6.0.0-alpha12
6/12/25

[#14321] PGP Key-IDs should be compared in a case-insensitive way
Summary: PGP Key-IDs should be compared in a case-insensitive way
Queue: Horde Framework Packages
Type: Bug
State: Not A Bug
Priority: 1. Low
Owners:
Requester: mike.gabriel (at) das-netzwerkteam (dot) de
Created: 04/06/2016 (3354 days ago)
Due:
Updated: 04/08/2016 (3352 days ago)
Assigned:
Resolved: 04/08/2016 (3352 days ago)
Github Issue Link:
Github Pull Request:
Milestone:
Patch: Yes

History
04/08/2016 11:24:40 AM mike (dot) gabriel (at) das-netzwerkteam (dot) de Comment #3
Hi Jan,
> Even though those two email addresses may be the same on your
> system, they are different addresses by definition. While the domain
> part of an email address is case insensitive, the user part is not.
> It would be more correct to use Horde_Mail_Rfc822_Address::match()
> to verify

RFC 2822, I presume...

> the address, but that wouldn't solve your problem.

This is a valid point; however, most keyserver implementations neither
see nor handle it that way.

You may want to search for your own public PGP key (or mine) with 
different variations of email address spelling (regarding 
upper-lower-case combinations) and you will always retrieve the same 
key information:
http://sks.pkqs.net/

Similar with the gpg command line client.

Please also note that in GPG/PGP a "User ID" can be any UTF-8 
string representation [1], but should mostly be the user's full name 
and email address (plus optionally a comment).

So after 30 min of searching the net, reading some RFCs and the GnuPG 
handbook, I cannot find any hint of case-(in)sensitivity regarding GPG's 
User ID packet.

The only thing I can provide is best-practice experience, and this ends up as: 
mail addresses in User ID packets should be considered case 
insensitive.

Thanks+Greets,
Mike

[1] https://tools.ietf.org/html/rfc4880#section-5.11

04/08/2016 10:51:17 AM Jan Schneider Comment #2
State ⇒ Not A Bug
Even though those two email addresses may be the same on your system, 
they are different addresses by definition. While the domain part of 
an email address is case insensitive, the user part is not. It would 
be more correct to use Horde_Mail_Rfc822_Address::match() to verify 
the address, but that wouldn't solve your problem.
04/06/2016 10:15:40 PM mike (dot) gabriel (at) das-netzwerkteam (dot) de Comment #1
Priority ⇒ 1. Low
New Attachment: pgp-case-insensitive.patch
Patch ⇒ Yes
Milestone ⇒
Queue ⇒ Horde Framework Packages
Summary ⇒ PGP Key-IDs should be compared in a case-insensitive way
Type ⇒ Bug
State ⇒ Unconfirmed
When encrypting a message with PGP and obtaining the Key-ID / public 
key from a key server, the key server returns a Key-ID in some 
lower-upper case spelling, whereas a mail address can also be written 
in a different lower-upper case spelling.

E.g. on Keyservers: mike.gabriel@das-netzwerkteam.de

But you can also e-mail me under Mike.Gabriel@das-netzwerkteam.de

Horde's Pgp/Keyserver.php code does not honour this case-insensitive 
nature of mail addresses and Key-IDs.

Patch attached to fix this.
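
The two matching policies argued in this ticket, side by side, as an added example that is not part of the ticket, the attached patch or Horde's code: strict matching (local part case-sensitive, domain case-insensitive) versus comparing the whole address case-insensitively. All function names and the sample User IDs are constructed for illustration, and `strcasecmp()` is assumed to be enough because the sample addresses are ASCII.

```php
<?php
// Added illustration, not Horde's Pgp/Keyserver.php. All function names are hypothetical.

/** Pull the address out of a User ID such as "Name (comment) <addr>". */
function uidAddress(string $uid): ?string
{
    // A User ID may be any UTF-8 string (RFC 4880, section 5.11), so it may hold no address.
    if (preg_match('/<([^<>@\s]+@[^<>@\s]+)>\s*$/', $uid, $m)) {
        return $m[1];
    }
    $uid = trim($uid);
    return preg_match('/^[^<>@\s]+@[^<>@\s]+$/', $uid) ? $uid : null;
}

/** Strict policy: local part byte for byte, domain case-insensitively. */
function matchStrict(string $a, string $b): bool
{
    $ia = strrpos($a, '@');
    $ib = strrpos($b, '@');
    if ($ia === false || $ib === false) {
        return false;
    }
    return substr($a, 0, $ia) === substr($b, 0, $ib)
        && strcasecmp(substr($a, $ia + 1), substr($b, $ib + 1)) === 0;
}

/** Folded policy: whole address case-insensitively (ASCII letters only). */
function matchFolded(string $a, string $b): bool
{
    return strcasecmp($a, $b) === 0;
}

/** Return the User IDs whose address matches $recipient under $match. */
function selectUids(array $uids, string $recipient, callable $match): array
{
    return array_values(array_filter($uids, function (string $uid) use ($recipient, $match): bool {
        $addr = uidAddress($uid);
        return $addr !== null && $match($addr, $recipient);
    }));
}

// Constructed sample User IDs, shaped like the results of a keyserver lookup.
$uids = [
    'Alice Example (work) <alice.example@example.org>',
    'Alice Example <Alice.Example@EXAMPLE.ORG>',
    'build key without an address',
];
foreach (['matchStrict', 'matchFolded'] as $policy) {
    printf("%s: %s\n", $policy, implode(' | ', selectUids($uids, 'Alice.Example@example.org', $policy)));
}
```

Under the strict policy only the User ID whose local part has the same spelling is selected; under the folded policy both address-bearing User IDs are, so which key ends up used for encryption depends on the policy chosen.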
