Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

"Jim Schaad" <ietf@augustcellars.com> Mon, 23 February 2015 20:40 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Warren Kumari' <warren@kumari.net>, dane@ietf.org
Date: Mon, 23 Feb 2015 12:39:24 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/MZv5WPCI5pv_75FTV6U3sBuvkGI>


> -----Original Message-----
> From: dane [mailto:dane-bounces@ietf.org] On Behalf Of Warren Kumari
> Sent: Monday, February 23, 2015 9:31 AM
> To: <dane@ietf.org>
> Subject: Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
> 
> [ Meta top post ]
> 
> I'd like to also draw attention to the "companion" document draft-ietf-dane-openpgpkey-usage
> ( http://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey-usage/ ), which describes usage
> of openpgpkey records, and following CNAMES.
> 
> On Sun, Feb 22, 2015 at 11:08 PM, Viktor Dukhovni <ietf-
> dane@dukhovni.org> wrote:
> > On Sun, Feb 22, 2015 at 07:58:19PM -0800, Jim Schaad wrote:
> >
> >> I am on a case sensitive receiving domain.
> >> There are two recipients - JimSch and jimsch on the domain.
> >> jimsch has a record but JimSch does not.
> >> I now try and send mail to JimSch but get a key for jimsch.
> >
> > You forgot to hash the tag with the case-folded name.
> >
> > Speaking of which, IIRC neither the OPENPGPKEY nor the SMIMEA draft
> > explicitly mentions what to do about quoted localparts:
> >
> >         "Sam.Jr."@example.com
> >
> > The localpart is not a dot-atom, and thus requires double-quotes.
> > My contention is that in this case the input to SHA2-224 MUST include
> > the quotes:
> >
> >         SHA2-224("Sam.Jr.")
> >
> > not
> >
> >         SHA2-224("Sam.Jr.")
> >
> > In this case the simplest tagging scheme is:
> >
> >         JimSch                  - unfolded hash input
> >         jimsch@lowercase        - folded hash input
> >
> > any email address of the form:
> >
> >         "jimsch@lowercase"@example.com
> >
> > would be hashed together with the quotes!
> >
> > I don't have a pointer to my original proposal handy, check the
> > archives.  It is something along these lines.
> 
> I *think* that the proposal is in this email:
> http://www.ietf.org/mail-archive/web/dane/current/msg07163.html
> (Viktor, 11 Dec 2014)
> 
> This seemed to be mostly met with acceptance (or, at least closer than many
> of the other options!), but didn't address the user+tag@ or
> johnsmith=john.smith=jo.hn.sm.th special handling the gMail does.
> A potential, but icky solution to those could be synthesized records.

If we are going to deal with these cases then there are a number of other
problems that need to be addressed.  Specifically the fact that there is
going to be a problem matching email addresses found in the PGP key ring
with those that are on the to/from line of a mail message.

MUAs have traditionally just done simple comparisons of names; they are not
going to be able to handle the type of thing where google starts removing
periods from the name.

A person is going to say - send me that and here is my address.  If it has
funny things in it, that is going to need to be matched in the PGP key ring.
I don't know how common that is for PGP, but it was rare in the S/MIME world
when I was doing work there.

Even case folding is not a requirement for S/MIME clients on doing name
comparisons of the address in the headers as compared with the address in
the certificate.

There are two different names that need to be dealt with:

1.  The name the owner of the mail box thinks is being used.
2.  The name that the mail system thinks is being used for the mail box.

If these names differ by more than case, then there are going to be a great
number of failures in comparisons between from and to fields and the email
address in either a certificate or a key ring.  While there are stupid
folding rules that have been implemented by different systems, they are
going to lead to problems if they are not recognized by the owner of the
mail box.  If I think the address is John.Doe@google.com and put that into a
key ring and the From address is JohnDoe@google.com then there is never
going to be a successful match by an MUA to begin with.

Jim

> 
> I'd just like to note that having a single rule for mapping ascii addresses
> (e.g lowercase, s/\.//g, s/\+.*// ) sure would have been nice. Next time
> someone has access to a time machine...
> 
> W
> 
> >
> > --
> >         Viktor.
> >
> > _______________________________________________
> > dane mailing list
> > dane@ietf.org
> > https://www.ietf.org/mailman/listinfo/dane
> 
> 
> 
> --
> I don't think the execution is relevant when it was obviously a bad idea in the
> first place.
> This is like putting rabid weasels in your pants, and later expressing regret at
> having chosen those particular rabid weasels and that pair of pants.
>    ---maf
> 
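The owner-name derivation the thread is arguing about, as an added example (not code from the draft or from any poster): it hashes the local part with SHA2-224 as quoted above, follows the tagging scheme Viktor describes (an unfolded dot-atom hashed as written, the case-folded form tagged with "@lowercase", a quoted local part hashed together with its quotes), and reproduces Jim's JimSch/jimsch collision. The function names, the example.com addresses and the dot-atom regex are my own assumptions; backslash escapes inside quoted strings are not handled.

```python
import hashlib
import re

# RFC 5322 dot-atom: runs of atext separated by single dots, no leading/trailing dot.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM_RE = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")


def split_address(addr):
    """Split a mailbox into (localpart, domain); a quoted localpart keeps its quotes.
    Assumption/simplification: backslash escapes inside the quoted string are not handled."""
    if addr.startswith('"'):
        close = addr.index('"', 1)
        if addr[close + 1] != "@":
            raise ValueError(f"malformed quoted localpart: {addr}")
        return addr[:close + 1], addr[close + 2:]
    local, sep, domain = addr.rpartition("@")
    if not sep:
        raise ValueError(f"no domain in: {addr}")
    return local, domain


def hash_input(localpart, fold=False):
    """Return the string that gets hashed, per the tagging scheme quoted in the thread:
    - a dot-atom localpart is hashed as written (unfolded lookup);
    - a case-folded lookup hashes lowercase(localpart) + '@lowercase';
    - a quoted localpart is hashed *with* its quotes, so the mailbox
      "jimsch@lowercase"@example.com can never collide with the folded tag for jimsch."""
    if localpart.startswith('"') and localpart.endswith('"'):
        return localpart
    if not _DOT_ATOM_RE.match(localpart):
        raise ValueError(f"localpart must be a dot-atom or quoted: {localpart!r}")
    return localpart.lower() + "@lowercase" if fold else localpart


def owner_name(addr, fold=False):
    """OPENPGPKEY owner name: hex(SHA2-224(hash input))._openpgpkey.<domain>."""
    local, domain = split_address(addr)
    digest = hashlib.sha224(hash_input(local, fold).encode("utf-8")).hexdigest()
    return f"{digest}._openpgpkey.{domain}"


def same_record(addr_a, addr_b, fold=False):
    """True when two addresses are looked up under the same owner name."""
    return owner_name(addr_a, fold) == owner_name(addr_b, fold)


if __name__ == "__main__":
    # Jim's case-sensitive domain: JimSch and jimsch are distinct mailboxes.
    print(same_record("JimSch@example.com", "jimsch@example.com"))             # False
    print(same_record("JimSch@example.com", "jimsch@example.com", fold=True))  # True
    # Viktor's quoted localpart: the quotes are part of the hash input.
    print(hash_input('"Sam.Jr."'))                                              # "Sam.Jr."
    print(hash_input('"jimsch@lowercase"') == hash_input("JimSch", fold=True))  # False
```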