Re: Web Key Directory handling of IDN

Jürgen Schäpker Juergen.Schaepker at
Mon Nov 7 13:58:39 CET 2016


>I don't think the standard is ambiguous about this: it says that you map
>uppercase ASCII to lowercase and leave the rest unharmed.

The current draft WKD will only be able to find non-ASCII address hashes by pure chance. MUAs can look for the hashes of Öyvind at and öyvind at, and only for one of them will the WKD return a result.

>Now suppose WKD would match more than the mail server would. I think
>this is a real problem. Suppose you have <jürgen.schäpker at>.
>The mail server at doesn't do any more than lowercasing
>ASCII uppercase. This means I can still register
><jurgen.schapker at>, and use that address. Now I create an
>OpenPGP key with both e-mail addresses as UID's, and register it through
>'s Web Key Directory. If a search for the local part
>jürgen.schäpker would search for jurgen.schapker instead, people would
>end up downloading my OpenPGP key, not yours, and would then use it
>since it holds the correct UID.

"a" is not the normalized form of "ä". To get a clearer picture of an IDNA2003 conversion, try:

Jürgen and jürgen convert to xn--jrgen-kva
ÜÖÄß and üöäß convert to xn--ss-uia5e3a
Ümit.Eminoğlu and ümit.eminoğlu convert to xn--mit-goa.xn--eminolu-rbb
Öyvind.Fahlström@Ücker-Häß and öyvind.fahlström@ücker-häß convert to xn--yvind-iua.xn--fahlstrm-t4a at
Øyvind.Brække@Ücker-Häß and øyvind.brække@ücker-häß convert to xn--yvind-uua.xn--brkke-tra at

The point is having a normalized string on both client and server.

Of course IDNA2003 is not perfect (e.g. for ß) but just ignoring non-ASCII upper/lower case is not an option.

>> At least from one of those domains redirection is
>> done by a request-modifying reverse proxy, e.g. requests reach
>> the WKD with HOST

>If you're redirecting anyway, you can easily solve this. 

No. Not if you don't control the redirecting server. We should not assume that the person attempting to introduce/install WKD has control over all servers involved, specifically not in international companies with all kinds of political bullshit involved. You simply cannot rely on the request host being unmodified and you cannot rely on finding a single god admin for all domains that should be served by a single WKD.

If there is no valid technical reason for a requirement that will limit a standard's applicability, it should not be in the standard.

Best regards,
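The two lookups from the first paragraph (Öyvind versus öyvind) worked through as an added example; this is not code from the mail or from GnuPG. It assumes the draft's hashed local part is SHA-1 over the UTF-8 bytes of the ASCII-lowercased local part, z-base-32 encoded, and uses Python's built-in IDNA2003 codec (nameprep plus punycode) to stand in for the normalization the mail proposes.

```python
import hashlib

# z-base-32 alphabet used by the WKD draft for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding; 20 SHA-1 bytes give 32 chars."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)  # pad the last group up to 5 bits
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def ascii_lowercase(local_part: str) -> str:
    """The draft's mapping: fold only ASCII A-Z, leave everything else untouched."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in local_part)


def draft_hash(local_part: str) -> str:
    """Hashed local part as the draft describes it; non-ASCII is hashed as UTF-8
    (an assumption made here, the draft text quoted above says nothing about it)."""
    mapped = ascii_lowercase(local_part).encode("utf-8")
    return zbase32(hashlib.sha1(mapped).digest())


def idna2003_local_part(local_part: str) -> str:
    """Normalize the way the mail proposes: the draft's ASCII folding first, then
    nameprep (case folding, NFKC, ss for ß) and punycode via Python's IDNA2003
    codec, so client and server both hash one ASCII string. Dots in the local
    part become label separators, as in the conversions listed above."""
    return ascii_lowercase(local_part).encode("idna").decode("ascii")


def normalized_hash(local_part: str) -> str:
    """Hashed local part computed over the IDNA2003-normalized form."""
    normalized = idna2003_local_part(local_part).encode("ascii")
    return zbase32(hashlib.sha1(normalized).digest())


if __name__ == "__main__":
    for upper, lower in [("Öyvind", "öyvind"), ("Jürgen", "jürgen"), ("ÜÖÄß", "üöäß")]:
        print(f"{upper}/{lower}: draft hashes equal?      "
              f"{draft_hash(upper) == draft_hash(lower)}")
        print(f"{upper}/{lower}: normalized hashes equal? "
              f"{normalized_hash(upper) == normalized_hash(lower)}"
              f"  ({idna2003_local_part(upper)})")
    # "a" is not the normalized form of "ä": the two addresses stay distinct
    print(idna2003_local_part("jürgen.schäpker") != idna2003_local_part("jurgen.schapker"))
```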
