Re: [openpgp] Web Key Directory I-D -07

Paul Wouters <paul@nohats.ca> Wed, 14 November 2018 15:27 UTC

Date: Wed, 14 Nov 2018 10:26:58 -0500
From: Paul Wouters <paul@nohats.ca>
To: Bart Butler <bartbutler@protonmail.com>
cc: "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <9J2v287mmh9FWFLrXjxZGnVjA8HNCHpPc2wyEDDqhGeKAhE7grR6JKFMRoHJfKSq9qcjDGRNfoJ5sEODERtP0Q==@protonmail.com>
Message-ID: <alpine.LRH.2.21.1811141020570.2540@bofh.nohats.ca>
References: <878t1xoz37.fsf@wheatstone.g10code.de> <9J2v287mmh9FWFLrXjxZGnVjA8HNCHpPc2wyEDDqhGeKAhE7grR6JKFMRoHJfKSq9qcjDGRNfoJ5sEODERtP0Q==@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ElFv2mmaC80WrnRICgeRa9_3lUk>
Subject: Re: [openpgp] Web Key Directory I-D -07

On Tue, 13 Nov 2018, Bart Butler wrote:

> I was wondering what you think about saying something like:
>
> The key MUST carry a
>   User ID packet ([RFC4880]) with what the server considers the canonical form of the requested mail address.
>
> So if I request from ProtonMail Bart.Butler@protonmail.com, I would get a key back with bartbutler@protonmail.com, and the clients could then prompt on unrecognized types of mismatches if desired because they would know that the server is returning the canonical form of the address.

We went through this with OPENPGPKEY and SMIMEA. You will get the SMTP
people blocking your draft when you try to interpret (or like above,
even rewrite) addresses based on "common mail provider rewrites". Their
firm belief is that only receiving SMTP servers can interpret email addresses.

Perhaps you want to take a look at the language used in those two
RFCs with respect to mapping email addresses to DNS. Some of it
applies here too, and you will have some new ones with special
characters in URLs.

This took a year to resolve for RFC 7929 and RFC 8162. So I recommend
you look at previous discussion on this topic on the openpgp and dane
mailing lists.

Paul

> -Bart
>
> Sent from ProtonMail, encrypted email based in Switzerland.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, November 13, 2018 6:02 AM, Werner Koch <wk@gnupg.org> wrote:
>
>> Hi!
>>
>> A new revision of the Web Key Directory I-D has been published:
>>
>> https://www.ietf.org/id/draft-koch-openpgp-webkey-service-07.txt
>>
>> Changes since -06 are:
>>
>> -   Specify the advanced method with the openpgpkey sub-domain.
>>
>> -   Specify the l=LOCAL-PART query parameter.
>>
>> -   Require the provider to filter the key for publication.
>>
>> -   Drop the use of DNS SRV records.
>>
>> See below for the gist of the change. GnuPG master implements the new
>> advanced method. You may use my address for testing. For now the SRV
>> method is still used as a fallback by GnuPG.
>>
>> Note that the domain name is now also part of the file name if the
>> openpgpkey sub-domain is used. This should make it easier to serve the
>> directory for several domains from a single server. This sub-domain
>> approach is similar to Mozilla's mail auto configuration [1].
>>
>> Shalom-Salam,
>>
>> Werner
>>
>> --8<---------------cut here---------------start------------->8---
>> There are two variants on how to form the request URI: The advanced
>> and the direct method. Implementations MUST first try the advanced
>> method. Only if the required sub-domain does not exist, they SHOULD
>> fall back to the direct method.
>>
>> The advanced method requires that a sub-domain with the fixed name
>> "openpgpkey" be created and queried. It constructs the URI from the
>> concatenation of these items:
>>
>> o The scheme "https://",
>>
>> o the domain-part,
>>
>> o the string "/.well-known/openpgpkey/",
>>
>> o the domain-part in lowercase,
>>
>> o the string "/hu/",
>>
>> o the above constructed 32 octet string,
>>
>> o the unchanged local-part as a parameter with name "l" using proper
>> percent escaping.
>>
>> An example for such an advanced method URI to lookup the key for
>> Joe.Doe@Example.ORG is:
>>
>> https://openpgpkey.example.org/.well-known/openpgpkey/
>> example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe
>>
>> (line has been wrapped for rendering purposes)
>>
>> The direct method requires no additional DNS entries and constructs
>> the URI from the concatenation of these items:
>>
>> o The scheme "https://",
>>
>> o the domain-part,
>>
>> o the string "/.well-known/openpgpkey/hu/",
>>
>> o the above constructed 32 octet string,
>>
>> o the unchanged local-part as a parameter with name "l" using proper
>> percent escaping.
>>
>> Example for a direct method URI:
>>
>> https://example.org/.well-known/openpgpkey/
>> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe
>>
>> (line has been wrapped for rendering purposes)
>>
>> [...]
>> The benefit of the advanced method is its greater flexibility in
>> setting up the Web Key Directory in environments where more than one
>> mail domain is hosted. DNS SRV resource records, as used in earlier
>> specifications of this protocol, posed a problem for implementations
>> which have only limited access to DNS resolvers. The direct method
>> is kept for backward compatibility and to allow providing a Web Key
>> Directory even without DNS change requirements.
>> --8<---------------cut here---------------end--------------->8---
>>
>> [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration
>>
>> --
>> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>> (Thoughts are free. Exceptions are governed by a federal law.)
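
The URI construction quoted from the -07 draft above, carried through as an added worked example. This is not code from the I-D, from GnuPG, or from anyone in this thread. It assumes three things the quoted excerpt does not spell out: that "the above constructed 32 octet string" is the z-base-32 encoding of the SHA-1 digest of the lower-cased local-part (as the draft's earlier sections specify), that the lower-casing is ASCII-only so the client never rewrites a non-ASCII local-part, and that the advanced method's host is "openpgpkey." followed by the domain-part, as in the draft's own example URI. The last function, `classify_uid_match`, is a hypothetical client-side check that only reports the kind of mismatch Bart describes (Bart.Butler vs bartbutler) and deliberately does not try to resolve it, which is Paul's point about who is allowed to interpret a local-part.

```python
"""WKD lookup URIs per the advanced and direct methods quoted above.

Added example; not code from the I-D, GnuPG, or anyone on this thread.
Assumptions, labelled: (1) the "32 octet string" is z-base-32(SHA-1(lower-cased
local-part)); (2) lower-casing is ASCII-only, so the client never rewrites a
local-part; (3) the advanced method's host is "openpgpkey." + domain-part, as
in the draft's example URI.
"""
import hashlib
import string
from urllib.parse import quote

# z-base-32 alphabet (Zooko); the same table GnuPG uses for WKD hashes.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def zbase32_encode(data):
    """z-base-32 encode bytes: 5-bit groups, no padding chars, last group zero-filled."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(acc >> nbits) & 0x1F])
        acc &= (1 << nbits) - 1          # keep only the not-yet-emitted bits
    if nbits:                            # 1..4 leftover bits: pad on the right
        out.append(ZB32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def ascii_lower(s):
    """ASCII-only lower-casing (assumption 2): non-ASCII characters pass through."""
    return s.translate(_ASCII_LOWER)


def split_address(addr):
    """Split at the last '@'. Deliberately no other interpretation of the local-part:
    as Paul notes above, only the receiving SMTP server may interpret it."""
    if "@" not in addr:
        raise ValueError("no '@' in address: %r" % addr)
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        raise ValueError("empty local-part or domain-part: %r" % addr)
    return local, domain


def wkd_hash(local_part):
    """The 32-character "hu" path segment (assumption 1)."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)        # 160 bits = exactly 32 z-base-32 characters


def wkd_uris(addr):
    """Return {'advanced': ..., 'direct': ...} for an address; clients try advanced first."""
    local, domain = split_address(addr)
    domain_lc = ascii_lower(domain)      # DNS names are case-insensitive; the path segment must be lowercase
    hu = wkd_hash(local)
    query = "?l=" + quote(local, safe="")   # unchanged local-part, percent-escaped
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s%s"
                    % (domain_lc, domain_lc, hu, query),
        "direct": "https://%s/.well-known/openpgpkey/hu/%s%s" % (domain_lc, hu, query),
    }


def classify_uid_match(requested, returned):
    """Compare the requested address with one found in a returned key's User ID.

    Returns 'exact', 'domain-differs', or 'local-part-differs'. The last case is
    Bart's Bart.Butler vs bartbutler example: the client can detect the difference
    but cannot decide on its own whether both name the same mailbox."""
    rl, rd = split_address(requested)
    ul, ud = split_address(returned)
    if ascii_lower(rd) != ascii_lower(ud):
        return "domain-differs"
    if rl == ul:
        return "exact"
    return "local-part-differs"


if __name__ == "__main__":
    for name, uri in wkd_uris("Joe.Doe@Example.ORG").items():
        print(name, uri)   # compare the hu segment with the draft's example URI above
    print(classify_uid_match("Bart.Butler@protonmail.com", "bartbutler@protonmail.com"))
```

Running the block prints both URIs for Joe.Doe@Example.ORG, so the hu segment can be compared against the draft's example above; the only per-address inputs are the ASCII-lower-cased local-part for the hash and the untouched local-part for the l= parameter, which is why a client using this construction never has to guess at provider-specific rewrites.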