
Re: [openpgp] Scoped trust (signatures)

2018-06-01 02:25:43


On May 28, 2018, at 1:42 AM, Neal H. Walfield <neal(_at_)walfield(_dot_)org> wrote:

On Mon, 28 May 2018 04:06:59 +0200,
Jon Callas wrote:
Moreover, there's a regular expression helpfully defined in Section
8 that is a pretty bog-simple language

Implementing regular expression support might be bog-simple, but I
think it is still orders of magnitude more complicated than just a
list of domains.  And, I think, the general lack of support for this
feature is strong evidence that this is the case.

Thus, it seems to me, that making the complicated theoretically
possible has made the simple practically impossible.  That's
unfortunate.

Do you know of any examples where a list of domains is not sufficient?

As I alluded to in my previous missive, I think that a list of domains is 
harder than you think. My experience in dealing with other domain-based PKI 
leads me right there.

Does “example.com” match “mail.example.com”? Either yes or no is completely 
reasonable. Does “*.example.com” (which obviously matches “mail.example.com”) 
match “example.com”? In this case, I think that the answer is yes, but gentle 
persons can disagree. I’d just roll my eyes if you said no, because yeah, sure, 
there’s no problem in having your list of domains have both “example.com” and 
“*.example.com” to be explicit about it. I see the point.

Matching domains in the general case has all sorts of other weird edge cases 
especially in ccTLDs because many ccTLDs don’t issue anything on the bare 
country code. For example, for many years you couldn’t get “example.uk” but you 
could get “example.co.uk”. In any event, some ccTLDs allow a bare country code 
and some don’t. Do you take this into account in your list of domains? I think 
that an answer that is “whatever you put there is what we do” is a great 
answer, but there are people who will disagree. What about trailing dots on a 
domain? How are they handled?

I believe that a list of domains is harder than you think. Whatever decisions 
you make on the edge conditions of domains are something you yourself can do so 
that when I type in a list of domains, your interpretations will correctly be 
coded into it and that someone else will interpret them in the way you did.

Go look at the definition of regular expressions in RFC 4880. It’s basically 
just a paragraph. With my tongue partially in my cheek, I bet you can’t sort 
out what “list of domains” means in all the edge cases in less text than that 
definition of regular expressions. That is the reason that working group 
consensus went to the trouble of finding a minimal, utterly no-IP definition of 
a regular expression. It’s in a very real sense simpler than just about 
anything else.
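To make the edge cases above concrete, here is an added example (not from this thread, RFC 4880, or any OpenPGP implementation) that pins down one explicit policy for a "list of domains" and writes the same scope in the RFC 4880 Section 8 regex form, following the shape of the `<[^>]+[@.]example\.com>$` example in RFC 4880 5.2.3.14. The policy choices (wildcard covers the bare name, one trailing dot is stripped, case is folded), the helper names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Assumed policy (constructed for this example, not the OpenPGP spec):
#   - names compare case-insensitively after dropping one trailing dot
#   - "example.com" matches only that exact domain
#   - "*.example.com" matches every subdomain and the bare name
def normalize(name: str) -> str:
    """Fold case and strip one trailing dot ('Example.COM.' -> 'example.com')."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name

def matches(pattern: str, name: str) -> bool:
    """Does one list entry cover this domain under the policy above?"""
    pattern, name = normalize(pattern), normalize(name)
    if pattern.startswith("*."):
        base = pattern[2:]
        # endswith("." + base) keeps "notexample.com" outside "*.example.com"
        return name == base or name.endswith("." + base)
    return name == pattern

def scope_allows(domains, email: str) -> bool:
    """True if the address's domain is covered by any entry in the list."""
    if email.count("@") != 1:
        return False
    return any(matches(p, email.rsplit("@", 1)[1]) for p in domains)

def to_rfc4880_regex(pattern: str) -> str:
    """Express the same entry in the RFC 4880 Section 8 regex subset.

    The result is matched against the whole User ID string, e.g.
    'Alice <alice@mail.example.com>', as a trust-signature scope would be.
    Note: trailing dots inside the User ID are NOT normalized here; that is
    one of the decisions a bare "list of domains" leaves unstated.
    """
    pattern = normalize(pattern)
    if pattern.startswith("*."):
        # The [@.] class admits both the bare name and any subdomain, so the
        # wildcard policy is encoded in one character class.
        return "<[^>]+[@.]" + re.escape(pattern[2:]) + ">$"
    return "<[^>]+@" + re.escape(pattern) + ">$"

def regex_allows(domains, user_id: str) -> bool:
    """Same decision, taken by the regex route on a full User ID string."""
    return any(re.search(to_rfc4880_regex(p), user_id, re.IGNORECASE)
               for p in domains)
```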