]> PGPKeys.EU

andrewg@andrewg.com

int openpgp Internet-Draft This document updates the specification of User Attribute Packets and Subpackets in OpenPGP. The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the OpenPGP Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction User Attributes are a much-maligned and often-abused feature of OpenPGP. Currently their only specified use is to contain images, however it is known that some implementations use the Private and Experimental User Attribute Subpacket range for various internal purposes. In this document, we simplify the specification of User Attribute packets and subpackets, and use them to implement currently-missing functionality in OpenPGP.

Conventions and Definitions The term "OpenPGP Certificate" is used in this document interchangeably with "OpenPGP Transferable Public Key", as defined in . The term "Component key" is used in this document to mean either a primary key or subkey. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

User Attribute Subpackets User Attribute Packets are simple containers for one or more User Attribute Subpackets. These subpackets are wire-format compatible with Signature Subpackets, but the only currently defined type is the Image Attribute Subpacket type.

Image Attribute Subpacket The Image Attribute Subpacket (Type 1) has some unusual features, and is over-specified: The image header has a little-endian length field, uniquely for OpenPGP. It has a version octet that represents an entire registry but with only one version specified. It has an encoding format octet that represents an entire registry with only one value specified. The v1 image header has a further 12 octets of unused fields. The Image Attribute Subpacket has been abused to store large amounts of data on the OpenPGP keyservers, and as a result most modern keyservers refuse to handle any User Attribute packets. Further, we wish to minimise the quantity of human-readable information in the OpenPGP wire format. Images and other data without meaning at the OpenPGP layer SHOULD instead be stored at the application layer, for example in a vCard . The use of Image Attribute subpackets is therefore deprecated: Code point 1 in the User Attribute Subpacket Registry should be updated to "Image Attribute Subpacket (deprecated)". No further Image Attribute versions or encoding formats will be supported; the values of both these fields are hereby fixed at 1. The OpenPGP Image Attribute Versions and OpenPGP Image Attribute Encoding Formats registries should be deleted. A User Attribute packet SHOULD NOT contain more than one Image Attribute subpacket.

Embedded Signature Attribute Subpacket The Embedded Signature attribute subpacket (Type 2) is analogous to the Embedded Signature signature subpacket (). It contains a single, complete Signature packet body. A User Attribute Packet MAY contain one or more Embedded Signature attribute subpackets. These can be used to distribute signatures that cannot otherwise be included in the certificate packet grammar. Placing embedded signatures in User Attribute subpackets rather than signature subpackets avoids several issues arising from signature cumulation rules. For example, if an embedded signature is included in the hashed or unhashed subpackets area of another signature, it must be duplicated into all future signatures over the same subject. Otherwise, a receiving implementation that ignores or discards older signature packets might ignore or discard the embedded signature. Unless otherwise specified, all signatures embedded in User Attribute packets MUST be made by a component key of the current certificate. We update the following signature types to be "embeddable" (see ), and specify their use in User Attributes:

Certification Revocation Signature An Embedded Signature attribute subpacket MAY contain a Certification Revocation signature (Type 0x30):

Certification Revocation Signature Over a Third-Party Certificate The key holder might not trust that a third party will distribute certification revocations over their (possibly fraudulent) certificate. The key holder MAY instead distribute the revocation signature in their own certificate using an Embedded Signature attribute subpacket of a User Attribute packet. A receiving implementation SHOULD apply any certification revocation to the target certification, if the revocation signature correctly validates. To aid a receiving implementation locate the correct certificate to apply the revocation to, a generating implementation SHOULD include an Intended Recipient Fingerprint subpacket containing the fingerprint of the primary key over which the revocation has been calculated. The receiving implementation then only has to perform one signature verification per User ID packet on the target certificate, but cannot recover the contents of a User ID packet that it does not already have a copy of.

Certification Revocation Self-Signature If the key holder wishes to delete a User ID or User Attribute from their own certificate using a redacting revocation signature (), they cannot append the revocation signature to the redacted User ID or User Attribute packet, because the redacted packet is no longer part of the certificate packet sequence. In order to distribute the revocation signature, it MAY be included in an Embedded Signature attribute subpacket of a separate User Attribute packet. The revocation signature can be validated by a receiving implementation that already has a copy of the redacted User ID or User Attribute.

User Attribute Subpacket Grammar A User Attribute MUST NOT contain subpackets of more than one type. A receiving implementation MUST disregard the entire User Attribute packet if it contains subpackets of more than one type. A certification signature over a User Attribute packet SHOULD NOT contain subpackets of the Direct or First Party Certification categories (), and any such subpackets MUST be ignored.

Security Considerations The deprecation of Image Attribute subpackets should increase both security and reliability, by removing a significant abuse vector. Distribution of third-party revocations in the certificate of the signer should be more reliable than existing methods, thereby increasing overall trust in the certification process.

IANA Considerations IANA is requested to perform the following tasks: Delete the OpenPGP Image Attribute Versions and OpenPGP Image Attribute Encoding Format registries. Update the contents of the OpenPGP User Attribute Subpacket Types Registry to read: Type Name Reference 1 Image Attribute (Deprecated) 2 Embedded Signature Update the following entry in the OpenPGP Signature Types Registry to read: ID Name Embeddable Reference 0x30 Certification Revocation Signature Yes ,

This document specifies the message formats used in OpenPGP. OpenPGP provides encryption with public key or symmetric cryptographic algorithms, digital signatures, compression, and key management. This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. This document obsoletes RFCs 4880 ("OpenPGP Message Format"), 5581 ("The Camellia Cipher in OpenPGP"), and 6637 ("Elliptic Curve Cryptography (ECC) in OpenPGP"). PGPKeys.EU ACLU This document specifies several updates and clarifications to the OpenPGP signature and message format specifications. ACLU Cryptographic revocation is a hard problem. OpenPGP's revocation mechanisms are imperfect, not fully understood, and not as widely implemented as they could be. Additionally, some historical OpenPGP revocation mechanisms simply do not work in certain contexts. This document provides clarifying guidance on how OpenPGP revocation works, documents outstanding problems, and introduces a new mechanism for delegated revocations that improves on previous mechanism. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document defines the vCard data format for representing and exchanging a variety of information about individuals and other entities (e.g., formatted and structured name and delivery addresses, email address, multiple telephone numbers, photograph, logo, audio clips, etc.). This document obsoletes RFCs 2425, 2426, and 4770, and updates RFC 2739. [STANDARDS-TRACK] American Civil Liberties Union OpenPGP transferable public keys are composite certificates, made up of primary keys, revocation signatures, direct key signatures, user IDs, identity certifications ("signature packets"), subkeys, and so on. They are often assembled by merging multiple certificates that all share the same primary key, and are distributed in public keystores. Unfortunately, since many keystores permit any third-party to add a certification with any content to any OpenPGP certificate, the assembled/merged form of a certificate can become unwieldy or undistributable. Furthermore, keystores that are searched by user ID or fingerprint can be made unusable for specific searches by public submission of bogus certificates. And finally, keystores open to public submission can also face simple resource exhaustion from flooding with bogus submissions, or legal or other risks from uploads of toxic data. This draft documents techniques that an archive of OpenPGP certificates can use to mitigate the impact of these various attacks, and the implications of these concerns and mitigations for the rest of the OpenPGP ecosystem.

Acknowledgments The author would like to thank Daniel Kahn Gillmor, Heiko Schäfer and Wiktor Kwapisiewicz for discussions.

Document History Note to RFC Editor: this section should be removed before publication.

Changes Between draft-gallagher-openpgp-attributes-00 and draft-gallagher-openpgp-attributes-01 Removed Attribute Creation Time, Attribute URI, and Notation Data subpacket types. Restricted Signature Subpacket categories in certifications over User Attributes. Simplified the User Attribute Subpacket grammar and registry requirements. Specified use of the Intended Recipient Fingerprint subpacket. Added references.