IETF Logo Mail Archive

[DNSOP] Re: [art] Re: DNS-designated Public Key Authorities (DKA)

John C Klensin <john-ietf@jck.com> Sat, 30 May 2026 21:29 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 248E1F8235EF; Sat, 30 May 2026 14:29:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780176572; bh=x8G+4Gte54hFuwaXLDvc0kerwa7Bp2zwSqSyX2cPF3w=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Z4xTaAVj4g8zi4fiub5l29msWb9n3aw8+UDlkpkHv+u/0G1PfyQ3TmxB3Pv28ZqcM FIP0yarDBurXKaHGahBmBz6JGtuBEpSs7LzFqBxPVdd9eyidVJVWUyxPyAe/dWXXFb lNq6yyIKsHyw6CDYKdPGRxwu7Ll56azPSFnVEYTw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TcSRrLnLwNav; Sat, 30 May 2026 14:29:31 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) by mail2.ietf.org (Postfix) with ESMTP id 850FFF8235EA; Sat, 30 May 2026 14:29:30 -0700 (PDT)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1wTRF7-000JNC-Pk; Sat, 30 May 2026 17:29:17 -0400
Date: Sat, 30 May 2026 17:29:12 -0400
From: John C Klensin <john-ietf@jck.com>
To: John Levine <johnl@ietf.email>, art@ietf.org, dnsop@ietf.org
Message-ID: <1A18D79D7FBA2284699B8B0D@PSB>
In-Reply-To: <20260530183322.CD8D210E6AB4C@ary.qy>
References: <BL1PR11MB5269D5F602EA7DE2DC9B8014C6162@BL1PR11MB5269.namp rd11.prod.outlook.com> <CAOdQrVMja+tag+YZbKkSbapVChZwWoKARZ-Y7GFWfYY-LmzzuQ@mail.gmail.com> <CAKhC=ahn7kqtsMnZSddGQxqv1eTpKiKrRwCumJ6yj3D5VQusPA@mail.gmail.com> <20260530183322.CD8D210E6AB4C@ary.qy>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Message-ID-Hash: 7N53W3O5TMGLP7WRSTK65ZDEWOUH6LD4
X-Message-ID-Hash: 7N53W3O5TMGLP7WRSTK65ZDEWOUH6LD4
X-MailFrom: john-ietf@jck.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: bob.traverz@gmail.com
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [art] Re: DNS-designated Public Key Authorities (DKA)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PhXwui_gAGksUtofMoMQgdlSIHY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

I strongly agree with John's comments below.   A few additions
inline...

--On Saturday, May 30, 2026 14:33 -0400 John Levine
<johnl@ietf.email> wrote:

> It appears that Bob Traverz  <bob.traverz@gmail.com> said:
>>  - Normalization Rules: Before banning dot-removal or plus-tag
>>  stripping, I recommend checking the current practices of Gmail
>> and Outlook. This will ensure your specification caters to the
>> majority of email IDs.
> 
> Hi, mail person here. Our RFCs are quite clear that the local part
> of an address is completely opaque. Any assumptions you make about
> normalizing local parts are wrong, both in theory and in practice.
> This is a very hard problem, many people have tried to solve it in
> the past, and they've all failed.

This even applies to things as seemingly obvious as
case-insensitivity for all-ASCII addresses.  The practice of assuming
that bob@example.com and BOB@example.com are the same address is
common enough that that standards warn treating them as different but
the actual rule is even mapping one of those into the other prior to
final delivery may result in mishandled messages.

> Gmail ignores dots so example@gmail.com and e.x.a.m.p.l.e@gmail.com
> are equivalent, but I do not know any other system that does that.
> Sometimes bob.smith@example.com and bobsmith@example.com are the
> same, usually they are not.  Sometimes a system manually adds
> dotted and dotted variants to their alias tables, so it's only as
> consistent as the maintainer makes it.
> 
> Some systems allow plus tags, some don't. Some use other characters
> than plus. It's not even consistent on a single system -- on mine,
> some foo-bar addresses go to the same places as foo, some don't.

And some systems that allow plus "tags" think they are noise and
remove them, i.e., treating bob+smith@example.com as
bobsmith@example.com.   Others are sure they represent subaddresses
(or, in their vocabulary, a special form of alias).  Still others,
for any sort of authentication or comparison purposes, consider only
bob@example.com with bob+smith@example.com and bob+jones@example.com
equivalent to it and each other.  And, as John suggests, some believe
that "-", and maybe "%" or "/", the latter of which used to be
meaningful for mail routing and may still be in some places, are
equivalent to "+".

> Since we added EAI addresses which allow UTF-8 characters in
> addresses, you can't even do case folding reliably since it's
> language specific.  As a famous example lower case i and upper case
> I are equivalent in most European languages, but not in Turkish
> where dotted and undotted i are different characters with upper and
> lower case versions of both.  There are lots of other variations
> like ö which in German is considered a short version of oe but in
> Scandinavian languages is not.

See above about case folding even with all-ASCII addresses.  And,
since John picked on German, consider "ß" (U+00DF), which is
equivalent to "ss" except where it isn't.

> People have tried to come up with rule sets about mail systems'
> normalizations. It doesn't work for two reasons. One is that in most
> cases you don't know what a system's rules really are (what does
> Gmail do with two dots in a row?), the other is that there are more
> mail systems than you know, and you'll never have a complete set.

Exactly.

> The usual approach is to pretend none of this matters and to invent
> a scheme that will fail randomly on addresses that don't make the
> same assumptions you do.  In this case you can do better, since you
> can pass the unmodified local part to the keyserver and it can do
> whatever the local policy is to the address and return the actual
> key.

As long as the keyserver actually knows what the conventions of the
destination system are.  But please remember that the price of
inventing a system like this and getting it wrong is essentially to
tell users or organizations using other systems that their systems
(some of which may have been widely deployed and used for decades)
are illegitimate and do not deserve to send or refuse mail.  To
suggest that would be a bad idea, and a worse one for the IETF to
consider saying it, would be an understatement.

   john

v2.46.0 | Report a Bug | By Email | System Status