Dear Michael,


On Wed, Nov 14, 2018 at 5:18 PM Michael Casadevall <michael@casadevall.pro> wrote:
Replies inline.

On 11/14/18 3:04 AM, Dmitry Belyavsky wrote:
> Dear John,
>
> As I wrote before, I've started to implement RFC 8399 and the
> show-stopper for now is obtaining a set of test cases.
>

The UASG document talking about library support has a list of test cases
although I'm not sure they're exhaustive. It's a starting point anyway.

Yes. The problem is to convert them into test certificates :)

> The OpenSSL team does not want to link OpenSSL with, say, libidn (and to
> implement IDN conversion inside the library for domains).
> I've found out that 2-3 functions inherited from RFC 3492 will fit all
> the purposes necessary to implement RFC 8399.
>

Is there an email conversation or bug report I can read to catch up on
upstream's current state of mind on this?

Sure. 

Victor refers to libicu; it's not so hard, I wanted to link just with libidn :)

This letter is somewhere from the middle of the thread starting from 

Plus I have some personal mail from Victor Dukhovni.


Secondly, what's your current progress on this? It was your original
posting that inspired me to look at this (and I think I commented on it
then). OpenSSL is under a weird license so they really can't link to
external libraries and not to (L)GPL code so adding the necessary
support for U-labels will likely require rolling your own code or
finding an implementation in the public domain and cutting it down to
size for direct embedding in the BIO module of OpenSSL.

My current branch is here:

I am currently able to recognize the EAI in a certificate and (badly) display it.
I lack examples to test the chain limitations described in the RFC.


Getting support for U-labels will be a major win for IDNs as it
simplifies IDNs for all OpenSSL applications, and opens the door to
getting EAI S/MIME working. I'd also like to see a fairly extensive
shakedown of TLS in general with IDNs to see if we can shake loose any
bugs especially in regards to revocation, OCSP stapling, AIA, and
certificate transparency.

Well, for now the A-labels seem to fit here more or less reasonably.
IDN transformation can be done at a higher level, I think.

--
SY, Dmitry Belyavsky
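
The kind of RFC 3492 routine the thread refers to, as an added example that is not part of the original message and is not OpenSSL's or the author's code: a bounds-checked Punycode decoder that turns the part of an A-label after "xn--" into Unicode code points, following the decoding procedure of RFC 3492 section 6.2. The names digit_value, adapt and punycode_decode are chosen here for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Punycode parameters from RFC 3492, section 5. */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700 };

static uint32_t digit_value(char c) { /* a-z/A-Z = 0..25, 0-9 = 26..35, else BASE */
    if (c >= '0' && c <= '9') return (uint32_t)(c - '0') + 26;
    if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
    return (c >= 'a' && c <= 'z') ? (uint32_t)(c - 'a') : BASE;
}

static uint32_t adapt(uint32_t delta, uint32_t numpoints, int first) { /* RFC 3492, 6.1 */
    uint32_t k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/* Decode the text after "xn--" into code points (RFC 3492, section 6.2).
 * Returns the count, or -1 on malformed input, overflow or a full buffer. */
int punycode_decode(const char *in, uint32_t *out, uint32_t max_out) {
    uint32_t pos, cnt = 0, n = 128, i = 0, bias = 72, oldi, w, k, t, d;
    const char *delim = strrchr(in, '-');
    for (; delim != NULL && in + cnt < delim; cnt++) { /* literal ASCII part */
        if (cnt >= max_out || (unsigned char)in[cnt] >= 0x80) return -1;
        out[cnt] = (unsigned char)in[cnt];
    }
    pos = cnt ? cnt + 1 : 0;
    while (in[pos] != '\0') {
        for (oldi = i, w = 1, k = BASE; ; k += BASE) {
            if ((d = digit_value(in[pos++])) >= BASE) return -1; /* also hits NUL */
            if (d > (UINT32_MAX - i) / w) return -1;
            i += d * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if (d < t) break;
            if (w > UINT32_MAX / (BASE - t)) return -1;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, cnt + 1, oldi == 0);
        if (cnt >= max_out || i / (cnt + 1) > 0x10FFFF - n) return -1;
        n += i / (cnt + 1);
        i %= cnt + 1;
        memmove(out + i + 1, out + i, (cnt - i) * sizeof(*out));
        out[i++] = n;
        cnt++;
    }
    return (int)cnt;
}
```

The caller strips the "xn--" prefix and still has to encode the code points as UTF-8 and apply the IDNA validity rules before comparing the result with a U-label; this block covers only the RFC 3492 step.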