Can I create domain keys?

Henry Hertz Hobbit hhhobbit at securemecca.net
Thu Aug 15 04:46:20 CEST 2013


On 08/14/2013 10:56 PM, Foo Bar wrote:
> 
> Hello!
> 
> Thank you for your response. Some comments inline...
> 
> ----- Original Message -----
>> From: MFPA <expires2013 at ymail.com>
>>
>> You can create a key with whatever information you wish to
>> put in the user-id(s), truthful or otherwise.
> 
> I have tried to enter a "wildcard email" when gpg asked me for
> the email address during key generation. I tried "example.com",
> "@example.com" and "*@example.com", but all of them were
> rejected with 'Not a valid email address'. Is there a special
> syntax I should use?

As I pointed out before with my example using monsters.edu,
making a wildcard email for a domain is fraught with abuse
peril to the maximum.  How many users do you need to include
at a given domain?  If somebody asked me to sign such a
key as part of the WOT I wouldn't sign it.  OTOH, if you have
a half dozen or so email addresses at that domain you can add
a UID for each and every one of the email addresses to your
key.  There will be more on those email addresses in a moment.
But I would ask questions why you need so many email addresses
at the same domain for a given key.  Any more than 2-3 email
addresses would be very suspicious.

>> A key identifying itself as connected to the email address
>> "*@example.com" rather than "foo at example.com" may be missed
>> when an email program passes "foo at example.com" to GnuPG as
>> the search string for an encryption key (and when GnuPG passes
>> the string to a keyserver).
> 
> I think the point you just made is the relevant one: Even if I
> would be able to create a key with a "wildcard email"
> associated with it, would the email client plugins, such as
> Enigmail, be able to deal with it? I guess that's a question
> for the Enigmail developers, once I figure out how to generate
> a key with a wildcard email via gpg.

I hope you cannot do it.  If I were writing the code you would
need something that had a valid TLD on the end and valid
alphanumeric characters, with optionally one "-" at a time, for
the hostname.  In front of the @HOSTNAME you should only be able
to have user names that are alphanumeric with whatever other
characters (thinking of other character sets for other languages),
but SOMETHING has to be there for the user at that domain.

I don't think you have thought this through carefully though.
I realize some people stupidly put all of their email accounts
into one folder in Thunderbird.  NOT ME!  Each email account
gets its own separate set of folders and I have Local Folders
which accept no email so I can move email messages from the
account folders into the Local area if I need to save those
messages.  If you have a half dozen POP/IMAP email accounts,
not giving each email account its own set of folders can
complicate things terribly with no end of the confusion in
sight.  Even with just two email accounts things can get
complicated in a hurry.  What do you do if one of the email
accounts is closed down?  I just delete that set of folders.

Now we come to Enigmail.  If you use the separate email accounts
the way I said you should, you can actually have multiple keys
for all of the email addresses.  The reason is that Enigmail in
Thunderbird provides a way to specify it manually for each and
every email account:

http://www.securemecca.com/public/GnuPG/
http://www.securemecca.com/public/GnuPG/EnigMailSettings.jpg

You cannot see it, but I add a UID for every email account
I am going to use with my key and then just let Enigmail find
the appropriate key for the email address.  I could also
do it with a one-key-fits-all approach using default-key in the
gpg.conf file.  But how are you going to say "use only this
key with ALL of my email accounts" in Enigmail if you don't
have specific email folders but dump all of them in one
common folder?

You could also investigate group names to resolve the problems
you will have.  But this is getting so scary with so many email
addresses that I am beginning to believe you will have a goulash
mess in just Thunderbird alone without adding Enigmail to the mix.

A wise man once said: "Make every system as simple as possible
but no simpler."  I may contend his saying that gravity is not
a force at all but just a warping of the time-space curve may
be a little bit too simple.  But saying gravity isn't a force
(if gravity isn't a force why is almost every galaxy a spiral?)
or me saying it may still be a force and the discussions thereof
are simple compared to what you are attempting to do.  In fact
what you are attempting to do is giving me a class A migraine
headache.  Who was the man that made the statement about how
systems should not be too complex?  Albert Einstein.  If you are
smarter than him flail away.

My low IQ is now going to be involved in watching the NOVA program
on a member of the Cephalopod family called the Cuttlefish and
after it a program on the new ALMA telescope system being created
on the Atacama plateau.  If I were really brilliant I would be one
of the technicians on-site keeping these telescopes working
properly.  But I think either the Canary Islands or the Big
Island of Hawaii would be nice places to be.  I have lived most
of my life above 1500 meters so I can handle the altitude.  But
the Atacama in Chile is a really desolate piece of real estate.
I wonder how they handle the dust storms in a place that gets
less than 3 cm of rainfall per year?

HHH
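The two technical points in this thread, that a wildcard UID such as "*@example.com" is never found when a mail client hands GnuPG the recipient's actual address, and that a sane user-ID check would require a non-empty local part plus a hostname with a real TLD, can be made concrete. The following is an added example, not code from the original post or from GnuPG: it is a simplified Python model of GnuPG's documented user-ID search rules (plain string = case-insensitive substring of the whole user ID, "<addr>" = exact address match, "@frag" = substring of the address only), run over a constructed two-key keyring. The address-syntax check follows the rule sketched above in the message and is an illustration, not GnuPG's actual parser; key fingerprints and user IDs are constructed sample data.

```python
"""Model of how a recipient address is matched against OpenPGP user IDs.

Added example (not GnuPG code). Shows why a "*@example.com" UID is
useless to a mail client that searches for "foo@example.com", and what
a plausible address-syntax check in the spirit of the post looks like.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hostname label: letters/digits, at most one "-" at a time, no leading
# or trailing hyphen.  TLD: letters only, at least two characters.
_LABEL = r"[A-Za-z0-9](?:-?[A-Za-z0-9])*"
_ADDRESS_RE = re.compile(
    rf"^(?P<local>[\w.+-]+)@(?P<domain>(?:{_LABEL}\.)+[A-Za-z]{{2,}})$"
)
# OpenPGP user IDs are conventionally "Real Name (Comment) <addr>".
_UID_ADDR_RE = re.compile(r"<([^<>]+)>\s*$")


def is_valid_address(addr: str) -> bool:
    """Non-empty local part (\\w covers non-Latin letters) @ labels + TLD.
    "*@example.com", "@example.com" and "example.com" all fail."""
    return _ADDRESS_RE.match(addr) is not None


def address_of(uid: str) -> Optional[str]:
    """Return the lower-cased <addr> part of a user ID, or None."""
    m = _UID_ADDR_RE.search(uid)
    return m.group(1).lower() if m else None


@dataclass
class Key:
    fingerprint: str            # constructed placeholder, not a real fpr
    uids: List[str] = field(default_factory=list)


def match_uid(uid: str, pattern: str) -> bool:
    """Simplified GnuPG user-ID search rules."""
    if pattern.startswith("<") and pattern.endswith(">"):
        return address_of(uid) == pattern[1:-1].lower()      # exact address
    if pattern.startswith("@"):
        addr = address_of(uid)
        return addr is not None and pattern[1:].lower() in addr  # partial address
    return pattern.lower() in uid.lower()                    # substring of UID


def find_keys(keyring: List[Key], pattern: str) -> List[str]:
    """Fingerprints of keys with at least one UID matching the pattern."""
    return [k.fingerprint for k in keyring
            if any(match_uid(u, pattern) for u in k.uids)]


def lookup_for_recipient(keyring: List[Key], recipient: str) -> List[str]:
    """What a mail client effectively does: ask for the exact recipient
    address.  This is the query a wildcard UID can never satisfy."""
    return find_keys(keyring, f"<{recipient}>")


# Constructed keyring: one key trying to cover a whole domain with a
# wildcard UID, one key with a separate UID per real mailbox (the approach
# recommended in the post; in real life added with
#   gpg --quick-add-uid <fingerprint> "Foo <bar@example.com>").
KEYRING = [
    Key("WILDCARD", ["Example Admin <*@example.com>"]),
    Key("PER-ADDRESS", ["Foo <foo@example.com>", "Foo <bar@example.com>"]),
]

if __name__ == "__main__":
    for addr in ("foo@example.com", "*@example.com", "@example.com",
                 "user@my-host.example.org", "user@a--b.example.org"):
        print(f"{addr:26} valid={is_valid_address(addr)}")
    for q in ("foo@example.com", "<foo@example.com>", "@example.com"):
        print(f"search {q:20} -> {find_keys(KEYRING, q)}")
    print("recipient foo@example.com ->", lookup_for_recipient(KEYRING, "foo@example.com"))
```

Only the explicit partial-address search "@example.com" ever reaches the wildcard key; the exact and substring queries a client issues for a concrete recipient return only the key that carries that address as its own UID. The real GnuPG equivalents of the two queries are `gpg --list-keys foo@example.com` and `gpg --list-keys '<foo@example.com>'`.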
More information about the Gnupg-users mailing list