Web Key Directory handling of IDN

Peter Lebbing peter at digitalbrains.com
Mon Nov 7 11:12:16 CET 2016


On 06/11/16 13:47, Jürgen Schäpker wrote:
> The local-part contains UTF-8 as well and isn't normalized (with e.g.
> ToASCII) in the current draft. This automatically leads to ambiguity
> for non-ASCII I'd think.

I don't think the standard is ambiguous about this: it says that you map
uppercase ASCII to lowercase and leave the rest unharmed.

But I think you mean the match is overspecific. However, you need to be
careful not to match more than the mail server does. I think this isn't
standardized anywhere; different mail servers do different things.[1]

Now suppose WKD would match more than the mail server would. I think
this is a real problem. Suppose you have <jürgen.schäpker at example.org>.
The mail server at example.org doesn't do any more than lowercasing
ASCII uppercase. This means I can still register
<jurgen.schapker at example.org>, and use that address. Now I create an
OpenPGP key with both e-mail addresses as UIDs, and register it through
example.org's Web Key Directory. If a search for the local part
jürgen.schäpker would search for jurgen.schapker instead, people would
end up downloading my OpenPGP key, not yours, and would then use it
since it holds the correct UID.

I think your matching behaviour needs to correspond as well as possible
to what the actual mail server does. It seems matching more specifically
is less bad than matching more broadly. I don't see the advantage of
using RFC 3490 ToASCII on the match at all, by the way? This doesn't
seem to actually broaden the match at all, it just encodes it
differently? I'm probably misunderstanding your point :).

On a completely different note, I think it's great you're giving the WKD
proposal a lot of thought and effort. Thanks for trying to make OpenPGP
and its use better!

I noticed something you said in the other thread I'd also like to reply
to, and since this thread seems to be about the same subject, I'll
copy-paste it here.

On 06/11/16 13:40, Jürgen Schäpker wrote:
> Example scenario: The WKD server is intended to provide keys for
> a.com, a.net, a.de, bass.de, baß.de, Äppelwoi.de etc. WKD is
> redirected from all those domains to some server at
> wkd.unrelated.com. At least from one of those domains redirection is
> done by a request-modifying reverse proxy, e.g. a.net requests reach
> the WKD with HOST reverse.nota.com.

If you're redirecting anyway, you can easily solve this. Let's suppose
bass.de and baß.de indicate the same e-mail accounts, and the others are
all individual. You'd simply redirect as follows:

https://bass.de/.well-known/openpgpkey/*
->
https://wkd.unrelated.com/bass.de/*

https://baß.de/.well-known/openpgpkey/*
->
https://wkd.unrelated.com/bass.de/*

https://a.com/.well-known/openpgpkey/*
->
https://wkd.unrelated.com/a.com/*

https://a.net/.well-known/openpgpkey/*
->
https://wkd.unrelated.com/a.net/*

etc. etc.

You can simply manually avoid UTF-8, by simply writing the redirect rule
to be:

https://äppelwoi.de/.well-known/openpgpkey/*
->
https://wkd.unrelated.com/appelwoi.e/*

HTH,

Peter.

[1] GMail even removes dots from the local part before matching! But you
certainly can't accommodate every strange behaviour, so let's not even
try to cope with that.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
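
Added example, not part of the original message or of GnuPG's code: a Python sketch of the matching concern above. It computes the WKD lookup hash (SHA-1 of the mapped local part, z-base-32 encoded, as in the WKD draft) under the ASCII-only lowercasing described in the message and under a hypothetical broader mapping that also strips diacritics. It assumes the mail server only lowercases ASCII; the names map_folding and colliding_pairs and the sample list are constructed for illustration.

```python
import base64
import hashlib
import unicodedata

# z-base-32 is standard base32 with a different alphabet; 160 bits -> 32 chars.
ZB32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                     "ybndrfg8ejkmcpqxot1uwisza345h769")
ASCII_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                            "abcdefghijklmnopqrstuvwxyz")

def map_ascii_only(local_part):
    """Mapping described in the message: lowercase ASCII, leave the rest alone."""
    return local_part.translate(ASCII_LOWER)

def map_folding(local_part):
    """Hypothetical broader mapping that also strips diacritics (not in the draft)."""
    decomposed = unicodedata.normalize("NFKD", local_part)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(ASCII_LOWER)

def wkd_hash(local_part, mapping=map_ascii_only):
    """SHA-1 of the mapped local part (UTF-8), encoded as z-base-32."""
    digest = hashlib.sha1(mapping(local_part).encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(ZB32)

def colliding_pairs(local_parts, mapping):
    """Pairs of mailboxes the mail server keeps apart but the directory merges."""
    seen, pairs = {}, []
    for lp in local_parts:
        h = wkd_hash(lp, mapping)
        # Same directory entry, yet different mailbox under ASCII-only lowercasing.
        if h in seen and map_ascii_only(seen[h]) != map_ascii_only(lp):
            pairs.append((seen[h], lp))
        seen.setdefault(h, lp)
    return pairs

# Constructed sample: the two mailboxes from the message plus a case variant.
# Escapes pin the precomposed (NFC) code points for the umlauts.
MAILBOXES = ["j\u00fcrgen.sch\u00e4pker", "J\u00fcrgen.Sch\u00e4pker",
             "jurgen.schapker"]

if __name__ == "__main__":
    for lp in MAILBOXES:
        print(lp, wkd_hash(lp), wkd_hash(lp, map_folding))
    print("ascii-only collisions:", colliding_pairs(MAILBOXES, map_ascii_only))
    print("folding collisions:   ", colliding_pairs(MAILBOXES, map_folding))
```

Run against a real list of local parts from the mail server, an empty result from colliding_pairs shows that the chosen mapping does not merge any two mailboxes the server treats as separate.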
