Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

[Brian Dickson <brian.peter.dickson@gmail.com>]

On Mon, Feb 23, 2015 at 10:18 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Mon, Feb 23, 2015 at 12:31:09PM -0500, Warren Kumari wrote:
>
> > I *think* that the proposal is in this email:
> > http://www.ietf.org/mail-archive/web/dane/current/msg07163.html
> > (Viktor, 11 Dec 2014)
> >
> > This seemed to be mostly met with acceptance (or, at least closer than
> > many of the other options!), but didn't address the user+tag@ or
> > johnsmith=john.smith=jo.hn.sm.th special hanging the gMail does.
> > A potential, but icky solution to those could be synthesized records.
>
> If the goal is to go beyond case-folding, then we'd have to seriously
> consider publishing the data via a DANE-authenticated HTTPS service
> rather than directly in DNS.  The service would then be able to
> apply whatever lookup transformations are locally applicable.
>
> I'm not sensing much appetite for moving away from per-user records
> in DNS, so case-folding can be handled, but fancier variants are
> I think beyond what can be done with the logic mostly on the client
> side.
>
>
I think maybe this needs to be broken out as a separate mini-document.
However, I think the right time to do this is NOW.

Here's the reasoning to support "NOW" for when to address this issue:
- right now, there aren't any clients doing the DANE s/mime or pgp thing
yet (I believe)
- if everyone implementing the DANE stuff for clients has the same rules to
work from, much happiness ensues
- if, on the other hand, all the DANE stuff gets built without the extra
"case-folding++" logic, it becomes a missed opportunity that can never be
addressed successfully (shutting the barn door after the horse has left)

The thing to do, IMHO, is identify ALL of the specific things that anyone
does in MUA/MTA name-handling, beyond case folding. I think even
standardizing a signaling for case-folding of names is beneficial.

The difference between PGP keyrings and DANE, is that users are responsible
for adding any "case folding" aliases into their PGP keyrings, e.g. as
child alias for their main fingerprint (or whatever the correct terminology
is for that). On the other hand, domain-based user aliasing is, by
definition, known by and generally able to be handled by, the admin for the
domain.

My suggestion would be to have some kind of _THING defined, which is
well-known, and which is queried, that lists the specific username-folding
ruleset(s). E.g. _casefold TXT "lc" for lowercase as the canonical form, or
_casefold TXT "lc nodots" for removing any dots, and converting to
lowercase, or _casefold  TXT "lc trimplus".

Having a canonical list of these NOW, means coding for DANE S/MIME and DANE
PGP can include this, and then it is up to the zone publisher to do the
right thing.

My $0.02.

Brian