AW: Web Key Directory handling of IDN
Juergen.Schaepker at giepa.de
Mon Nov 7 13:58:39 CET 2016
>I don't think the standard is ambiguous about this: it says that you map
>uppercase ASCII to lowercase and leave the rest unharmed.
The current draft WKD will only be able to find non-ASCII address hashes by pure chance. MUAs can look for the hashes of Öyvind at something.net and öyvind at something.net and only for one WKD will return a result.
>Now suppose WKD would match more than the mail server would. I think
>this is a real problem. Suppose you have <jürgen.schäpker at example.org>.
>The mail server at example.org doesn't do any more than lowercasing
>ASCII uppercase. This means I can still register
><jurgen.schapker at example.org>, and use that address. Now I create an
>OpenPGP key with both e-mail addresses as UID's, and register it through
>example.org's Web Key Directory. If a search for the local part
>jürgen.schäpker would search for jurgen.schapker instead, people would
>end up downloading my OpenPGP key, not yours, and would then use it
>since it holds the correct UID.
"a" is not the normalized form of "ä". To get a clearer picture of an IDNA2003 conversion try http://www.dotarai.com/idna/
Jürgen and jürgen convert to xn--jrgen-kva
ÜÖÄß and üöäß convert to xn--ss-uia5e3a
Ümit.Eminoğlu and ümit.eminoğlu convert to xn--mit-goa.xn--eminolu-rbb
Öyvind.Fahlström@Ücker-Häßler.de and öyvind.fahlström@ücker-häßler.de convert to xn--yvind-iua.xn--fahlstrm-t4a at xn--cker-hssler-q8a91a.de
Øyvind.Brække@Ücker-Häßler.de and øyvind.brække@ücker-häßler.de convert to xn--yvind-uua.xn--brkke-tra at xn--cker-hssler-q8a91a.de
The point is having a normalized string on both client and server.
Of course IDNA2003 is not perfect (e.g. for ß) but just ignoring non-ASCII upper/lower case is not an option.
>> wkd.unrelated.com. At least from one of those domains redirection is
>> done by a request-modifying reverse proxy, e.g. a.net requests reach
>> the WKD with HOST reverse.nota.com.
>If you're redirecting anyway, you can easily solve this.
No. Not if you don't control the redirecting server. We should not assume that the person attempting to introduce/install WKD has control over all servers involved, specifically not in international companies with all kinds of political bullshit involved. You simply cannot rely on the request host being unmodified and you cannot rely on finding a single god admin for all domains that should be served by a single WKD.
If there is no valid technical reason for a requirement that will limit a standard's applicability, it should not be in the standard.
More information about the Gnupg-devel