Re: [openpgp] Possible ambiguity in description of regular expressions:

On Sat 2021-01-09 01:08:10 +0100, Ángel wrote:
> Finally, another point to consider would be whether to match only the
> email address portion. Yes, User ID could contain something else, but
> this delegation of partial trust only seem useful when combined with a
> hierarchical structure, such as those to be found on the email address
> part. It seems rare to require a matching on the display name part.
> And allowing that would greatly decrease its security. Basically a
> wildcard not on the left-most side could be bypassed by including the
> required characters on the display name.
This stuff is very rarely used in the wild, and to the extent that it
is, it's used as a hierarchical match on the domain side of an e-mail
address, as found in the user ID (which itself is not typically treated
as a true RFC 2822 name-addr, despite the text in the spec, see
id:87woe7zx7o(_dot_)fsf(_at_)fifthhorseman(_dot_)net and related discussion).

Seems like the right way to address the most common (though still
uncommon) use case is to make a new explicit subpacket that is just
about handling a DNS suffix; to clearly define the interaction between
multiple subpackets; and to deprecate the regex for that particular use
case. (maybe deprecate the regex subpacket in general, as i've not seen
any other legit use, and there are clearly gaps in the spec for it)

That work is not really in-scope given our current charter, but if
someone wants to write something like that down in a more formal way, i
can imagine it being something for the WG to take on after we finish the
cryptographic refresh and consider re-chartering.

              --dkg

signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp