archive-org.com » ORG » J » JOSEFSSON.ORG

Total: 236


  • … unknown parameters to allow for future extensions. Each parameter attribute (e.g. "url") MUST NOT occur more than once in any single instance of the OpenPGP field. The OpenPGP field itself MAY occur more than once in a single email, for example if the sender has multiple keys.

    Smasher & Josefsson    Expires November 21, 2008    [Page 4]
    Internet-Draft    The OpenPGP mail and news header field    May 2008

      openpgp     = "OpenPGP:" SP o-params CRLF
                      ; CFWS is defined in RFC 2822
                      ; SP and CRLF are defined in RFC 5234

      o-params    = o-parameter *( ";" o-parameter )

      o-parameter = [CFWS] "id=" id [CFWS]
                  / [CFWS] "url=" url [CFWS]
                  / [CFWS] "preference=" preference [CFWS]
                  / [CFWS] parameter [CFWS]   ; normally unused, for extensions
                      ; parameter is defined in RFC 2045

      id          = 1*(8HEXDIG)
                      ; HEXDIG is defined in RFC 5234
                      ; Matching of value is case insensitive

      url         = absoluteURI / quoted-url
                      ; absoluteURI is defined in RFC 3986
                      ; If the URL contains the ";" character,
                      ; the quoted-url form MUST be used

      quoted-url  = DQUOTE absoluteURI DQUOTE
                      ; DQUOTE is defined in RFC 5234

      preference  = "sign" / "encrypt" / "signencrypt" / "unprotected"
                      ; Matching of values is case insensitive

    3.1. Primary Key ID field ("id")

    The "id" parameter, if present, MUST hold the Key ID or key fingerprint for the primary key. The value uses the hex [RFC4648] notation. The parameter value is case insensitive.

    The length of the field determines whether it denotes a Key ID (8 hex symbols), a long Key ID (16 hex symbols), a v3 key fingerprint (32 hex symbols) or a v4 key fingerprint (40 hex symbols).

    Note that each of the following examples includes a comment, which is optional.

      id=12345678 (short key ID)
      id=1234567890ABCDEF (long key ID)
      id=1234567890abcdef0123456789ABCDEF01234567 (v4 fingerprint)
      id=1234567890ABCDEF0123456789ABCDEF (v3 fingerprint, deprecated)

    3.2. Key URL field ("url")

    The "url" parameter, if present, MUST specify a URL where the public key can be found. It is RECOMMENDED to use a common URL family such as HTTP [RFC2616] or FTP [RFC0959]. The URL MUST be fully qualified, MUST explicitly specify a protocol, and SHOULD be accessible on the public Internet.

    The content of where the URL points SHOULD be either an ASCII-armored or binary OpenPGP packet containing the key. A valid reason for storing something else may be if the key has been revoked.

    For example:

      url=http://example.org/pgp.txt
      url="http://example.org/funny;name.txt"

    If the URL contains the ";" character, the entire URL MUST be quoted, as illustrated in the example.

    3.3. Protection Preference Field ("preference")

    The "preference" parameter, if present, specify the quality of protection preferred by the sender. The parameter value is case insensitive. The available values are as follows. A "unprotected" token means that the sender prefers not to receive OpenPGP protected e-mails. A "sign" token means that the sender prefers to receive digitally signed e-mails. A "encrypt" token means that the sender prefers to receive encrypted e-mails. A "signencrypt" token means that the sender prefers to receive encrypted and signed e-mails. Note that there is no normative requirement on the receiver to follow the stated preference.

    For example:

      preference=sign
      preference=unprotected
      preference=ENCRYPT

    4. Comments

    As discussed in section 3.2.3 of RFC 2822, comments may appear in header field bodies. Comments are not intended to be interpreted by any application but to provide additional information for humans.

    The following are examples of OpenPGP fields with comments:

      id=B565716F (key stored on non-networked laptop)
      id=12345678 (1024-bit RSA Key for Encrypt or Sign)
      id=ABCD0123 (created Sun Jan 2 02:25:15 CET 2005)

    5. Examples

    These are valid examples of how the field may be used. This list is not meant to be exhaustive but to reflect expected typical usages.

      OpenPGP: id=12345678
      OpenPGP: url=http://example.com/key.txt
      OpenPGP: preference=unprotected
      OpenPGP: url=http://example.com/key.txt; id=12345678
      OpenPGP: id=12345678; url=http://example.com/key.txt; preference=signencrypt
      OpenPGP: url=http://example.com/key.txt (down 2-3pm UTC);
               id=12345678 (this key is only used at the office);
               preference=sign (unsigned emails are filtered away)
      OpenPGP: id=12345678; url=http://example.com/openpgp-key.txt

    6. Acknowledgements

    The content of this document builds on discussions with (in alphabetical order) Christian Biere, Patrick Brunschwig, Jon Callas, Dave Evans, Alfred Hoenes, Peter J. Holzer, Ingo Klocker, Werner Koch, Jochen Kupper, William Leibzon, Charles Lindsey, Aleksandar Milivojevic, Xavier Maillard, Greg Sabino Mullane, Tim Polk, Thomas Roessler, Moritz Schulte, Olav Seyfarth, David Shaw, Thomas Sjogren, Paul Walker and Steve Youngs. No doubt the list is incomplete. We apologize to anyone we left out.

    7. Security Considerations

    The OpenPGP header field is intended to be a convenience in locating public keys; it is neither secure nor intended to be. Since the message header is easy to spoof, information contained in the header should not be trusted. The information must be verified.

    Applications that interpret the field MUST NOT assume that the content is correct, and MUST NOT present the data to the user in any way that would cause the user to assume that it is correct. Applications that interpret the data within the field SHOULD alert the user that this information is not a substitute for personally verifying keys and being a part of the web of trust.

    If an application receives a signed message and uses the information in the field to automatically retrieve a key, the application MAY ignore the retrieved key if it is not the same key used to sign the message. This SHOULD be done before the newly retrieved key is imported into the user's keyring.

    The use of HTTPS [RFC2818], DNSSEC …

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-06.txt (2016-04-30)


  • Diff: draft-josefsson-openpgp-mailnews-header-05.txt - draft-josefsson-openpgp-mailnews-header-06.txt
    Side-by-side diff of -05 against -06 (the two columns were flattened into one stream by extraction; listed here as the differences it shows, from the unchanged context "The OpenPGP header field is intended to present characteristics of the sender's OpenPGP key. The field typically contains the Key ID and the URL where the key can be retrieved." and "skipping to change at page 4 line 31" through the section 3.1 examples):

    - Unchanged context: where the two sources conflict, users SHOULD favor the information from the OpenPGP key, as that information can be cryptographically protected; the field is of a structured type (see section 2.2.2 of RFC 2822); in general the structure consist of one or more parameters, each consisting of one attribute and one value; the terminology and format of the field was inspired by MIME [RFC2045], whose provisions apply (the value part of parameters may be quoted; whitespace folding and comments may occur in the middle of parameters, except as noted below).
    - "The provisions of MIME [RFC2231] also apply, in particular it deals with handling parameters of excessive length" becomes "The provisions of MIME Parameter Extensions [RFC2231] also apply; in particular, that document deals with handling parameters of excessive length."
    - "The OpenPGP header field is defined as below in the Augmented BNF [RFC5234] notation" becomes "is defined below in the Augmented BNF [RFC5234] notation". Unchanged: by itself, however, this grammar is incomplete; it refers by name to syntax rules that are defined in [RFC2822] and [RFC3986], and rather than reproduce those definitions here and risk unintentional differences between the two, this document refers the reader to the other documents for the definition of non-terminals ("refer" becomes "refers").
    - Unchanged: implementations MUST understand the id, url and preference attributes; parameters with unrecognized attributes MUST be ignored; each parameter attribute (e.g. "url") MUST NOT occur more than once in any single instance of the OpenPGP field; the OpenPGP field itself MAY occur more than once in a single email, for example if the sender has multiple keys. "The grammar permit unknown parameters" becomes "permits".
    - Grammar: `openpgp = "OpenPGP:" SP [CFWS] o-params CRLF` becomes `openpgp = "OpenPGP:" SP o-params CRLF`.
    - Grammar: `o-params = o-parameter [CFWS] [ ";" [CFWS] o-params ]` becomes `o-params = o-parameter *( ";" o-parameter )`, and the optional CFWS moves into each alternative of o-parameter: `[CFWS] "id=" id [CFWS]`, `[CFWS] "url=" url [CFWS]`, `[CFWS] "preference=" preference [CFWS]`, `[CFWS] parameter [CFWS]` (normally unused, for extensions; parameter is defined in RFC 2045).
    - Grammar: `id = 8*HEXDIG` becomes `id = 1*(8HEXDIG)`; the url comment "If URL contains the ";" character" becomes "If the URL contains the ";" character"; the preference comment "Matching of values are case insensitive" becomes "is".
    - Section 3.1: "The length of the field determine" becomes "determines". The rest of 3.1 (Key ID or key fingerprint for the primary key, hex [RFC4648] notation, case insensitive, 8/16/32/40 hex symbols, and the four examples) is unchanged. The diff then skips to page 6 line 32.

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-06-from-5.diff.html (2016-04-30)


  • The grammar permit unknown parameters to allow for future extensions. Each parameter attribute (e.g. "url") MUST NOT occur more than once in any single instance of the OpenPGP field. The OpenPGP field itself MAY occur more than once in a single email, for example if the sender has multiple keys.

    Smasher & Josefsson    Expires October 17, 2008    [Page 4]
    Internet-Draft    The OpenPGP mail and news header field    April 2008

      openpgp     = "OpenPGP:" SP [CFWS] o-params CRLF
                      ; CFWS is defined in RFC 2822
                      ; SP and CRLF are defined in RFC 5234

      o-params    = o-parameter [CFWS] [ ";" [CFWS] o-params ]

      o-parameter = "id=" id
                  / "url=" url
                  / "preference=" preference
                  / parameter   ; normally unused, for extensions
                      ; parameter is defined in RFC 2045

      id          = 8*HEXDIG
                      ; HEXDIG is defined in RFC 5234
                      ; Matching of value is case insensitive

      url         = absoluteURI / quoted-url
                      ; absoluteURI is defined in RFC 3986
                      ; If URL contains the ";" character,
                      ; the quoted-url form MUST be used

      quoted-url  = DQUOTE absoluteURI DQUOTE
                      ; DQUOTE is defined in RFC 5234

      preference  = "sign" / "encrypt" / "signencrypt" / "unprotected"
                      ; Matching of values are case insensitive

    3.1. Primary Key ID field ("id")

    The "id" parameter, if present, MUST hold the Key ID or key fingerprint for the primary key. The value uses the hex [RFC4648] notation. The parameter value is case insensitive.

    The length of the field determine whether it denotes a Key ID (8 hex symbols), a long Key ID (16 hex symbols), a v3 key fingerprint (32 hex symbols) or a v4 key fingerprint (40 hex symbols).

    Note that each of the following examples includes a comment, which is optional.

      id=12345678 (short key ID)
      id=1234567890ABCDEF (long key ID)
      id=1234567890abcdef0123456789ABCDEF01234567 (v4 fingerprint)
      id=1234567890ABCDEF0123456789ABCDEF (v3 fingerprint, deprecated)

    3.2. Key URL field ("url")

    The "url" parameter, if present, MUST specify a URL where the public key can be found. It is RECOMMENDED to use a common URL family such as HTTP [RFC2616] or FTP [RFC0959]. The URL MUST be fully qualified, MUST explicitly specify a protocol, and SHOULD be accessible on the public Internet.

    The content of where the URL points SHOULD be either an ASCII-armored or binary OpenPGP packet containing the key. A valid reason for storing something else may be if the key has been revoked.

    For example:

      url=http://example.org/pgp.txt
      url="http://example.org/funny;name.txt"

    If the URL contains the ";" character, the entire URL MUST be quoted, as illustrated in the example.

    3.3. Protection Preference Field ("preference")

    The "preference" parameter, if present, specify the quality of protection preferred by the sender. The parameter value is case insensitive. The available values are as follows. A "unprotected" token means that the sender prefer not to receive OpenPGP protected e-mails. A "sign" token means that the sender prefer to receive digitally signed e-mails. A "encrypt" token means that the sender prefer to receive encrypted e-mails. A "signencrypt" token means that the sender prefer to receive encrypted and signed e-mails. Note that there is no normative requirement on the receiver to follow the stated preference.

    For example:

      preference=sign
      preference=unprotected
      preference=ENCRYPT

    4. Comments

    As discussed in section 3.2.3 of RFC 2822, comments may appear in header field bodies. Comments are not intended to be interpreted by any application but to provide additional information for humans.

    The following are examples of OpenPGP fields with comments:

      id=B565716F (key stored on non-networked laptop)
      id=12345678 (1024-bit RSA Key for Encrypt or Sign)
      id=ABCD0123 (created Sun Jan 2 02:25:15 CET 2005)

    5. Examples

    These are valid examples of how the field may be used. This list is not meant to be exhaustive but to reflect expected typical usages.

      OpenPGP: id=12345678
      OpenPGP: url=http://example.com/key.txt
      OpenPGP: preference=unprotected
      OpenPGP: url=http://example.com/key.txt; id=12345678
      OpenPGP: id=12345678; url=http://example.com/key.txt; preference=signencrypt
      OpenPGP: url=http://example.com/key.txt (down 2-3pm UTC);
               id=12345678 (this key is only used at the office);
               preference=sign (unsigned emails are filtered away)
      OpenPGP: id=12345678; url=http://example.com/openpgp-key.txt

    6. Acknowledgements

    The content of this document builds on discussions with (in alphabetical order) Christian Biere, Patrick Brunschwig, Jon Callas, Dave Evans, Peter J. Holzer, Ingo Klocker, Werner Koch, Jochen Kupper, William Leibzon, Charles Lindsey, Aleksandar Milivojevic, Xavier Maillard, Greg Sabino Mullane, Tim Polk, Thomas Roessler, Moritz Schulte, Olav Seyfarth, David Shaw, Thomas Sjogren, Paul Walker and Steve Youngs. No doubt the list is incomplete. We apologize to anyone we left out.

    7. Security Considerations

    The OpenPGP header field is intended to be a convenience in locating public keys. The OpenPGP header is neither secure nor intended to be. Since the message header is easy to spoof, information contained in the header should not be trusted. The information must be verified.

    Applications that interpret the field MUST NOT assume that the content is correct, and MUST NOT present the data to the user in any way that would cause the user to assume that it is correct. Applications that interpret the data within the field SHOULD alert the user that this information is not a substitute for personally verifying keys and being a part of the web of trust.

    If an application receives a signed message and uses the information in the field to automatically retrieve a key, the application MAY ignore the retrieved key if it is not the same key used to sign the message. This SHOULD be done before the newly retrieved key is imported into the user's keyring.

    The use of HTTPS [RFC2818], DNSSEC [RFC4033], SMTP STARTTLS …

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-05.txt (2016-04-30)

  • Diff: draft-josefsson-openpgp-mailnews-header-04.txt - draft-josefsson-openpgp-mailnews-header-05.txt
    Side-by-side diff of -04 against -05 (the two columns were flattened into one stream by extraction; listed here as the differences it shows, starting from the unchanged context "… multiple keys" just before the grammar and running to the section 5 examples):

    - Grammar: the rules openpgp-params and openpgp-parameter are renamed o-params and o-parameter. `openpgp = "OpenPGP:" SP [CFWS] openpgp-params [CFWS] CRLF` becomes `openpgp = "OpenPGP:" SP [CFWS] o-params CRLF`, and the comment "SP and CRLF are defined in RFC 5234" is added next to "CFWS is defined in RFC 2822".
    - Grammar: `openpgp-params = openpgp-parameter [CFWS] *( ";" [CFWS] openpgp-parameter )` becomes `o-params = o-parameter [CFWS] [ ";" [CFWS] o-params ]`; the alternatives `"id=" id / "url=" url / "preference=" preference / parameter` keep their form, but the comment "; See RFC 2045 for definition of parameter" becomes "; normally unused, for extensions" and "; parameter is defined in RFC 2045".
    - Grammar: `id = 8*HEXDIG` keeps its form, but "; Defined in RFC 5234" becomes "; HEXDIG is defined in RFC 5234" and "; Matching of value is case insensitive". `url = absoluteURI ; Defined in RFC 3986` becomes `url = absoluteURI / quoted-url` with "absoluteURI is defined in RFC 3986" and "If URL contains the ";" character, the quoted-url form MUST be used", plus the new rule `quoted-url = DQUOTE absoluteURI DQUOTE ; DQUOTE is defined in RFC 5234`. The preference rule gains "; Matching of values are case insensitive".
    - Section 3.1: "The id attribute-value pair, if present, MUST define the primary key ID. The value MUST identify the key ID in either short or long form, or the fingerprint, all using the hex [RFC4648] notation." becomes "The id parameter, if present, MUST hold the Key ID or key fingerprint for the primary key. The value uses the hex [RFC4648] notation. The parameter value is case insensitive." "The length of the field imply the kind of key id, i.e. short or long form, or a v3 or v4 key" becomes "The length of the field determine whether it denotes a Key ID (8 hex symbols), a long Key ID (16 hex symbols), a v3 key fingerprint (32 hex symbols) or a v4 key fingerprint (40 hex symbols)."
    - Section 3.1 examples: the v4 fingerprint example changes from 1234567890abcdef01234567890ABCDEF0123456 to 1234567890abcdef0123456789ABCDEF01234567, and the (deprecated) v3 fingerprint example from 1234567890ABCDEF01234567890ABCDE to 1234567890ABCDEF0123456789ABCDEF. The short and long key ID examples are unchanged.
    - Section 3.2: "The url attribute-value pair" becomes "The url parameter" (rest of the sentence unchanged: MUST specify a URL where the public key can be found; RECOMMENDED HTTP [RFC2616] or FTP [RFC0959]; fully qualified, explicit protocol, SHOULD be accessible on the public Internet). A new paragraph is added: "The content of where the URL points SHOULD be either an ASCII-armored or binary OpenPGP packet containing the key. A valid reason for storing something else may be if the key has been revoked." A second example `url="http://example.org/funny;name.txt"` is added after `url=http://example.org/pgp.txt`, with the new sentence "If the URL contains the ";" character, the entire URL MUST be quoted, as illustrated in the example."
    - Section 3.3: "The preference attribute-value pair, if present, specify the quality of protection preferred by the sender. The available choices are "unprotected", which means that the sender prefer not to receive OpenPGP protected e-mails." becomes "The preference parameter, if present, specify the quality of protection preferred by the sender. The parameter value is case insensitive. The available values are as follows. A "unprotected" token means that the sender prefer not to receive OpenPGP protected e-mails." "prefer to receive digitally encrypted e-mails" becomes "prefer to receive encrypted e-mails" (for both "encrypt" and "signencrypt"), and "no technical requirement on the receiver" becomes "no normative requirement on the receiver". The examples preference=sign, preference=unprotected and preference=ENCRYPT are unchanged.
    - Section 4 (Comments) and its three examples are unchanged.
    - Section 5: "This list is not meant to be exhaustive but do reflect expected typical usages" becomes "but to reflect"; the examples OpenPGP: id=12345678 and OpenPGP: url=http://example.com/key.txt shown in the context are unchanged.

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-05-from-4.diff.html (2016-04-30)


  • … notation. The length of the field imply the kind of key id, i.e. short or long form, or a v3 or v4 key.

    Note that each of the following examples includes a comment, which is optional.

      id=12345678 (short key ID)
      id=1234567890ABCDEF (long key ID)
      id=1234567890abcdef01234567890ABCDEF0123456 (v4 fingerprint)
      id=1234567890ABCDEF01234567890ABCDE (v3 fingerprint, deprecated)

    3.2. Key URL field ("url")

    The "url" attribute-value pair, if present, MUST specify a URL where the public key can be found. It is RECOMMENDED to use a common URL family such as HTTP [RFC2616] or FTP [RFC0959]. The URL MUST be fully qualified, MUST explicitly specify a protocol, and SHOULD be accessible on the public Internet.

    For example:

      url=http://example.org/pgp.txt

    Smasher & Josefsson    Expires October 4, 2008    [Page 5]
    Internet-Draft    The OpenPGP mail and news header field    April 2008

    3.3. Protection Preference Field ("preference")

    The "preference" attribute-value pair, if present, specify the quality of protection preferred by the sender. The available choices are "unprotected", which means that the sender prefer not to receive OpenPGP protected e-mails. A "sign" token means that the sender prefer to receive digitally signed e-mails. A "encrypt" token means that the sender prefer to receive digitally encrypted e-mails. A "signencrypt" token means that the sender prefer to receive digitally encrypted and signed e-mails. Note that there is no technical requirement on the receiver to follow the stated preference.

    For example:

      preference=sign
      preference=unprotected
      preference=ENCRYPT

    4. Comments

    As discussed in section 3.2.3 of RFC 2822, comments may appear in header field bodies. Comments are not intended to be interpreted by any application but to provide additional information for humans.

    The following are examples of OpenPGP fields with comments:

      id=B565716F (key stored on non-networked laptop)
      id=12345678 (1024-bit RSA Key for Encrypt or Sign)
      id=ABCD0123 (created Sun Jan 2 02:25:15 CET 2005)

    5. Examples

    These are valid examples of how the field may be used. This list is not meant to be exhaustive but do reflect expected typical usages.

      OpenPGP: id=12345678
      OpenPGP: url=http://example.com/key.txt
      OpenPGP: preference=unprotected
      OpenPGP: url=http://example.com/key.txt; id=12345678
      OpenPGP: id=12345678; url=http://example.com/key.txt; preference=signencrypt
      OpenPGP: url=http://example.com/key.txt (down 2-3pm UTC);
               id=12345678 (this key is only used at the office);
               preference=sign (unsigned emails are filtered away)

    6. Acknowledgements

    The content of this document builds on discussions with (in alphabetical order) Christian Biere, Patrick Brunschwig, Jon Callas, Dave Evans, Peter J. Holzer, Ingo Klocker, Werner Koch, Jochen Kupper, William Leibzon, Charles Lindsey, Aleksandar Milivojevic, Xavier Maillard, Greg Sabino Mullane, Thomas Roessler, Moritz Schulte, Olav Seyfarth, David Shaw, Thomas Sjogren, Paul Walker and Steve Youngs. No doubt the list is incomplete. We apologize to anyone we left out.

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-04.txt (2016-04-30)

  • Diff: draft-josefsson-openpgp-mailnews-header-03.txt - draft-josefsson-openpgp-mailnews-header-04.txt
    Side-by-side diff of -03 against -04 (the two columns were flattened into one stream by extraction; listed here as the differences it shows, from section 3.1 through the last paragraph of Security Considerations):

    - Section 3.1: "all using the hex [16] notation" becomes "all using the hex [RFC4648] notation". The rest of the section is unchanged: the id attribute-value pair, if present, MUST define the primary key ID; the value MUST identify the key ID in either short or long form, or the fingerprint; the length of the field imply the kind of key id (short or long form, or a v3 or v4 key); and the four examples (12345678, 1234567890ABCDEF, 1234567890abcdef01234567890ABCDEF0123456, 1234567890ABCDEF01234567890ABCDE) are unchanged.
    - Section 3.2: "a common URL family such as HTTP [11] or FTP [8]" becomes "HTTP [RFC2616] or FTP [RFC0959]". The rest (fully qualified, explicit protocol, SHOULD be accessible on the public Internet, example url=http://example.org/pgp.txt) is unchanged.
    - Section 3.3: the opening sentence of the preference attribute-value pair is unchanged; the diff then skips to page 7 line 5.
    - Section 5: the examples (OpenPGP: id=12345678; url=http://example.com/key.txt; preference=unprotected; the combined url/id and id/url/preference=signencrypt forms; and the commented three-parameter example with "down 2-3pm UTC", "this key is only used at the office" and "unsigned emails are filtered away") are unchanged.
    - Section 6 "Open Issues" is removed. Its text was: "Should there be a supports field that signal whether the sender support inline PGP or PGP/MIME? As in supports=inline,mime or similar. Should it be in preferred priority order? This draft tentatively closes this issue by ignoring the matter until someone proposes text." and "The ABNF definition is known to be under-specified."
    - Acknowledgements is renumbered from section 7 to section 6 and Security Considerations from section 8 to section 7; the acknowledgement list (Christian Biere through Steve Youngs) and the Security Considerations text (convenience in locating public keys, neither secure nor intended to be; header easy to spoof, information must be verified; applications MUST NOT assume the content is correct nor present it as such; SHOULD alert the user that it is not a substitute for personally verifying keys and the web of trust; an application MAY ignore a key retrieved via the field if it is not the same key used to sign the message) are unchanged in the shown context.

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-04-from-3.diff.html (2016-04-30)


  • ... is defined as below. By itself, however, this grammar is incomplete. It refers by name to several syntax rules that are defined by RFC 2822 and the URI syntax document [5]. Rather than reproduce those definitions here, and risk unintentional differences between the two, this document refer the reader to RFC 2822 and RFC 3986 for the definition of non-terminals.

    Unrecognized parameters MUST be ignored. The grammar permit them to allow for future extensions. The field SHOULD NOT appear more than once within a message. A given parameter type, i.e. id, url or preference, MUST NOT occur more than once.

    Smasher & Josefsson          Expires August 26, 2008                [Page 4]
    Internet-Draft    The OpenPGP mail and news header field       February 2008

        openpgp = "OpenPGP:" openpgp-parameter *(";" openpgp-parameter) CRLF

        id = 8*HEXDIG

        url = absoluteURI   ; Defined in RFC 3986

        preference = "sign" / "encrypt" / "signencrypt" / "unprotected"

        openpgp-parameter = "id=" id
                          / "url=" url
                          / "preference=" preference
                          / parameter   ; See RFC 2045 for definition of parameter

    3.1. Primary Key ID field ("id")

    The "id" attribute/value pair, if present, MUST define the primary key ID. The value MUST identify the key ID in either short or long form, or the fingerprint, all using the hex [16] notation. The length of the field imply the kind of key id, i.e. short or long form, or a v3 or v4 key.

    Note that each of the following examples includes a comment, which is optional.

        id=12345678 (short key ID)
        id=1234567890ABCDEF (long key ID)
        id=1234567890abcdef01234567890ABCDEF0123456 (v4 fingerprint)
        id=1234567890ABCDEF01234567890ABCDE (v3 fingerprint, deprecated)

    3.2. Key URL field ("url")

    The "url" attribute/value pair, if present, MUST specify a URL where the public key can be found. It is RECOMMENDED to use a common URL family such as HTTP [11] or FTP [8]. The URL MUST be fully qualified, MUST explicitly specify a protocol, and SHOULD be accessible on the public Internet.

    For example:

        url=http://example.org/pgp.txt

    3.3. Protection Preference Field ("preference")

    The "preference" attribute/value pair, if present, specify the quality of protection preferred by the sender. The available choices are: "unprotected", which means that the sender prefer not to receive OpenPGP protected e-mails. A "sign" token means that the sender prefer to receive digitally signed e-mails. A "encrypt" token means that the sender prefer to receive digitally encrypted e-mails. A "signencrypt" token means that the sender prefer to receive digitally encrypted and signed e-mails.

    Note that there is no technical requirement on the receiver to follow the stated preference.

    For example:

        preference=sign
        preference=unprotected
        preference=ENCRYPT

    4. Comments

    As discussed in section 3.2.3 of RFC 2822, comments may appear in header field bodies. Comments are not intended to be interpreted by any application, but to provide additional information for humans. The following are examples of OpenPGP fields with comments:

        id=B565716F (key stored on non-networked laptop)
        id=12345678 (1024-bit RSA Key for Encrypt or Sign)
        id=ABCD0123 (created Sun Jan 2 02:25:15 CET 2005)

    5. Examples

    These are valid examples of how the field may be used. This list is not meant to be exhaustive but do reflect expected typical usages.

        OpenPGP: id=12345678
        OpenPGP: url=http://example.com/key.txt
        OpenPGP: preference=unprotected
        OpenPGP: url=http://example.com/key.txt; id=12345678
        OpenPGP: id=12345678; url=http://example.com/key.txt;
            preference=signencrypt
        OpenPGP: url=http://example.com/key.txt (down 2-3pm UTC);
            id=12345678 (this key is only used at the office);
            preference=sign (unsigned emails are filtered away)

    6. Open Issues

    Should there be a "supports" field that signal whether the sender support inline PGP or PGP/MIME? As in "supports=inline,mime" or similar. Should it be in preferred priority order? This draft tentatively closes this issue by ignoring the matter until someone proposes text.

    The ABNF definition is known to be under-specified.

    7. Acknowledgements

    The content of this document builds on discussions with (in alphabetical order) Christian Biere, Patrick Brunschwig, Jon Callas, Dave Evans, Peter J. Holzer, Ingo Klocker, Werner Koch, Jochen Kupper, William Leibzon, Charles Lindsey, Aleksandar Milivojevic, Xavier Maillard, Greg Sabino Mullane, Thomas Roessler, Moritz Schulte, Olav Seyfarth, David Shaw, Thomas Sjogren, Paul Walker and Steve Youngs. No doubt the list is incomplete. We apologize to anyone we left out.

    8. Security Considerations

    The OpenPGP header field is intended to be a convenience in locating public keys. They are neither secure nor intended to be. Since the message header is easy to spoof, information contained in the header should not be trusted. The information must be verified.

    Applications that interpret the field MUST NOT assume that the content is correct and MUST NOT present the data to the user in any way that would cause the user to assume that it is correct. Applications that interpret the data within the field SHOULD alert the user that this information is not a substitute for personally verifying keys and being a part of the web of trust.

    If an application receives a signed message and uses the information in the field to retrieve a key, the application MAY ignore the retrieved key if it is not the same key used to sign the message. This SHOULD be done before the newly retrieved key is imported into the user's keyring.

    The use of HTTPS [12], DNSSEC [15], SMTP STARTTLS [13], IMAP/POP3 STARTTLS [10] and other secure protocols may enhance the security of information conveyed through this field, but does not guarantee any level of security or authenticity. Developers and users must remain aware of this.

    Version 3 OpenPGP keys can be created with a chosen key

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-03.txt (2016-04-30)

  • Diff: draft-josefsson-openpgp-mailnews-header-02.txt - draft-josefsson-openpgp-mailnews-header-03.txt
    (changed wording shown inline as {-02: old | -03: new}; text present in only one version as {-02 only: ...} or {-03 only: ...})

    ... {-02: may be enhanced by using the information in this header | -03: where the user experience may be enhanced by using the information in the field}. Consequently, the information in {-02: this header | -03: the field} should not disrupt the normal OpenPGP key retrieval and web of trust mechanism. Neither the integrity nor the authenticity of the information in {-02: this header | -03: the field} should be assumed to be correct or be trustworthy.

    No specific scenario when the {-02: header | -03: field} should be used nor how it should be used in that scenario are suggested by this document. It is acknowledged that the dominant use of the information in {-02: this header | -03: the field} may be by humans and not applications.

    To promote good use of {-02: this header | -03: the field}, care should be taken so that applications do not trigger error messages that may annoy the user when an error condition arise during handling of the OpenPGP {-02: header | -03: field}. It is generally recommended that an implementation ignore the presence of the OpenPGP {-02: header | -03: fields} if an error condition occur. Since the {-02: header | -03: field} is optional, this approach should not be difficult to implement. The philosophy here is to enable an enhanced user experience. Error messages rarely contribute to that goal.

    3. OpenPGP Header Field

    {-02: This header | -03: The OpenPGP header field} is intended to present characteristics of the sender's OpenPGP key. {-02: It | -03: The field} may contain the Key ID and the URL where the key can be retrieved.

    {-03 only: Because the header is typically not integrity protected, the information conveyed in the OpenPGP header field MUST NOT be trusted without additional verification. Some of the information given in this field may also be given on the OpenPGP key itself. When these two sources conflict, users SHOULD favor the information from the OpenPGP key, as that information can be cryptographically protected.}

    {-02: This header | -03: The field} is of a structured type, see section 2.2.2 of RFC 2822. In general, the structure consist of one or more parameters, each consisting of one attribute and one value. The terminology and format of the {-02: header | -03: field} was inspired by MIME {-02: [2] | -03: [1]}. The various provisions of RFC 2045 apply. In particular, the value part of all parameters may be quoted, whitespace folding and comments may occur in the middle of parameters. The provisions of MIME {-02: [3] | -03: [2]} also apply, in particular it deals with handling parameters of excessive length.

    In the Augmented BNF {-02: [5] | -03: [7]} notation, {-02: an | -03: the} OpenPGP header field is defined as below. By itself, however, this grammar is incomplete. It refers by name to several syntax rules that are defined by RFC 2822 and the URI syntax document {-02: [6] | -03: [5]}. Rather than reproduce those definitions here, and risk unintentional differences between the two, this document refer the reader to RFC 2822 and RFC {-02: 2396 | -03: 3986} for the definition of non-terminals.

    Unrecognized parameters MUST be ignored. The grammar permit them to allow for future extensions. {-02: This header | -03: The field} SHOULD NOT appear more than once within a message. A given parameter type, i.e. id, url or preference, MUST NOT occur more than once.

        openpgp = "OpenPGP:" openpgp-parameter *(";" openpgp-parameter) CRLF

        id = {-02: *HEXDIG | -03: 8*HEXDIG}

        url = absoluteURI   ; Defined in RFC {-02: 2396 | -03: 3986}

        preference = "sign" / "encrypt" / "signencrypt" / "unprotected"

        openpgp-parameter = "id=" id
                          / "url=" url
                          / "preference=" preference
                          / parameter   ; See RFC 2045 for definition of parameter

    3.1. Primary Key ID field ("id")

    The "id" attribute/value pair, if present, MUST define the primary key ID. The value MUST identify the key ID in either short or long form, or the fingerprint, all using the {-02: hexadecimal [14] | -03: hex [16]} notation. The length of the field imply the kind of key id, i.e. short or long form, or a v3 or v4 key.

    Note that each of the following examples includes a comment, which is optional.

        id=12345678 (short key ID)
        id=1234567890ABCDEF (long key ID)
        id=1234567890abcdef01234567890ABCDEF0123456 (v4 fingerprint)
        id=1234567890ABCDEF01234567890ABCDE (v3 fingerprint, deprecated)

    3.2. Key URL field ("url")

    The "url" attribute/value pair, if present, MUST specify a URL where the public key can be found. It is RECOMMENDED to use a common URL family such as HTTP {-02: [12] | -03: [11]} or FTP {-02: [9] | -03: [8]}. The URL MUST be fully qualified, MUST explicitly specify a protocol, and SHOULD be accessible on the public Internet.

    For example:

        url=http://example.org/pgp.txt

    3.3. Protection Preference Field ("preference")

    The "preference" attribute/value pair, if present, specify the
    (skipping to change at page 6, line 29)

        preference=sign
        preference=unprotected
        preference=ENCRYPT

    4. Comments

    As discussed in section 3.2.3 of RFC 2822, comments may appear in header field bodies. Comments are not intended to be interpreted by any application, but to provide additional information for humans. The following are examples of {-02: header field bodies | -03: OpenPGP fields} with comments:

        id=B565716F (key stored on non-networked laptop)
        id=12345678 (1024-bit RSA Key for Encrypt or Sign)
        id=ABCD0123 (created Sun Jan 2 02:25:15 CET 2005)

    5. Examples

    These are valid examples of {-02: ways in which this header | -03: how the field} may be used. This list is not meant to be exhaustive but do reflect expected typical usages.

        OpenPGP: id=12345678
        OpenPGP: url=http://example.com/key.txt
        OpenPGP: preference=unprotected
        OpenPGP: url=http://example.com/key.txt; id=12345678
        OpenPGP: id=12345678; url=http://example.com/key.txt;
            preference=signencrypt
        OpenPGP: url=http://example.com/key.txt (down 2-3pm UTC);
            id=12345678 (this key is only used at the office);
            preference=sign (unsigned emails are filtered away)

    (skipping to change at page 7, line 19)

    ... similar. Should it be in preferred priority order? This draft tentatively closes this issue by ignoring the matter until someone proposes text.

    The ABNF definition is known to be under-specified.

    7. Acknowledgements

    The content of this document builds on discussions with (in alphabetical order) Christian Biere, Patrick Brunschwig, Jon Callas, {-03 only: Dave Evans,} Peter J. Holzer, Ingo Klocker, Werner Koch, Jochen Kupper, {-03 only: William Leibzon,} Charles Lindsey, Aleksandar Milivojevic, Xavier Maillard, Greg Sabino Mullane, Thomas Roessler, Moritz Schulte, Olav Seyfarth, {-03 only: David Shaw,} Thomas Sjogren, Paul Walker and Steve Youngs. No doubt the list is incomplete. We apologize to anyone we left out.

    8. Security Considerations

    {-02: These headers are | -03: The OpenPGP header field is} intended to be a convenience in locating public keys. They are neither secure nor intended to be. Since {-02: header information | -03: the message header} is easy to spoof, information contained in {-02: headers | -03: the header} should not be trusted. The information must be verified. {-02 only: How the information is verified is left as an exercise for the reader.}

    Applications that interpret the {-02: data within this header | -03: field} MUST NOT assume that the {-02: data | -03: content} is correct and MUST NOT present the data to the user in any way that would cause the user to assume that it is correct. Applications that interpret the data within {-02: this header | -03: the field} SHOULD alert the user that this information is not a substitute for personally verifying keys and being a part of the web of trust.

    If an application receives a signed message and uses the information in {-02: this header | -03: the field} to retrieve a key, the application MAY ignore the retrieved key if it is not the same key used to sign the message. This SHOULD be done before the newly retrieved key is imported into the user's keyring.

    The use of HTTPS {-02: [13] | -03: [12]}, DNSSEC {-02: [10] | -03: [15]}, SMTP STARTTLS {-02: [11] | -03: [13]}, {-03 only: IMAP/POP3 STARTTLS [10],} and other secure protocols may enhance the security of information conveyed through {-02: this header | -03: this field}, but does not guarantee any level of security or authenticity. Developers and users must remain aware of this.

    Version 3 OpenPGP keys can be created with a chosen key id, aka the 0xDEADBEEF attack. Verifying the Key ID of a retrieved key against the one provided in {-02: this header | -03: the field} is thus not sufficient to protect against a man-in-the-middle attack. Instead the web of trust mechanism should be used.

    If an attacker wants to check the validity of Email addresses, he might send out junk email to arbitrary addresses and collect those that report back to the crafted OpenPGP URL. To protect against this, implementations MUST inform the user of that potential privacy issue when retrieving keys from an URL provided by {-02: the mail headers | -03: the field} of an inbound email message, either when the feature is enabled or to be used for the first time, or every time the MUA detects an unknown key.

    Given the flexibility of the syntax of the {-02: header | -03: field}, slightly varying the content between messages can be used as a covert channel.

    9. IANA Considerations

    The IANA is asked to register the OpenPGP header {-03 only: field} using the template as follows, in accordance with RFC 3864 {-02: [15] | -03: [14]}.

        Header field name: OpenPGP
        Applicable protocol: mail, netnews
        Status: informational
        Author/Change controller: IETF
        Specification document(s): This document

    (skipping to change at page 9, line 26)

    ... permission to anyone to use, modify, and distribute it in any way that does not diminish the rights of anyone else to use, modify, and distribute it, provided that redistributed derivative works do not contain misleading author or version information. Derivative works need not be licensed under similar terms.

    11. References

    11.1. Normative References

    {-02 only: [1] Horton, M. and R. Adams, "Standard for interchange of USENET messages", RFC 1036, December 1987.}

    {-02: [2] | -03: [1]} Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, November 1996.

    {-02: [3] | -03: [2]} Freed, N. and K. Moore, "MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations", RFC 2231, November 1997.

    {-02: [4] | -03: [3]} Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels"

    Original URL path: http://www.josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header-03-from-2.diff.html (2016-04-30)