This page documents existing real world publishing examples of public keys in the hope of analyzing them to see if / how to better fit existing publishing practices of public keys, either with hCard 1.0's 'key' property, or possibly other solutions.
Related: provide input to W3C Crypto API Issue 14: Representation of raw key material
- 1 The Problem
- 2 Use Cases
- 3 Real-World Examples
- 4 Common Practices
- 5 Existing Practices
- 6 Brainstorming
- 7 See Also
A user wants to share their public key on the web. What's the best way to do this? To answer that question, this page researches existing publishing practies to see if there are patterns or exemplary examples, or if we can use them to figure out a recommended way to publish public keys on web pages.
meeting someone and sending private messages
Two people meet and exchange their personal URLs in the hopes of communicating later, and encrypting said communications.
- two people meet
- they exchange personal URLs
- each (perhaps later) browses the others' URL on their device
- the page clearly has contact information (e.g. an hCard 1.0) and a visible public key on it
- they bookmark each others URLs
- they go to their messaging web app and create a new message, using their bookmarks for the URLs / to address
- the web app retrieves the public key from the URL and uses it to encrypt the message before sending it.
- each receives a message from the other and is able to use their messaging web app to decrypt and read it.
Real world publishing examples of public keys on public web pages.
personal home page
Example URL: Matthias Ries
Note: the page has an hCard 1.0 of the individual, but no 'key' property. However, inside that hCard, there is the following:
<div class="signature"> <pre> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.9 (GNU/Linux) mQGiBEl2HAgRBAC9IZGQE3NRWFoXV7CcVRbo7xMe+nGPRMTOocA0pcv9N67R6CAZ ... -----END PGP PUBLIC KEY BLOCK----- </pre> </div>
- inside a <pre> inside a <div> with class name "signature
If the author used the class name "key" instead of (or in addition to) the class name "signature", then it would be recognized as a plain text 'key' property value in his hCard.
Example URL: http://bentrem.net/
Note: the page has three hCards for the individual, but no 'key' property. Just after the last hCard, there is the following:
<center> <div class="scrollbox" style="height: 7.5em;"> <pre> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.4 (MingW32) <font size="-6"> mQGiBESzvlsRBACzsDol94Pua0ggzSsLa35K9pQoPJHWg2YgpNp5wWC9/oruQaNF ... </font> -----END PGP PUBLIC KEY BLOCK----- </pre> </div></center>
- inside a <pre>
- BEGIN PGP header and Version are directly in the pre tag
- actual base64 key text is inside a nested <font> tag
Example(s) of a public key published on a profile page with other information, e.g. in a personal page at an institution or on a social network or other content hosting service.
Example URL: http://eclipse.wells.edu/badams/contact/
Note: The page has an hCard 1.0 of the individual with a 'key' property!
<div id="hcard-Bryant-E-Adams" class="vcard"> <a class="url fn n" href="http://eclipse.wells.edu/badams"> <span class="given-name">Bryant</span> <span class="additional-name">E</span> <span class="family-name">Adams</span> </a> ... <h2>GPG/GnuGP Public Key</h2> (<a href="../resources/badams_0F87773F.asc" rel="self">download</a>) <h3>For email sent to/from <a href=“mailto:badams.gpg+0x20”>bad ams.gpg+0x20 (at) gmail (dot com)</a></h3> <pre><tt> <span class="key"> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org mQENBE4sjPMBCAC0ublKPnsdwD9B71bygmwVxn3hX6zw4H2Qlc6wPc0/OepjqVyq ... -----END PGP PUBLIC KEY BLOCK----- </span> </tt></pre> </div>
- profile info in hCard 1.0
- link to downloadable .asc public key with
- entire visible public key including BEGIN PGP header inside a <pre><tt><span class="key">
Example URL: claimID : Brandon B
Note 2: Page has an abusive invisible content div (with visibility:hidden; position:absolute) aimed at crawlers (id="crawler_text"), presumably search engines in particular, since it abuses h1 tags:
<div id="crawler_text" style="visibility:hidden; position:absolute;"> <h1>Brandon B</h1> <h1>Caedis, Caedis_Hax, CaedisHax, Cædis_Hax, Daedalus, DaedalusXero, Dædalus</h1> <h1>Texas</h1> <h2>"There are no coincidences, only the illusion of coincidence" The information below may be used to verify my signatures and encrypt communications to me. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.6 (GNU/Linux) mQGiBEgIJGYRBAC54vZVXjK5l4VRSiUC6XGMgEOjEFgWvruVr/PXBk0hbn...</h2> <h3>ClaimID is a simple way to manage your online identity. This is the claimID page of Brandon B. </h3> </div>
Ellipsis in original.
And here's the complete and visible PGP PUBLIC KEY BLOCK:
<p> The information below may be used to verify my signatures and encrypt communications to me. <p> <p> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.6 (GNU/Linux) <p> mQGiBEgIJGYRBAC54vZVXjK5l4VRSiUC6XGMgEOjEFgWvruVr/PXBk0hbnZ47D8j ... -----END PGP PUBLIC KEY BLOCK-----</span></div> <div style="text-align:center;">
Note: the </span></div> at the end are markup errors, and the <div style="text-align:center;"> auto-closes the p tag around the actual PGP public key block.
It's not clear if the markup around the public key is added by the site, or was added by the user entering information in to a generic notes/info field, or if the p tags in particular were added by the site to represent blank lines entered by the user.
- BEGIN PGP PUBLIC KEY BLOCK and Version header is in its own paragraph tag from the actual base64 test.
- end of key is implied by an invalid close span tag.
key on its own page
Separate page for a key, rather than inside or a part of a profile or contact information.
armored OpenPGP format
Example URL: PGP Public Key for Alan Eliasen
<H2>Public Key</H2> <PRE> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.12 (GNU/Linux) mQGiBD0ZXm4RBADS59M4Dy4aOBUA59mKkNg+bWqeKenYs+zTk7O8QKfqgKxLBNya ... -----END PGP PUBLIC KEY BLOCK----- </PRE> <P> This is also available in a <A HREF="pgp.txt">plaintext file</A>. </P> <H2>Importing My Key</H2> <P> The simplest way from an e-mail client (like Enigmail) is to simply e-mail <A HREF="pgp.txt">the plaintext version of my key</A> to your own e-mail address and choose the option like "Import PGP Key." My key is also available from <A HREF="http://pgp.mit.edu/">pgp.mit.edu</A> (interactively.) </P>
- raw key in a PRE block
- link to plain text version of key
- (human) discovery for an email client
- alternative key server for key (human search required at destination)
PGP PUBLIC KEY BLOCK
Example URL: Folsom's Public Key
<pre> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> mQGiBDheqqARBAD//2FUIkCc9ITtszMh70nFmTOj/YWWi3Kk4aumxuAhgGeEwAFX ... -----END PGP PUBLIC KEY BLOCK----- </pre>
- raw key in a PRE block
short name of example
Linked full name of example
<div> raw, unescaped markup of example </div>
Analysis of implied schema of example.
- Summary of common patterns discovered
- common implied schema
(template boilerplate) Other attempts to solve The Problem
- *-formats page
(template boilerplate) Link to related pages as they become available
- *-brainstorming page
- proposal page
- microformat spec page