Issue
-----

This is what I had in mind at the beginning, but then I came upon a
stumbling block: User IDs. They are not at all standardized, so it's not
possible to assume they are in the form $B!H(BName (Comment)
<***@example.org>$B!I(B. And, even if assuming this, how could the
implementation validate the $B!H(BName$B!I(B and $B!H(BComment$B!I(B parts, when the Regular
Expression support is replaced by something to validate by domain?

So I think there are two problems here:
1. User IDs are not standardized
2. User IDs contain many unrelated information

I already explained point 1, so I'll now explain point 2. User IDs as
currently used tie in a name and an email (I'll omit the Comment part).
Which are two completely unrelated things: I have a single real-life
name (well -- most people do), a pseudonym, and a lot of e-mail addresses.

When I want to sign someone's User ID, I need to both check their
real-life name (with eg. a state-provided ID) and their e-mail address.
And if someone has put a pseudonym on the User ID, should I sign it?
This tight coupling of name and email address in User IDs is already an
issue for me (in choosing what User ID(s) I should put, choosing whether
to sign a User ID I only know part of$B!D(B), and is now again an issue in
fixing the standard to be both more simple and more usable.


Idea
----

So here is my idea: drop User IDs in v5 keys, and standardize more User
Attributes. In particular, standardize at least a $B!H(Bname$B!I(B, an $B!H(Bemail$B!I(B and
a $B!H(Bpseudonym$B!I(B user attribute. (I'm not sure about the $B!H(Bcomment$B!I(B user
attribute, and would prefer seeing it handled otherwise, see the
$B!H(BPossible extensions$B!I(B section)


Consequences
------------

So what would happen were this done?

First, when picking my User IDs, I wouldn't have to think over whether I
really want to associate such email address with my name or with my
pseudonym.

Then, when signing User Attributes, I could just sign all user
attributes I checked. I could sign $B!H(Bemail$B!I(B User Attributes after
checking I could send and receive mail to the provided email, I could
sign $B!H(Bname$B!I(B attributes after checking a state-provided ID, and I could
sign $B!H(Bpseudonym$B!I(B and $B!H(Bcomment$B!I(B attributes depending on my local signing
policy (which I haven't really determined yet).

Finally, this would make the scoping-by-domain-name proposal possible:
it'd be $B!H(Bcan only sign `email` User Attributes and the part after the
last @ must match this restriction$B!I(B.


Possible extensions
-------------------

So now with this change it would become possible to handle extensions of
the User IDs that have been proposed.

First, the $B!H(B[project] signing key$B!I(B comment, that can be seen eg.
[here](https://sks-keyservers.net/pks/lookup?op=vindex&search=0x8B3F30F9C8C0C2EF).
This could be handled by adding a $B!H(Brole$B!I(B User Attribute, that could be
$B!H(BQubes OS developer$B!I(B here. And thus the organization only needs to
validate the keyholder is a QubesOS developer when signing this, without
having to also validate a name, an email address or whatever else.

Then, the $B!H(BI have this account on this website$B!I(B, that can be seen eg.
[here](https://sks-keyservers.net/pks/lookup?op=vindex&search=0xAC6D00DB7F24B2C2),
and is the point that, as far as I understand, lead to the birth of
keybase.io (which did show some traction). It could be handled by a
$B!H(Baccount-on$B!I(B that would store both a domain name (for the website) and a
username.

Finally, I think it would be good to stay more $B!H(Bopen to extensions$B!I(B than
the current scheme of (mis)using User IDs, by eg. reserving attribute
type 255 for $B!H(Bplaintext key-value user ID$B!I(B, so that implementations that
can't reasonably fit some data in one of these User Attributes could
just use it with raw key/values instead of using one of the 100-110
reserved values, which wouldn't be displayed by implementations not
aware of them.


Remaining issues
----------------

The foremost issue with this change is the one of the UI to display the
user: currently, in Enigmail (the only end-user-oriented UI I know of),
the primary User ID of the key is displayed. With this change, there
would no longer be a primary User ID.

I can currently think of two UIs. The first would check that the name
and the email address of the received mail are valid, and error-out
otherwise. The second one would just pick a name and an email address
from the list of valid ones, and display it.

In my opinion, the first option is *way* better than the second one, and
it's the reason why I didn't propose an extension of the Primary User ID
flag to handle multiple primary User Attributes (would be one name and
one email, for instance).

For instance, a problem with primary User IDs/Attributes is the
following: let's assume I can validate a few UIDs on the key, but not
the primary one. What should I display? I think there is no good answer
to this question apart from $B!H(Bvalidate the one it came as$B!I(B or $B!H(Bshow all
the valid ones$B!I(B, and thus removing the Primary UID may remove some traps
naive implementations may fall in, like displaying a non-validated
primary UID.
Indeed, it looks like I had misinterpreted this, thanks!

No problem. Since I wrote that text, I can provide some color. I think gentle persons can also disagree, so I'm not saying what I think is law, merely that I wrote it, and therefore I think I can give some indication of what the group consensus meant. Group consensus is often vague, wishy-washy, etc.
That's pretty much the intent. The idea is that you should be able to mark a key as being something like a CA.

Two important things to remember about OpenPGP philosophy are: (1) OpenPGP democratizes being a CA. All keys can sign, endorse, etc. and (2) Trust is also democratized in that trust is in the eye of the beholder. Also note that in many cases the beholder might be an organization. That organization might push its policy to its members, and be polite enough to scope that trust only to keys operating in that environment.
I suppose.
Well, I think I disagree. I think that if I am trusting ca-a.com with scope at the root, subordinates cannot widen that scope. Scope is supposed to be narrowed only through subordinates. If that weren't true, then your subordinate that issues trust for example.org could just as easily issue it for ".*" and now all of a sudden the subordinate gets to sign everything, and that's the opposite of what scoping even means.
Yup, it's a little-used feature. So little used that I don't know of anyone using it, either.
I believe that is pretty much the intended use case. The idea is that if I'm a member of an club (or company, etc.), then that club can bring in new members and I don't have to go to the trouble of trusting their keys, it happens for me.

In the naive trust model, I can say, "Whatever Alice signs is okay with me." This is obviously giving Alice a lot of power.

The trust-extension feature says, "Alice can deputize others to sign for her" and also permits those deputies to have deputies to some specified depth. This is obviously extending Alice's power in huge ways. Even with a level of only one, the only limit on Alice's power is that she has to deputize new deputies, but she has unbounded power to deputize.

The scoping feature is there so you can say, "Whatever Alice signs about our club is okay with me." It limits Alice's power. This is a reasonable and arguably important thing, especially if you're going to let Alice deputize people who can deputize people. It's so that the second assistant to the deputy undersecretary of the membership committee can't just go sign anything and I'll believe it.
Sure! If there's anything OpenPGP needs it's more ease of use and work reduction.
I am not sure what you're really proposing, though. I think you might be proposing the very thing I described, but I'm not sure.


If that's not what I described, then do me a favor and describe the problem you want solved.

Jon

[...[\]
I believe you can do this.

A regexp that is "domain_1|domain_2" does this just fine.
My response is that that was not what the working group consensus was.

The working group consensus was that we didn't want to debate specifics, but regular expressions are sufficiently powerful to meet any reasonable (and probably lots of unreasonable) scoping.

I understand what you're saying, but I gotta reply, "So what?" I think I'm going to end up in a small rant in the following. I apologize in advance for any offense I might give in this small rant.

Let me shift the discussion to something slightly related. I have email accounts on a number of servers, and several of them allow me to do server-side filtering of my email. They provide a handy web page that lets me set up my own filtering rules. At the bottom of everything, all of these sites do filtering with Sieve. Sieve, like OpenPGP is an IETF standard, it is RFC 5228 and a lot more.

Each of the email servers I use has a slightly different web-GUI framework for specifying a rule. One of them, for example, is structured so that I have to enter "To" and "CC" on separate lines. Another one lets me specify "To" or "Any Recipient" (which means either To or CC). On another, I have to actually use the generic filter on some line and type in the CC if I want to filter on CC. In the actions phase of this, one of them automatically terminates after matching one other rule, while another one makes me put in an action line to stop processing following rules. But at the end of the day, they're all Sieve scripts.

(Oh, and one of them lets me upload my own Sieve script, but If I do that, I can no longer use the web GUI. Well, I can, but the GUI will likely overwrite all or part of the rules in ways that might totally break everything.)

There is *nothing* in OpenPGP that says you have to expose the full details of regular expressions to the user. Just like with Sieve, there's a full grammar that has expressive power that doesn't need to be used, and probably shouldn't be.

I agree completely that most users don't understand regexes. I agree that they shouldn't be subjected to them, and that the vast majority of what anyone needs is pretty much what you said — a list of domains. And yes, sensible software that does something nice for the user is not going to be able to ingest in an arbitrary regular expression and display it simply. Just like these server filtering web pages don't expose all the power of Sieve, a sensible program that lets people construct trust scope doesn't have to be just a text box that someone types a regexp into.

A protocol standard like OpenPGP specifies a grammar for messages. It's a way to encode a message so that other people can understand it as well as a way to interpret a message that someone else hands you.

In English, you can go up a staircase. You can also mount the staircase, ascend it, climb it, mount it, and even more. Grammar and vocabulary do not require you to put all the synonyms on the sign by the stairs. Up and Down are wonderful things to put on the sign. Ascend and Descend are a bit pretentious and non-native speakers might have trouble with them; thus they're compliant but have UX issues. The symbol ⬆ (that's the "Up Arrow" emoji in case it doesn't display properly) is not strictly standards-compliant, but if you're a fan of the Postel meta-rule, knock yourself out.

Protocol standards are not specifications for software implementations nor are they requirements documents. GnuPG is a wonderful piece of software that tries very hard to be a reference implementation that implements every single feature. It is not a requirement that every implementation implement every feature. That's why we have the RFC 2119 keywords. You gotta do the MUSTs. It would be nice to do the SHOULDs. You don't have to do the MAYs.

If you look at Section 5.2.3.1 of RFC 4880, it is perhaps more convoluted than it could be, but whatever. The gist of it is that since it says that an implementation SHOULD implement the preference subpackets as well as the Reason for Revocation, which at least implies that the others are all MAYs. It further says that you SHOULD ignore anything you don't "recognize" (which I interpret to be a synonym for "implement") and that if the critical bit it set, you SHOULD sit in the corner and sulk about anything you don't recognize.

Moreover, there's a regular expression helpfully defined in Section 8 that is a pretty bog-simple language, but like any regular expression matcher, you can create patterns that will drive weak people to strong drink. Nowhere are you *required* to let your user do things legal but silly. The reason it's there is to *permit* people to do complex things, not to expose the complexity to every user. It doesn't break the standard to implement a list of domains. It doesn't break the standard to let someone type in "*.example.com" for their scoping as opposed to ".*\.example\.com".

I believe that part of the reason so many people rail about the horrors of OpenPGP is that lots of us have the idea that OpenPGP is a software specification for GnuPG. That GnuPG is such a good piece of software is ironically part of the problem. It's as if every web browser revolved around the "curl" command.

I agree with you completely about scoping up until you want to change the standard. The scoping is the way it is so that simple things are easy and complex things are possible. If we make it so that only simple things are possible it doesn't help anyone. (And as I said before, working group consensus was such that the bog-simple regular expressions were the way to go.

Okay, thanks for reading this far.

Jon

And needing to parse hard to parse fields is a well known
security problem because the resulting bugs are often exploitable.

Cheers - Bill

--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray