Re: [openpgp] Scoped trust (signatures)

Jon Callas <joncallas@icloud.com> Fri, 01 June 2018 07:25 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/3j-IidFzG_NxZrSbITOMqAyT2nM>


> On May 28, 2018, at 1:42 AM, Neal H. Walfield <neal@walfield.org> wrote:
> 
> On Mon, 28 May 2018 04:06:59 +0200,
> Jon Callas wrote:
>> Moreover, there's a regular expression helpfully defined in Section
>> 8 that is a pretty bog-simple language
> 
> Implementing regular expression support might be bog-simple, but I
> think it is still orders of magnitude more complicated than just a
> list of domains.  And, I think, the general lack of support for this
> feature is strong evidence that this is the case.
> 
> Thus, it seems to me, that making the complicated theoretically
> possible has made the simple practically impossible.  That's
> unfortunate.
> 
> Do you know of any examples where a list of domains is not sufficient?

As I alluded to in my previous missive, I think that a list of domains is harder than you think. My experience in dealing with other domain-based PKI leads me right there.

Does “example.com” match “mail.example.com”? Either yes or no is completely reasonable. Does “*.example.com” (which obviously matches “mail.example.com”) match “example.com”? In this case, I think that the answer is yes, but gentle persons can disagree. I’d just roll my eyes if you said no, because yeah, sure, there’s no problem in having your list of domains have both “example.com” and “*.example.com” to be explicit about it. I see the point.

Matching domains in the general case has all sorts of other weird edge cases especially in CCTLDs because many CCTLDs don’t issue anything on the bare country code. For example, for many years you couldn’t get “example.uk” but you could get “example.co.uk”. In any event, some CCTLDs allow a bare country code and some don’t. Do you take this into account in your list of domains? I think that an answer that is “whatever you put there is what we do” is a great answer, but there are people who will disagree. What about trailing dots on a domain? How are they handled?

I believe that a list of domains is harder than you think. Whatever decisions you make on the edge conditions of domains are something you yourself can do so that when I type in a list of domains, your interpretations will correctly be coded into it and that someone else will interpret them in the way you did.

Go look at the definition of regular expressions in RFC 4880. It’s basically just a paragraph. With my tongue partially in my cheek, I bet you can’t sort out what “list of domains” means in all the edge cases in less text than that definition of regular expressions. That is the reason that working group consensus went to the trouble of finding a minimal, utterly no-IP definition of a regular expression. It’s in a very real sense simpler than just about anything else.
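
The edge cases raised in the message above (bare domain versus subdomain, wildcard versus apex, trailing dot), as an added example that is not part of the original message or of any OpenPGP implementation. The `Policy` fields, `in_scope`, and the sample entries and hosts are constructed for illustration; the block shows two defensible readings of the same domain list disagreeing about which names a scoped trust signature would cover.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One implementer's answers to the open questions (hypothetical names)."""
    bare_covers_subdomains: bool  # does "example.com" match "mail.example.com"?
    wildcard_covers_apex: bool    # does "*.example.com" match "example.com"?
    strip_trailing_dot: bool      # is "example.com." the same as "example.com"?

def _norm(name: str, policy: Policy) -> str:
    name = name.lower()
    if policy.strip_trailing_dot and name.endswith("."):
        name = name[:-1]
    return name

def in_scope(host: str, entries: list[str], policy: Policy) -> bool:
    """Return True if host is covered by the domain list under this policy."""
    host = _norm(host, policy)
    for entry in entries:
        entry = _norm(entry, policy)
        if entry.startswith("*."):
            apex = entry[2:]
            # The leading dot keeps "notexample.org" from matching "*.example.org".
            if host.endswith("." + apex):
                return True
            if policy.wildcard_covers_apex and host == apex:
                return True
        elif host == entry:
            return True
        elif policy.bare_covers_subdomains and host.endswith("." + entry):
            return True
    return False

def disagreements(entries, hosts, a: Policy, b: Policy) -> list[str]:
    """Hosts that the two policies classify differently for the same list."""
    return [h for h in hosts if in_scope(h, entries, a) != in_scope(h, entries, b)]

STRICT = Policy(False, False, False)  # "whatever you put there is what we do"
LOOSE = Policy(True, True, True)      # the permissive answer to each question

# Constructed sample data.
ENTRIES = ["example.com", "*.example.org"]
HOSTS = ["example.com", "mail.example.com", "example.org",
         "mail.example.org", "example.com.", "notexample.com"]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:18} strict={in_scope(h, ENTRIES, STRICT)!s:5} "
              f"loose={in_scope(h, ENTRIES, LOOSE)}")
    print("disagree on:", disagreements(ENTRIES, HOSTS, STRICT, LOOSE))
```

Half of the sample hosts land on different sides of the scope boundary depending on the reading, so a signer and a verifier running different implementations would not agree on what was delegated.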