ietf-openpgp

Re: [openpgp] Possible ambiguity in description of regular expressions: [^][]

2021-01-07 19:43:00
On 2021-01-08 at 01:29 +0100, Ángel wrote:
> It is unlikely that someone would have restricted a trust value based
> on the presence of curly brackets on a User ID (they are legal in
> the local part of email addresses, even unquoted, but it would be
> very rare to find one).

I have done a small review on the keyservers for User IDs containing
curly brackets.
First, I restricted it to User IDs containing email addresses.† Most
curly brackets in User IDs appear in the display-name of the User ID, as
part of a nick or used as brackets (e.g. "{Corporate Key}", "{RSA
Key}"…).

Someone might want to restrict a signature based on the display name,
such as trusting "John Doe" key for signing any key of someone named
"John Doe" (presumably other keys of himself), thus breaking for
names/nicks restricted in such a way that contained "{".

But the real benefit of this feature imho would be for delegating the
trust on a subset of users, based on their email address.

For example, trust on a protonmail "master" openpgp key could (should?)
be qualified for "@protonmail\.(com|ch)>$" to only cover their users.


This greatly reduces the number of User IDs with curly braces. There are
a few people that surrounded the email address with curly braces
instead of angle ones, or added a name/comment with those. Such emails
wouldn't be recognised by mail clients, though.

There are three instances where curlies appear on the domain part, in
order to cover multiple domains:
<{chongo,noll}@{toad,sgi}.com>        
<dz@{pd.dialnet,rd.relcom}.msk.su>
<colinp@{jolt.mpx,nms.otc}.com.au>

And then exactly twelve email addresses with the character '{' in the
local part:

<{R}@semolina.org>³
<{^_^}@hafner.NL.EU.ORG>¹
<{pc}@vlaad.co.uk>²
<{richard}@the-gog.org>⁵
<tao{tones(_at_)ivwnet(_dot_)com>⁶
<{ajh}@andrewhill.com>⁷
<{richard}@demeseo.com>⁴
<c}{s(_at_)moyind(_dot_)dhs(_dot_)org>²
<lunam2{dhwtowers/towers2/lunam2}@dhw.state.id.us>³
<odal14{@gmx.net>⁸
<alise{TW}@computer-netsolutions.com>⁵
<c}{s(_at_)moyind(_dot_)com>²


Of these, only one works.



† This basically lets us ignore "bad" user IDs such as html pages. I
also filtered out from the analysis some garbage-looking user ids.

¹ E-mail accepted
² NXDOMAIN
³ No MX/A record
⁴ No MX record and no SMTP server reachable on A record
⁵ Recipient address rejected: User unknown in virtual mailbox table
⁶ 550 User unknown. (#5.1.1)
⁷ 550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
⁸ 550 Requested action not taken: mailbox unavailable

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
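
The survey and the scoping regular expression described in the message above, as an added example that is not part of the original post. It assumes the last `<...>` group in a User ID is the e-mail address and uses Python's `re` module, whose syntax is not identical to the regular-expression dialect the OpenPGP specification describes; `brace_locations`, `in_scope` and `survey` are hypothetical names, and the User IDs marked as constructed are not from the keyserver data.

```python
import re
from collections import Counter

# Scope quoted in the message: addresses at protonmail.com or protonmail.ch.
# The trailing '>' and '$' pin the match to the end of the User ID.
SCOPE = re.compile(r"@protonmail\.(com|ch)>$")
# Assumption: the last <...> group in a User ID is the e-mail address.
ADDR = re.compile(r"<([^<>]*)>\s*$")

def brace_locations(user_id):
    """Return the parts of a User ID that contain '{' or '}', or None if
    the User ID has no angle-bracket address (excluded from the survey)."""
    m = ADDR.search(user_id)
    if m is None:
        return None
    local, _, domain = m.group(1).rpartition("@")
    parts = {"display-name": user_id[:m.start()],
             "local-part": local, "domain": domain}
    return sorted(n for n, text in parts.items() if "{" in text or "}" in text)

def in_scope(user_id):
    """True if a trust signature limited by SCOPE would cover this User ID."""
    return SCOPE.search(user_id) is not None

def survey(user_ids):
    """Count User IDs by where curly brackets appear."""
    counts = Counter()
    for uid in user_ids:
        where = brace_locations(uid)
        counts["no-address" if where is None else "+".join(where) or "none"] += 1
    return counts

SAMPLE = [
    "<dz@{pd.dialnet,rd.relcom}.msk.su>",     # from the message
    "<{pc}@vlaad.co.uk>",                     # from the message
    "{Corporate Key} <admin@example.org>",    # constructed
    "Alice <alice@protonmail.ch>",            # constructed
    "Mallory <m@protonmail.com.example.org>", # constructed lookalike domain
    "{no address here}",                      # constructed
]

if __name__ == "__main__":
    print(dict(survey(SAMPLE)))
    for uid in SAMPLE:
        print(in_scope(uid), uid)
```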