[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gnupg-devel
Subject:    Re: local part of e-mail addresses (was: TOFU Design)
From:       "Neal H. Walfield" <neal () walfield ! org>
Date:       2015-07-21 11:24:42
Message-ID: 87si8hkb2d.wl-neal () walfield ! org
[Download RAW message or body]

At Mon, 20 Jul 2015 18:50:35 -0700,
Claus Assmann wrote:
> 
> On Mon, Jul 20, 2015, Simon Josefsson wrote:
> > "Neal H. Walfield" <neal@walfield.org> writes:
> 
> > > In conclusion: I think we should just use the regularized email
> > > address
> 
> > I agree.  Remember that the local part is not case sensitive.
> 
> Wrong... the interpretation of the local part is subject to
> the rules of the final destination.
> 
> RFC 2821             Simple Mail Transfer Protocol            April 2001
> ...
> 2.3.10 Mailbox and Address
> ...
>    applications than simple "user names".  Consequently, and due to a
>    long history of problems when intermediate hosts have attempted to
>    optimize transport by modifying them, the local-part MUST be
>    interpreted and assigned semantics only by the host specified in the
>    domain part of the address.
> 
> 
> See also the discussions on the DANE lists about looking up e-mail
> addresses for PGP and S/MIME keys -- there's always a large
> disagreement.

This is a good point.  However, I think in this case, it makes sense
to regularize the local part as well.  Imagine an attacker creates a
key with the email address Neal@walfield.org and my key has
neal@walfield.org.  If you already have a TOFU entry for my key and
then you get an email signed with the bad key, then not regularizing
the email address will result in gpg prompting the user to create a
new TOFU entry.  On the other hand, if we regularize the email
address, then GnuPG will detect a conflict.  Of course, this
introduces a potential for false positives.  However, I think it is
extremely rare that email addresses like neal@walfield.org and
Neal@walfield.org are distinct.  Thus, I think in this case,
regularizing is the right approach.

Thanks!

:) Neal

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic