Re: [openpgp] OpenPGP Web Key Directory I-D

"brian m. carlson" <> Fri, 09 November 2018 21:27 UTC


On Thu, Nov 08, 2018 at 07:59:24AM +0100, Werner Koch wrote:
> On Thu,  8 Nov 2018 02:25, said:
> > I definitely agree that lowercasing the address is wrong.  The RFCs say
> > that the local part is case sensitive, and there are many case-sensitive
> > systems on the Internet today.
> Please tell me a single publicly accessible system which is
> case-sensitive.  Ask any non-hacker about mail addresses; almost
> everyone enters mail addresses in whatever case they like.  I have seen
> many business cards which spell despite that the
> canonical address is  See also the OpenPGP DANE
> RFC for this.

My mail system is case sensitive.

Even ignoring me as an example, there's now SMTPUTF8, which means that
case folding is nontrivial.  Turkish has a dotted I and dotless I, and
case folding a Turkish email address in the traditional ASCII way could
produce invalid results even if the system is case-insensitive.  Greek
sigma case folds differently depending on position.  Moreover, I expect
some SMTPUTF8-capable systems don't case fold non-ASCII characters.

Even if you think this is not an issue, RFC 5321 requires that the
local-part "MUST be…assigned semantics only by the host specified", and
we should not knowingly violate other IETF RFCs in writing our own.
This is a MUST directive; it is not optional.

If you adopted Ian Jackson's suggestion to not hash the name, then case
sensitivity wouldn't be a concern; you could simply choose to let the
remote system accept whichever case you wanted.

brian m. carlson: Houston, Texas, US
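
Added example, not part of the original message or of any WKD implementation: it shows how three readings of "lowercase the local part" produce different hashed lookup names for the Turkish and Greek cases mentioned above. It assumes the hashed name is the SHA-1 of the folded local part encoded in z-base-32; the function names and sample local parts are constructed for illustration.

```python
import hashlib

# z-base-32 alphabet (assumed here as the encoding WKD applies to the SHA-1 digest)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """Encode bytes 5 bits at a time, most significant bits first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # zero-pad to a multiple of 5 bits
    bits = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def ascii_lower(s: str) -> str:
    """Map only A-Z to a-z; every non-ASCII character is left untouched."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)

# Three plausible meanings of "lowercase the local part".
FOLDS = {"ascii": ascii_lower, "lower": str.lower, "casefold": str.casefold}

def hashed_id(local_part: str, fold: str) -> str:
    """Fold, then SHA-1 the UTF-8 bytes, then z-base-32 (32 characters)."""
    folded = FOLDS[fold](local_part)
    return zbase32(hashlib.sha1(folded.encode("utf-8")).digest())

def compare(local_part: str) -> dict:
    """Return {fold name: (folded string, hashed id)} for one local part."""
    return {n: (f(local_part), hashed_id(local_part, n)) for n, f in FOLDS.items()}

# Constructed sample local parts, not taken from the thread.
SAMPLES = ["Joe.Doe", "İbrahim", "IŞIK", "ΟΔΥΣΣΕΥΣ"]

if __name__ == "__main__":
    for lp in SAMPLES:
        print(lp)
        for name, (folded, hid) in compare(lp).items():
            print(f"  {name:8} {folded!r:22} {hid}")
```

For the pure-ASCII sample all three folds agree; for the others a client and a server that pick different folds compute different lookup names for the same mailbox, and none of the folds yields the Turkish lowercase "ışık".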