On Sat, Nov 02, 2002 at 05:18:53PM -0500, Michael Young wrote:
From: "David Shaw" <dshaw(_at_)jabberwocky(_dot_)com>
There is no (simple) mechanism to register new tags. There is a
rationale statement for this at the head of the RFC, under "IESG
Note". Basically, the idea is that there can be subtle interactions
with unrestricted extensions of the standard, so this is a way to
force proposed extensions to go through the WG process to get wider
consideration.
The "subtle interactions" comment appears to be aimed at security
(cryptographic) issues. It makes less sense for clearly user-defined
content like notations. As long as the ownership of any given tag
is clear (by using well-defined name spaces), I don't see a problem.
There can be subtle interactions even with non obviously cryptographic
issues. For example, the PGP comment packet was dropped partially to
avoid the possibility of a rogue implementation leaking information
via that channel. Even the MessageID armor header has a restriction
about how it is used to avoid the same problem. It's quite possible
the barn door is already wide open on using notations to do the same
thing though.
But still, there isn't any problem with adding tags at any time for
any purpose to the user name space. That's what it's there for. Only
tags in the IETF name space needs some review before the tag is
accepted.
But, this was a sidelight to my main question, which was...
There are no notation tags in the IETF space yet. However, a few
What *is* the IETF name space? What does it look like?
Any tag that doesn't have a '@' sign in it is in the IETF name space.
months ago, I pulled together a list of all notations used on keys on
the keyserver net. Perhaps unsurprisingly, nobody used the user name
space. By far the most common notation used (87%) was "COMMENT".
By definition, any tag not in the user name space should be in the
IETF name space. If you say that there are none in this name space
yet, you must know something about the structure of the IETF name
space (to know that the existing tags don't fit). Could you give an
example of a valid name in the IETF space, and/or a reference to a
definition of the IETF space?
2440bis specifies the IETF space as anything without a '@' sign in it,
so "COMMENT" would be a perfectly valid notation tag. Of course, it's
not perfectly valid since that tag was never assigned by the IETF, but
it is a tag that the IETF *could* use. The IETF hasn't assigned any
tags yet, so any tag without a '@' in it is currently an invalid tag.
It certainly doesn't surprise me that there were no tags in the
user name space. It was only a few months ago that I noted that
GnuPG rejected names with "@" in them. (I suspect it was David
who fixed it. Thanks. :-)
You're welcome :)
The problem was that the notation naming scheme in GnuPG was
originally written to follow 2440. The '@' scheme came in one of the
2440bis series.
I should also note that the "user" name space is not particularly
usable by ordinary folks. According to the RFC, the owner of
"name(_at_)foo(_dot_)bar" is the owner of "foo.bar". Many users don't own
domain
names; at best, they "own" an e-mail address or login name at an ISP.
Further, most own only one; even if the ISP delegated its space by
e-mail address (as the RFC loosely suggests), each user would have
only one tag. Calling it a "user" name space (rather than a "DNS"
name space) is misleading.
There is no restriction as to what comes before the '@' (except that
it is UTF-8) so a user can certainly use tags of the form
"loginname+tagname1(_at_)(_dot_)(_dot_)(_dot_)",
"loginname+tagname2(_at_)(_dot_)(_dot_)(_dot_)", etc. It doesn't
have to be a valid email address, though it's nice if it is.
So, it doesn't surprise me that people have used simple, unstructured
tag names, either ignoring conflict or assuming that human
interpretation would be obvious and uncontroversial.
I suspect that very few people even knew there were reserved names at
all, since 2440 doesn't define this, and I doubt anyone using GnuPG
reads 2440bis (or 2440 for that matter) before starting. ;)
I've actually been toying with the idea of disallowing any notation
name that doesn't have a "@" in it for GnuPG (with an override for
experts who presumably know what they are doing).
Lastly, does anyone happen to know whether/how PGP8 supports notations?
Silently ignores them, though it does properly fail signature
verification if the notation is marked critical. That is RFC
compliant behavior.
David
--
David Shaw | dshaw(_at_)jabberwocky(_dot_)com | WWW
http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson