ietf-openpgp

Re: [openpgp] Web Key Directory I-D -07

2018-11-13 14:36:17
Hi Werner,

Thanks for making these changes! On first read my only comment is about this 
line:

"The key needs to carry a
   User ID packet ([RFC4880]) with that mail address."

I think this statement is a little vague, as one of the reasons for providing 
the unchanged local part was to allow the server to do routing in the same way 
for WKD as it does for incoming mail. As such, things like case, subaddresses 
with +, catch-all, etc. will necessarily sometimes return a key with a UserID 
packet which does not exactly match the local part used to query.

I was wondering what you think about saying something like:

The key MUST carry a
   User ID packet ([RFC4880]) with what the server considers the canonical form 
of the requested mail address.

So if I request from ProtonMail Bart(_dot_)Butler(_at_)protonmail(_dot_)com, I 
would get a key back with bartbutler(_at_)protonmail(_dot_)com, and the clients 
could then prompt on unrecognized types of mismatches if desired because they 
would know that the server is returning the canonical form of the address.

-Bart

Sent from ProtonMail, encrypted email based in Switzerland.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, November 13, 2018 6:02 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> 
wrote:

Hi!

A new revision of the Web Key Directory I-D has been published:

https://www.ietf.org/id/draft-koch-openpgp-webkey-service-07.txt

Changes since -06 are:

-   Specify the advanced method with the openpgpkey sub-domain.

-   Specify the l=LOCAL-PART query parameter.

-   Require the provider to filter the key for publication.

-   Drop the use of DNS SRV records.

See below for the gist of the change. GnuPG master implements the new
advanced method. You may use my address for testing. For now the SRV
method is still used as a fallback by GnuPG.

Note that the domain name is now also part of the file name if the
openpgpkey sub-domain is used. This should make it easier to serve the
directory for several domains from a single server. This sub-domain
approach is similar to Mozilla's mail auto configuration [1].

Shalom-Salam,

   Werner

--8<---------------cut here---------------start------------->8---
There are two variants on how to form the request URI: The advanced
and the direct method. Implementations MUST first try the advanced
method. Only if the required sub-domain does not exist, they SHOULD
fall back to the direct method.

The advanced method requires that a sub-domain with the fixed name
"openpgpkey" is created and queried. It constructs the URI from the
concatenation of these items:

o The scheme "https://",

o the domain-part,

o the string "/.well-known/openpgpkey/",

o the domain-part in lowercase,

o the string "/hu/",

o the above constructed 32 octet string,

o the unchanged local-part as a parameter with name "l" using proper
percent escaping.

An example for such an advanced method URI to lookup the key for
Joe(_dot_)Doe(_at_)Example(_dot_)ORG is:

https://openpgpkey.example.org/.well-known/openpgpkey/
example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

(line has been wrapped for rendering purposes)

The direct method requires no additional DNS entries and constructs
the URI from the concatenation of these items:

o The scheme "https://",

o the domain-part,

o the string "/.well-known/openpgpkey/hu/",

o the above constructed 32 octet string,

o the unchanged local-part as a parameter with name "l" using proper
percent escaping.

Example for a direct method URI:

https://example.org/.well-known/openpgpkey/
hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

(line has been wrapped for rendering purposes)

[...]
The benefit of the advanced method is its greater flexibility in
setting up the Web Key Directory in environments where more than one
mail domain is hosted. DNS SRV resource records, as used in earlier
specifications of this protocol, posed a problem for implementations
which have only limited access to DNS resolvers. The direct method
is kept for backward compatibility and to allow providing a Web Key
Directory even without DNS change requirements.
--8<---------------cut here---------------end--------------->8---

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration

--

Thoughts are free. Exceptions are governed by a federal law.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
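The URI construction quoted from the -07 draft above, and Bart's point about canonical versus requested addresses, as an added worked example. This code is not part of the thread, the draft, or GnuPG. Two things it relies on are not spelled out in the quoted excerpt and are assumptions here: the "above constructed 32 octet string" is taken to be the z-Base-32 encoding of the SHA-1 digest of the lowercased local-part (which is how the published draft defines it, and which reproduces the draft's own example hash), and the "openpgpkey." host prefix is read off the draft's example URI. The canonicalisation rules in canonical_local_part() are a hypothetical provider policy that illustrates Bart's ProtonMail example, not anything the draft specifies.

```python
"""
Added example (not from the thread, the WKD draft, or GnuPG): build the
advanced and direct WKD lookup URIs from a mail address, and classify a
returned User ID address against the one that was requested.

Assumptions (labelled, not in the quoted excerpt):
  * the 32 octet string is z-Base-32(SHA-1(lowercased local-part));
  * the host prefix "openpgpkey." is taken from the draft's example URI;
  * canonical_local_part() is a hypothetical provider policy.
"""
import hashlib
from urllib.parse import quote

# z-Base-32 alphabet (Zooko's), used for the hashed local-part in WKD.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-Base-32, most significant bit first, no padding."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # a 20-byte SHA-1 digest (160 bits) needs none
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The fixed-length 32 octet string: z-Base-32 of SHA-1 of the
    local-part mapped to lowercase (assumption stated in the lead-in)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(addr: str):
    """Split at the last '@'; local-parts may themselves contain '@' only
    when quoted, which is not handled here."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mail address: %r" % addr)
    return local, domain


def wkd_uri(addr: str, advanced: bool = True) -> str:
    """Concatenate the items the quoted draft text lists, for either method."""
    local, domain = split_address(addr)
    # DNS names are case-insensitive; the path component MUST be lowercase.
    domain_lc = domain.lower()
    # The unchanged local-part goes in the "l" parameter, percent-escaped.
    query = "?l=" + quote(local, safe="")
    if advanced:
        return ("https://openpgpkey." + domain_lc + "/.well-known/openpgpkey/"
                + domain_lc + "/hu/" + wkd_hash(local) + query)
    return ("https://" + domain_lc + "/.well-known/openpgpkey/hu/"
            + wkd_hash(local) + query)


def canonical_local_part(local: str) -> str:
    """Hypothetical provider policy illustrating Bart's mail: case-insensitive,
    '+' sub-address dropped, dots ignored. Not part of the draft."""
    base = local.split("+", 1)[0]
    return base.replace(".", "").lower()


def userid_matches_request(requested: str, userid_addr: str) -> str:
    """Client-side classification of the address in the returned User ID:
    'exact', 'canonical' (differs only by a rule the client understands),
    or 'mismatch' (the case where Bart suggests prompting the user)."""
    if requested == userid_addr:
        return "exact"
    rl, rd = split_address(requested)
    ul, ud = split_address(userid_addr)
    if rd.lower() == ud.lower() and canonical_local_part(rl) == canonical_local_part(ul):
        return "canonical"
    return "mismatch"


if __name__ == "__main__":
    # The draft's own example address, advanced and direct method.
    print(wkd_uri("Joe.Doe@Example.ORG"))
    print(wkd_uri("Joe.Doe@Example.ORG", advanced=False))
    # Bart's ProtonMail example: requested vs. canonical form in the User ID.
    print(userid_matches_request("Bart.Butler@protonmail.com",
                                 "bartbutler@protonmail.com"))
```

Running the block prints the two example URIs from the draft (unwrapped) and "canonical" for the ProtonMail pair. The advanced URI embeds the lowercased domain twice, once in the host and once in the path, which is what lets one server hold the directories of several domains. A client that knows the server answers with the canonical form of the address, as Bart proposes, can limit its prompt to the "mismatch" case.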