On Mon, 17 Nov 2014, Viktor Dukhovni wrote:
> However, the conflict between c and d is rather severe. Key lookups will only succeed when the email address query is for the canonical capitalization of the email address. If the email address were something like: [email protected] and the destination domain supported case-insensitive delivery (e.g. via LDAP in which addresses are not case-sensitive), one might publish the same keys for each of: [email protected] [email protected] [email protected] and hope that these combinations cover all the likely variants.
That problem already exists at the SMTP level. There is nothing we can do anymore. Implementations for OPENPGPKEY or SMIMEA will just have to try some variants, or just lowercase it all. The discovery of those records is cheap and the DNS probes can be sent in parallel.
> 2. Revocation, or where does one attach the horse to the motor car?
Use the key that is valid NOW and in DNS. There is nothing else better. I don't see these two as a problem (and the fact that people are implementing OPENPGPKEY is a good sign they believe this too).

For me, the biggest problem in this is for people who don't run their own DNS. It would be good if there was some kind of method for people with just a gmail account to also be able to publish their public keys. I think something along the lines of "DLV like" but requiring proof of ownership of both email address and public key for registration, with a requirement to keep signing something to keep the key in the "DLV like" publication space (DNS or otherwise).

Paul

_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
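The "try some variants, in parallel" approach from Paul's reply, as an added example that is not code from the thread or from any OPENPGPKEY implementation. The owner-name construction (SHA-256 of the local part, truncated to 28 octets, hex, then `._openpgpkey.` and the domain) follows RFC 7929 as published later, which is an assumption relative to the draft under discussion in 2014; the set of case variants tried, the `FAKE_ZONE` standing in for DNS, and the key bytes are all constructed for this example.

```python
"""Probe several case variants of an address for OPENPGPKEY records in parallel.

Added example (not from the endymail thread). Assumes the RFC 7929 owner-name
rule: hex(SHA-256(local-part))[:56] + "._openpgpkey." + domain.
"""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List


def openpgpkey_owner(local_part: str, domain: str) -> str:
    """Owner name for one exact spelling of the local part.

    The local part is hashed byte-for-byte, so "John.Smith" and "john.smith"
    land on different names: that is the case-sensitivity problem in the thread.
    The domain part is case-insensitive in DNS, so it is lowercased.
    """
    digest = hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]
    return f"{digest}._openpgpkey.{domain.lower()}."


def case_variants(local_part: str) -> List[str]:
    """Spellings a client might try (assumption for this example, not a draft rule):
    as typed, all lowercase, and each dot-separated word capitalised."""
    candidates = [
        local_part,
        local_part.lower(),
        ".".join(word.capitalize() for word in local_part.lower().split(".")),
    ]
    unique: List[str] = []
    for v in candidates:          # keep order, drop duplicates
        if v not in unique:
            unique.append(v)
    return unique


def candidate_owners(address: str) -> List[str]:
    """All OPENPGPKEY owner names worth probing for an address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return [openpgpkey_owner(v, domain) for v in case_variants(local)]


def probe_all(address: str,
              lookup: Callable[[str], List[bytes]],
              max_workers: int = 4) -> Dict[str, List[bytes]]:
    """Send one lookup per candidate name concurrently (the probes are cheap and
    independent, so there is no reason to serialise them) and return only the
    names that had records."""
    names = candidate_owners(address)
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(lookup, names))   # map preserves input order
    return {name: rrs for name, rrs in zip(names, results) if rrs}


# Constructed stand-in for DNS: the publisher put the same key under the
# canonical and the lowercase spelling, as suggested in the quoted message,
# but not under every possible mixed-case form.
FAKE_KEY = b"constructed-openpgp-key-bytes"
FAKE_ZONE = {
    openpgpkey_owner("John.Smith", "example.com"): [FAKE_KEY],
    openpgpkey_owner("john.smith", "example.com"): [FAKE_KEY],
}


def fake_lookup(name: str) -> List[bytes]:
    """Offline resolver for the example; a real client would query DNS here."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    hits = probe_all("jOhN.smith@Example.COM", fake_lookup)
    for name, rrs in hits.items():
        print(name, len(rrs), "record(s)")
```

With a real resolver the `lookup` callable would issue a DNSSEC-validated OPENPGPKEY query for each name; the client should treat any mismatch between the key sets returned for different variants as a configuration error on the publisher's side rather than silently merge them.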
