
domain-specific trust constraints

Several implementers have expressed concerns that the regex subpacket is very complex to generate, and an interoperability mess to consume.

The only use case I've seen has been attempts to designate a trust signature as being limited to "a domain" (e.g. in the gpg --tsign prompt) -- presumably meaning just e-mail addresses with the @example.com domain.

Perhaps it would make more sense to have a new subpacket that specifically addresses this e-mail "domain" case, and ignores the complexities associated with regex. Some care needs to be taken, when specifying this, to think about subdomains as well. Clear examples would also be useful.

Presumably such a subpacket would need to be marked as critical when combined with a trust signature of depth more than zero, since such a trust signature would otherwise be unconstrained.

Any attempt to specify this should explicitly specify the semantics of what it means to have multiple such subpackets present in a tsig, and of whether the subpacket is allowed outside the context of a tsig with depth more than zero.
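To make the three open questions above concrete (subdomain handling, the criticality requirement when depth is greater than zero, and the meaning of several constraints in one tsig), here is an added example that models one possible set of semantics in Python. It is not part of this issue, of any OpenPGP draft, or of any implementation; the `DomainConstraint` and `TrustSignature` types, the subdomain flag, and the "match any constraint" rule are all assumptions made for illustration, and the user IDs it checks are constructed.

```python
"""Hypothetical model of an e-mail "domain" constraint on OpenPGP trust
signatures.  Added example; none of these names come from a draft."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the address is the angle-bracketed part of a User ID such as
# 'Alice <alice@example.com>', or the whole UID if it is a bare address.
_UID_ADDR = re.compile(r"<([^<>]+)>\s*$")


def email_from_uid(uid: str) -> Optional[str]:
    """Return the e-mail address in a UID, or None if there is not exactly one."""
    m = _UID_ADDR.search(uid)
    addr = m.group(1) if m else uid.strip()
    return addr if addr.count("@") == 1 else None


@dataclass(frozen=True)
class DomainConstraint:
    """Hypothetical subpacket payload: a domain plus an explicit subdomain flag."""
    domain: str
    include_subdomains: bool = False

    def matches(self, uid: str) -> bool:
        addr = email_from_uid(uid)
        if addr is None:
            return False
        # Compare only the host part, case-insensitively, ignoring a trailing dot.
        host = addr.rsplit("@", 1)[1].lower().rstrip(".")
        dom = self.domain.lower().rstrip(".")
        if host == dom:
            return True
        # Subdomains are matched on a label boundary, so 'notexample.com'
        # never matches a constraint for 'example.com'.
        return self.include_subdomains and host.endswith("." + dom)


@dataclass(frozen=True)
class TrustSignature:
    """The parts of a tsig this example needs: depth, constraints, critical bit."""
    depth: int
    constraints: Tuple[DomainConstraint, ...] = ()
    constraints_critical: bool = True


def certifies_uid(tsig: TrustSignature, uid: str) -> bool:
    """Does this tsig delegate certification authority over `uid`?

    Semantics chosen for this example (the issue asks that they be specified):
      * depth 0: no delegation at all, so the answer is False regardless
      * depth > 0 with a non-critical constraint: reject the signature rather
        than silently treating it as unconstrained
      * several constraints: the UID must match ANY of them (union)
      * depth > 0 and no constraint: unconstrained delegation
    """
    if tsig.depth <= 0:
        return False
    if tsig.constraints and not tsig.constraints_critical:
        raise ValueError("domain constraint on a delegating tsig must be critical")
    if not tsig.constraints:
        return True
    return any(c.matches(uid) for c in tsig.constraints)


if __name__ == "__main__":
    # Constructed sample UIDs exercising the subdomain edge cases.
    tsig = TrustSignature(1, (DomainConstraint("example.com", include_subdomains=True),))
    for uid in ("Alice <alice@example.com>", "Bob <bob@mail.example.com>",
                "Eve <eve@notexample.com>", "Mallory <example.com@evil.invalid>"):
        print(f"{uid!r:40} -> {certifies_uid(tsig, uid)}")
```

The `include_subdomains` flag is the part worth arguing about in a real specification: a constraint that silently covers subdomains is easy to misread, while one that never does makes the common "corporate domain with departmental mail hosts" case awkward. Either way, the example shows that the host comparison has to be done on a label boundary, not as a plain suffix match.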

I don't believe this is currently (2021) in-charter for the WG, but might be worth considering after we complete the crypto refresh.

Edited by Daniel Kahn Gillmor