17 May 2017
The IETF liaison to the Unicode Consortium has brought the text of an update to Unicode Technical Standard #39 to the attention of the Internet Architecture Board. In reviewing the text, we note that the document has changed scope and now contains a Security Profile for email identifiers in section 3.3. That section references the IETF’s EAI standards and notes that they do not contain conformance standards. It appears, however, not to recognize that the IETF has significant bodies of work both on email interoperability and on the matching of email addresses in security contexts (e.g. in RFC 5280 and its pending update, draft-housley-rfc5280-i18n-update-01).
We are concerned that the text in section 3.3 does not match the deployed landscape of local part matching and that systems built to conform to it would fail to interoperate with deployed Internet email systems. Further, we believe that it fails to adequately consider the need to align this matching with the standards which govern the use of email address in certificates and other security contexts. We would be happy to work with the Unicode Technical Committee to provide pointers to the appropriate IETF documents or to develop appropriate text should that be required.
In advance of that collaboration, we request that the Unicode Consortium remove section 3.3 from UTS #39 as soon as possible and mark it with an erratum if such removal cannot be immediate.
For the IAB