> On Jun 27, 2020, at 8:06 PM, Toerless Eckert <t...@cs.fau.de> wrote:
> 
> Thanks, Russ, inline
> 
> On Sat, Jun 27, 2020 at 05:27:46PM -0400, Russ Housley wrote:
>> Brian:
>> 
>>>> I think Brian actually made my point.  While the field contains an email 
>>>> address, using it as such would result in a delivery failure.  The private 
>>>> key holder cannot be reached by this address.
>>> 
>>> I don't see a requirement in RFC5280 that the email address in an 
>>> rfc822name must be reachable, or that it must belong to the private key 
>>> holder.
>> 
>> We seem to be interpreting RFC 5280, Sections 4.1.2.6 and 4.2.1.6 differently.
>> 
>> 4.1.2.6.  Subject
>> 
>>   The subject field identifies the entity associated with the public
>>   key stored in the subject public key field.  The subject name MAY be
>>   carried in the subject field and/or the subjectAltName extension.  ...
> 
> Yep. For purpose of ACP, we use rfc822Name, but the entity may get
> from registrar/CA other names too, such as any pre-existing, however
> formatted SN.
> 
>> 4.2.1.6.  Subject Alternative Name
>> 
>>   ...
>> 
>>   When the subjectAltName extension contains an Internet mail address,
>>   the address MUST be stored in the rfc822Name.
> 
> Yes. ACP does that.
> 
>>   The format of an
>>   rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821].
>>   A Mailbox has the form "Local-part@Domain".
> 
> Yes. ACP does that.
> 
>>   Note that a Mailbox has
>>   no phrase (such as a common name) before it, has no comment (text
>>   surrounded in parentheses) after it, and is not surrounded by "<" and
>>   ">".  Rules for encoding Internet mail addresses that include
>>   internationalized domain names are specified in Section 7.5.
> 
> Yes, ACP does that.
> 
>> Section 4.1.2 of RFC 2821 provides the ABNF for the Mailbox.
> 
> Yes, ACP matches that. Actually, when I did the ABNF, I had to go
> through a couple of RFCs because 2821 was superseded and I think I picked
> as references the now normative one, but have to go back and remember details.
> No actual change in the syntax AFAIK since RFC 2821.
> 
>> RFC 2821 says:
>> 
>>   As used in this specification, an "address" is a character string
>>   that identifies a user to whom mail will be sent or a location into
>>   which mail will be deposited.  The term "mailbox" refers to that
>>   depository. ...
>> 
>> So, the mailbox is the place that email gets sent to.
> 
> Do you think that this sentence makes an address of nore...@example.com
> an invalid email address, given that it does not receive email?
> 
> And please do not conflate this discussion with the use in certificates;
> your discussion points about RFC 2821 do not consider any
> certificate work, as RFC 5280 does not attempt to redefine anything.
> 
> Would you also like to legislate what "user" means? E.g., is
> lamps-requ...@ietf.org a valid email address in your reading, or does
> a user have to be a human?
> 
> In any case: ACP email addresses can perfectly well have mailboxes,
> 
> You also did not reply to my examples about other systems where
> email addresses are primarily used for non-mailbox purposes
> but still encoded in rfc822Name. I have seen no outlawing of
> this practice through IETF documents.

It is clear that nore...@example.com has the syntax of an email address, but 
there is no corresponding mailbox.  For that reason, it should not appear in a 
certificate.  It is the email address of the subject of the certificate.

Russ

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
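The rules the two sides keep quoting from RFC 5280 section 4.2.1.6 (a bare RFC 2821 / RFC 5321 Mailbox, no phrase, no comment, no angle brackets, IDNs per section 7.5) are mechanical enough to check. The checker below is an added example written for this archive page; it is not code from the thread, from the ACP specification or from any library. It transcribes the RFC 5321 section 4.1.2 ABNF (the successor of the RFC 2821 text quoted above, with the same Mailbox syntax) into regular expressions and reports the RFC 5280 encoding violations by name. Assumptions: address-literals such as "[192.0.2.1]" are rejected because RFC 5280 only names "Domain"; the sample values, including the '+'-separated local part standing in for a non-mailbox address of the kind the thread argues about, are constructed and are not ACP's actual format. What syntax cannot decide is the point actually in dispute: whether a mailbox exists behind the address.

```python
"""rfc822Name syntax checker for the RFC 5280 section 4.2.1.6 rules.

Added example, not code from the thread, the ACP drafts or any library.
An rfc822Name must be a bare RFC 5321 section 4.1.2 Mailbox,
"Local-part@Domain", with no display-name phrase, no parenthesised
comment and no surrounding "<" ">", and must be ASCII (RFC 5280
section 7.5: an internationalised domain is carried as A-labels).
Assumption: address-literals like "[192.0.2.1]" are rejected, since
RFC 5280 only mentions "Domain".
"""
from __future__ import annotations

import re

# RFC 5321 section 4.1.2 ABNF, transcribed as regular expressions.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"                   # atext (RFC 5322)
DOT_STRING = rf"{ATEXT}+(?:\.{ATEXT}+)*"                     # Atom *("." Atom)
QTEXT = r"[\x20\x21\x23-\x5b\x5d-\x7e]"                      # qtextSMTP
QPAIR = r"\\[\x20-\x7e]"                                     # quoted-pairSMTP
QUOTED_STRING = rf'"(?:{QTEXT}|{QPAIR})*"'
LOCAL_PART = rf"(?:{DOT_STRING}|{QUOTED_STRING})"
SUB_DOMAIN = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"     # Let-dig [Ldh-str]
DOMAIN = rf"{SUB_DOMAIN}(?:\.{SUB_DOMAIN})*"
MAILBOX_RE = re.compile(rf"(?P<local>{LOCAL_PART})@(?P<domain>{DOMAIN})")

# Violation strings, appended in a fixed order so callers can compare lists.
E_NON_ASCII = "non-ASCII characters: IDN domains must be A-labels (RFC 5280 s7.5)"
E_PHRASE = "display-name phrase before the address"
E_ANGLE = "address surrounded by '<' and '>'"
E_COMMENT = "comment in parentheses"
E_NO_AT = "no '@': not of the form Local-part@Domain"
E_SYNTAX = "not a Mailbox per RFC 5321 s4.1.2 ABNF"
E_LOCAL_LEN = "Local-part longer than 64 octets (RFC 5321 s4.5.3.1.1)"
E_DOMAIN_LEN = "Domain longer than 255 octets (RFC 5321 s4.5.3.1.2)"


def check_rfc822name(value: str) -> list[str]:
    """Return the rule violations for a candidate rfc822Name value.

    An empty list means the value is an acceptable rfc822Name encoding.
    The named RFC 5280 rules (phrase, brackets, comment) are reported
    before the generic ABNF failure so the reason is actionable.
    """
    problems: list[str] = []
    if not value.isascii():
        problems.append(E_NON_ASCII)
    # Anything before a "<" is a display-name phrase ("Alice <a@b>").
    if "<" in value and value.split("<", 1)[0].strip():
        problems.append(E_PHRASE)
    if value.startswith("<") or value.endswith(">"):
        problems.append(E_ANGLE)
    if "(" in value or ")" in value:
        problems.append(E_COMMENT)
    if "@" not in value:
        problems.append(E_NO_AT)
        return problems
    m = MAILBOX_RE.fullmatch(value)
    if m is None:
        if not problems:
            problems.append(E_SYNTAX)
        return problems
    if len(m["local"]) > 64:
        problems.append(E_LOCAL_LEN)
    if len(m["domain"]) > 255:
        problems.append(E_DOMAIN_LEN)
    return problems


if __name__ == "__main__":
    # Constructed samples.  The '+'-separated local part illustrates a
    # non-mailbox address of the kind the thread discusses; it is not
    # ACP's actual format.
    samples = [
        "alice@example.com",
        '"alice smith"@example.com',
        "noreply@example.com",
        "fd89b714f3db0000+area51@acp.example.com",
        "alice@xn--bcher-kva.example",
        "alice@b\u00fccher.example",
        "Alice Example <alice@example.com>",
        "<alice@example.com>",
        "alice@example.com (Alice)",
        ".alice@example.com",
    ]
    for s in samples:
        problems = check_rfc822name(s)
        print(f"{s!r:45} {'OK' if not problems else '; '.join(problems)}")
```

Run stand-alone, the script prints one line per sample; the first four, including the noreply address and the '+'-separated local part, pass the syntax check, which is exactly why the thread's disagreement cannot be settled by the ABNF alone.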