[UA-discuss] OpenSSL, was Where should IDN translation happen?

Dmitry Belyavsky beldmit at gmail.com
Wed Nov 14 15:18:10 UTC 2018


Dear Michael,


On Wed, Nov 14, 2018 at 5:18 PM Michael Casadevall <michael at casadevall.pro>
wrote:

> Replies inline.
>
> On 11/14/18 3:04 AM, Dmitry Belyavsky wrote:
> > Dear John,
> >
> > As I wrote before, I've started to implement RFC 8399 and the
> > show-stopper for now is obtaining a set of test cases.
> >
>
> The UASG document talking about library support has a list of test cases
> although I'm not sure they're exhaustive. It's a starting point anyway.
>

Yes. The problem is to convert them into test certificates :)

> > OpenSSL team does not want to link OpenSSL with, say, libidn (and to
> > implement IDN conversion inside the library for domains).
> > I've found out that 2-3 functions inherited from RFC 3492 will fit all
> > the purposes necessary to implement RFC 8399.
> >
>
> Is there an email conversation or bug report I can read to catch up on
> upstream's current state of mind on this?
>

Sure.
https://www.ietf.org/mail-archive/web/ietf/current/msg101105.html

Victor refers to libicu; it's not so hard, I wanted to link just with
libidn :)

This letter is from somewhere in the middle of the thread starting at
https://www.ietf.org/mail-archive/web/ietf/current/msg100694.html

Plus I have some personal mail from Victor Dukhovni.


> Secondly, what's your current progress on this? It was your original
> posting that inspired me to look at this (and I think I commented on it
> then). OpenSSL is under a weird license so they really can't link to
> external libraries and not to (L)GPL code so adding the necessary
> support for U-labels will likely require rolling your own code or
> finding an implementation in the public domain and cutting it down to
> size for direct embedding in the BIO module of OpenSSL.
>

My current branch is here:
https://github.com/beldmit/openssl/tree/rfc8398

I am currently able to recognize the EAI in a certificate and (badly)
display it.
I lack examples to test the chain limitations described in the RFC.


> Getting support for U-labels will be a major win for IDNs as it
> simplifies IDNs for all OpenSSL applications, and opens the door to
> getting EAI S/MIME working. I'd also like to see a fairly extensive
> shakedown of TLS in general with IDNs to see if we can shake loose any
> bugs especially in regards to revocation, OCSP stapling, AIA, and
> certificate transparency.
>

Well, for now the A-labels seem to fit here more or less reasonably.
IDN transformation can be done at a higher level, I think.

-- 
SY, Dmitry Belyavsky
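
The point quoted in this message, that a few functions derived from RFC 3492 are enough to handle IDN labels without linking libidn or libicu, shown as an added example (not code from the rfc8398 branch or from OpenSSL): a bounds- and overflow-checked Punycode decoder that turns the part of an A-label after "xn--" into Unicode code points. The function names and signature are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700 };
static unsigned adapt(unsigned delta, unsigned npoints, int first)
{                                     /* bias adaptation, RFC 3492 6.1 */
    unsigned k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / npoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}
static int digit(int c)               /* a-z/A-Z => 0..25, 0-9 => 26..35 */
{
    if (c >= '0' && c <= '9') return c - '0' + 26;
    c |= 0x20;                        /* fold ASCII upper case to lower */
    return (c >= 'a' && c <= 'z') ? c - 'a' : -1;
}
/* Decode a label body (after "xn--") into code points.
 * Returns the number of code points written, or -1 on malformed input. */
int punycode_decode(const char *in, size_t inlen, unsigned *out, size_t max)
{
    unsigned n = 128, i = 0, bias = 72;
    size_t len = 0, b = 0, pos, j;
    for (j = 0; j < inlen; j++)
        if (in[j] == '-') b = j;      /* last delimiter ends the basic part */
    if (b > max) return -1;
    for (j = 0; j < b; j++)           /* basic code points must be ASCII */
        if ((out[len++] = (unsigned char)in[j]) >= 0x80) return -1;
    for (pos = b ? b + 1 : 0; pos < inlen; len++) {
        unsigned oldi = i, w = 1, k, t;
        for (k = BASE; ; k += BASE) { /* one variable-length integer */
            int d = pos < inlen ? digit((unsigned char)in[pos++]) : -1;
            if (d < 0 || (unsigned)d > (UINT_MAX - i) / w) return -1;
            i += (unsigned)d * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if ((unsigned)d < t) break;
            if (w > UINT_MAX / (BASE - t)) return -1;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned)len + 1, oldi == 0);
        if (i / (len + 1) > 0x10FFFF - n || len >= max) return -1;
        n += i / (unsigned)(len + 1); /* code point to insert */
        i %= (unsigned)(len + 1);     /* position to insert it at */
        memmove(out + i + 1, out + i, (len - i) * sizeof *out);
        out[i++] = n;
    }
    return (int)len;
}
```

Truncated integers, arithmetic overflow, code points above U+10FFFF and an undersized output buffer are all rejected with -1 rather than decoded partially, which matters when the input comes from an untrusted certificate.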