Re: Issue 44 in direct-certificate-discovery-tool: Direct address shouldn't be case-sensitive

[direct-certifica...@googlecode.com]

Comment #1 on issue 44 by michal.k...@esacinc.com: Direct address shouldn't
be case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

This seems to be a known issue with Apache James v3.0 beta:
https://issues.apache.org/jira/browse/JAMES-1369

A developer posted in the issue that a change to the default
case-sensitivity has been pushed and will be in the next release. If you
are using Apache James v2.*, I think just adding
<ignoreCase>true</ignoreCase> inside the <userrepository/> element might
fix things (just a guess).

[direct-certifica...@googlecode.com]

Updates:
Owner: Sandeep....@nitorgroup.com

Comment #2 on issue 44 by edward.o...@nitorgroup.com: Direct address

shouldn't be case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

(No comment was entered for this change.)

[direct-certifica...@googlecode.com]

Updates:
Owner: edward.o...@nitorgroup.com
Labels: -Type-Defect Type-Other

Comment #3 on issue 44 by edward.o...@nitorgroup.com: Direct address

shouldn't be case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

Upon looking further -- we believe this is not a defect. According to RFC
2821 -- the non-domain portion (the part before the @ sign) actually IS
case-sensitive. See below:

"The local-part of a mailbox MUST BE treated as case sensitive. Therefore,
SMTP implementations MUST take care to preserve the case of mailbox
local-parts. Mailbox domains are not case sensitive. In particular, for
some hosts the user "smith" is different from the user "Smith". However,
exploiting the case sensitivity of mailbox local-parts impedes
interoperability and is discouraged."

In the real-world -- mail servers typically work where they follow a few
best practices:

1) All emails normally are created with all lower case (avoids this issue
entirely).

2) If someone sends you an email with a mixed case name like "JohnDoe" you
MUST preserve it (and keep it separate from "johndoe".

3) Treat inbound mail to someone on your server as case-insensitive unless
you have to (e.g. unless your mail server has two users that only differ by
case, then ignore case when receiving messages).

So unless the Direct spec altered the underlying rules in the email RFC --
I think this isn't a bug according to spec (which we follow as our primary
guide as this is primarily a spec conformance tool).

If the original submitter is out there, fire me an email
(edward....@nitorgroup.com) -- I'd like to get your two cents. But my
view is that the issue isn't a significant impediment (just send mail from
the exact same address you registered) nor are we counter to the letter of
the spec. But I also admit -- I never actually knew this (I thought the
whole email addie was meant to be case-insensitive -- but it is just the
domain portion by rule).

- Edward

[direct-certifica...@googlecode.com]

Updates:
Status: Started

Comment #4 on issue 44 by edward.o...@nitorgroup.com: Direct address

shouldn't be case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

[direct-certifica...@googlecode.com]

Comment #5 on issue 44 by dca...@meditech.com: Direct address shouldn't be
case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

Hi Edward,
Until I started this project, I had no idea email addresses had
case-sensitive parts. IMO this was poor design....

While you are correct that rfc822 email addresses are case-SENSITIVE for
the local-part, the submitter is correct that **DIRECT** email addresses
are and MUST BE case-INSENSITIVE. This is because:
A. The emailAddress (http://tools.ietf.org/html/rfc5280#section-4.1.2.6)
legacy attribute is case-insensitive. The subjectAltName is case-sensitive,
however.
B. DNS CERT records are stored in a case-insensitive manner.
C. ldap queries are case-insensitive (I think, at least by default).

Those are my thoughts... I'm interested in hearing your response. Thanks.

[direct-certifica...@googlecode.com]

Comment #6 on issue 44 by edward.o...@nitorgroup.com: Direct address

shouldn't be case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

(This is just my advice as a community member, not authoritative in any
way. I believe key Direct contributors and ONC are looking at this (all
items that fall out of MU2 tool feedback get looked at hard) and may have
official guidance that differs.)

A few points on this one:

I'm currently viewing this as interesting spec discussion as it applies to
this test tool -- not something that a user needs changed in this
particular tool. Here's why:

1) It isn't a blocker. Note the underlying functionality in the tool we're
talking about is just where the tool asks for the sender's direct addie and
non-direct addie so it can know who is sending it messages (and where to
send test results). Case-sensitivity of the address isn't something we're
testing -- it is just something that came up due to the communication
portion of the tool. In other words, a user can successfully utilize the
test tool by simply entering their email address correctly in our interface
(correctly = matching case).

2) Our test tool utilizes a version of the Direct Java RI to receive emails
-- so if the RI decides this is a bug, our tool will eventually migrate to
the new RI and the issue will go away (though I'm not convinced it is a bug
-- it makes sense to follow the Direct reference's lead). I need to check
into this and make sure it's true -- but I assume we're inheriting this
behavior from our underlying email server, as opposed to our interface
code. <-- To-do item.

-------
So the important aspect of what we're talking about isn't an issue in this
tool, it is basically a specification discussion coincidentally generated
by using the tool. In terms of the spec discussion -- that really isn't my
area -- would recommend you have a transparent one with the Direct
community overall (though I know there is a giant email thread going around
about it already - it isn't totally open yet).

Here's why I recommend that:

a) This has uncovered some murky spec. An underlying spec (2821) quotes
very clearly that the subject portion MUST be case sensitive. Specs
referencing 2821 don't clearly constrain it (though as you pointed out,
some areas like 5280 might implicitly constrain it).

b) So my advice -- don't dance around constraining it by making an implicit
constraint argument (that's how I read the latest response) -- just
explicitly constrain the spec (in the Direct spec). Implicit spec
constraints are confusing spec constraints that end up only being
understood by the people that happened to be in the thick of threads like
these. If you see a need for a constraint to 2821 -- just make an explicit
one (make the spec SPECIFIC). Make things clear and easy for implementers
-- especially implementers who get the idea to use an existing email server
in their enterprise which might REALLY care about case-sensitivity. Even if
your implicit argument grows (e.g. if you find spec references to
support "B" and "C"
in your case) - then I recommend putting that explanation into the Direct
spec (don't make people figure out something like this -- peel the onion
for them and expose the conclusion openly/clearly).

Note I see both arguments for and arguments against constraining this. 2821
left in that caveat for case-insensitivity to support legacy email server
interoperability -- they did this for a good reason. Due to how Direct
merges email/certs, I think a constrain might make sense, but it also might
hose anyone using an email server who respects that legacy constraint.

[direct-certifica...@googlecode.com]

Comment #7 on issue 44 by dca...@meditech.com: Direct address shouldn't be
case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

Thanks for the responses, I think I have the information I need now. I'm
glad to know this is being looked at further by the DIRECT community, and
will be interested to see how it turns out.

[direct-certifica...@googlecode.com]

Updates:
Status: WontFix

Comment #8 on issue 44 by edward.o...@nitorgroup.com: Direct address

shouldn't be case-sensitive
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=44

Identified as a spec question and directed to ONC for processing. Issue
being closed for now as a wontFix.