Dear Michael,

On Wed, Nov 14, 2018 at 5:18 PM Michael Casadevall <michael@casadevall.pro> wrote:
> Replies inline.
>
> On 11/14/18 3:04 AM, Dmitry Belyavsky wrote:
>> Dear John,
>> As I wrote before, I've started to implement RFC 8399, and the show-stopper for now is obtaining a set of test cases.
>
> The UASG document talking about library support has a list of test cases, although I'm not sure they're exhaustive. It's a starting point anyway.

Yes. The problem is to convert them into the test certificates :)

>> The OpenSSL team does not want to link OpenSSL with, say, libidn (and to implement IDN conversion inside the library for domains). I've found out that 2-3 functions inherited from RFC 3492 will fit all the purposes necessary to implement RFC 8399.
>
> Is there an email conversation or bug report I can read to catch up on upstream's current state of mind on this?

Sure. https://www.ietf.org/mail-archive/web/ietf/current/msg101105.html
Victor refers to libicu; it's not so hard, I wanted to link just with libidn :)
This letter is somewhere from the middle of the thread starting from https://www.ietf.org/mail-archive/web/ietf/current/msg100694.html
Plus I have some personal mail from Victor Dukhovni.

> Secondly, what's your current progress on this? It was your original posting that inspired me to look at this (and I think I commented on it then). OpenSSL is under a weird license, so they really can't link to external libraries and not to (L)GPL code, so adding the necessary support for U-labels will likely require rolling your own code or finding an implementation in the public domain and cutting it down to size for direct embedding in the BIO module of OpenSSL.

My current branch is here: https://github.com/beldmit/openssl/tree/rfc8398
I am currently able to recognize the EAI in a certificate and (badly) display it. I lack examples to test the chain limitations described in the RFC.

> Getting support for U-labels will be a major win for IDNs as it simplifies IDNs for all OpenSSL applications, and opens the door to getting EAI S/MIME working. I'd also like to see a fairly extensive shakedown of TLS in general with IDNs to see if we can shake loose any bugs, especially in regards to revocation, OCSP stapling, AIA, and certificate transparency.

Well, for now the A-labels seem to fit here more or less reasonably. IDN transformation can be done at a higher level, I think.

--
SY, Dmitry Belyavsky