relevant details, especially as the group’s shared understanding of the topic builds. Only through clearly stated documents that have undergone the appropriate review should policy be expressed. Expecting otherwise invites disaster, especially if a Root Program representative makes a statement that is based on a flawed understanding or incomplete information at the start or middle of a discussion.
Perhaps a crazy idea, but I think organizations that hold the literal keys to the Internet should be operated according to a set of well documented and understood policy documents and not a random assortment of mailing list posts that may or not may not be accurate or applicable today.
Thanks,
Corey
[1] https://lists.cabforum.org/pipermail/public/2018-May/045090.html
From: Ryan Sleevi <ry...@sleevi.com>
Sent: Monday, May 24, 2021 2:05 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: dev-secur...@mozilla.org
Subject: Re: Are U-labels allowed in CN?
On Mon, May 24, 2021 at 7:44 AM Corey Bonnell <Corey....@digicert.com> wrote:
[O]bligating CAs to follow statements that are documented solely in a collection of mailing list posts that span several years and are seemingly contradictory to previous statements is a highly ineffective and dangerous way to state policy.