Proposal
Only display OpenPGP Key User IDs and associated claims where the email address matches the WKD domain name queried.
Discussion
Depending on the context, User ID should be assumed to be synonymous with User ID email address.
Note this issue is similar to keyoxide/keyoxide-web#81, but differs in its motivation and the scope of User IDs returned.
The suggested design/policy change is to display only User IDs with emails matching the WKD domain name queried. It filters out User IDs that don't match the queried domain. Keyoxide currently displays all User IDs under a OpenPGP Key independent of whether they match the domain or not.
This change is motivated by a desire to limit the User IDs displayed to the end user to those most likely to have been vetted. The assumption is that the WKD will have vetted, in one form or another, the User IDs under their own jurisdiction. And that the WKD is less likely to have vetted email addresses outside their domain. It is expected that this will curb the opporunity for email squatting type attacks and impersonation. As way of example, such attacks includes those that rely on similar spelling of the domain name or the local part of the email address, using say for instance a homoglyph or letter transposition.
This policy change is consistent and inline with recommmended practices set forth in Internet Draft OpenPGP Web Key Directory, Section Security Considerations.
It should be noted that this deviates from the tradition of returning all User IDs of an OpenPGP key. Additionally it is rare to find other clients that uphold the same level of standard. Neither Thunderbird nor Claw Mail, which directly consume and utilize the User ID email addresses, are known to be this rigorous. Neither are WKD checkers known for checking the User IDs returned to ensure that they are consistent with this policy. Keyoxide might in fact be the first client to lead the way in this regard if it were to make this policy change.
Further it interfers with the effectiveness for those that wish to serve their own complete key via their own WKDs. They can no longer count on their entire User ID set being made visible to the end user. Nor does it fully eliminate the squatting and impersonation attacks earlier mentioned. Keyoxide is not currently in the business of providing validity claims on the User IDs themselves, nor would this by itself allow them to do so.
Reference
Further discussion can be found @ #keyoxide:matrix.org.
Related
keyoxide/keyoxide-web#249
keyoxide/keyoxide-web#81
keyoxide/keyoxide-web#81#issuecomment-187173
keyoxide/keyoxide-web#81#issuecomment-5936170
https://gitlab.com/keys.openpgp.org/hagrid/-/issues/180
### Proposal
Only display OpenPGP Key User IDs and associated claims where the email address matches the WKD domain name queried.
### Discussion
Depending on the context, User ID should be assumed to be synonymous with User ID email address.
Note this issue is similar to keyoxide/keyoxide-web#81, but differs in its motivation and the scope of User IDs returned.
The suggested design/policy change is to display only User IDs with emails matching the WKD domain name queried. It filters out User IDs that don't match the queried domain. Keyoxide currently displays all User IDs under a OpenPGP Key independent of whether they match the domain or not.
This change is motivated by a desire to limit the User IDs displayed to the end user to those most likely to have been vetted. The assumption is that the WKD will have vetted, in one form or another, the User IDs under their own jurisdiction. And that the WKD is less likely to have vetted email addresses outside their domain. It is expected that this will curb the opporunity for email squatting type attacks and impersonation. As way of example, such attacks includes those that rely on similar spelling of the domain name or the local part of the email address, using say for instance a homoglyph or letter transposition.
This policy change is consistent and inline with recommmended practices set forth in [Internet Draft OpenPGP Web Key Directory, Section Security Considerations](https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service#name-security-considerations).
It should be noted that this deviates from the tradition of returning all User IDs of an OpenPGP key. Additionally it is rare to find other clients that uphold the same level of standard. Neither Thunderbird nor Claw Mail, which directly consume and utilize the User ID email addresses, are known to be this rigorous. Neither are WKD checkers known for checking the User IDs returned to ensure that they are consistent with this policy. Keyoxide might in fact be the first client to lead the way in this regard if it were to make this policy change.
Further it interfers with the effectiveness for those that wish to serve their own complete key via their own WKDs. They can no longer count on their entire User ID set being made visible to the end user. Nor does it fully eliminate the squatting and impersonation attacks earlier mentioned. Keyoxide is not currently in the business of providing validity claims on the User IDs themselves, nor would this by itself allow them to do so.
### Reference
Further discussion can be found @ [#keyoxide:matrix.org](https://matrix.to/#/!dEfJkFpQpwvbzcegRX:matrix.org/$vSOh3eNUPbzu3AATvfgusdZ40AYQT8P_eJkUe5GzWMc?via=matrix.org&via=mackenba.ch&via=tchncs.de).
### Related
keyoxide/keyoxide-web#249
keyoxide/keyoxide-web#81
[keyoxide/keyoxide-web#81#issuecomment-187173](https://codeberg.org/keyoxide/keyoxide-web/issues/81#issuecomment-187173)
[keyoxide/keyoxide-web#81#issuecomment-5936170](https://codeberg.org/keyoxide/keyoxide-web/issues/81#issuecomment-5936170)
https://gitlab.com/keys.openpgp.org/hagrid/-/issues/180