key examples

From Microformats Wiki
key-examples
Jump to navigation Jump to search


This page documents existing real world publishing examples of public keys in the hope of analyzing them to see if / how to better fit existing publishing practices of public keys, either with hCard 1.0's 'key' property, or possibly other solutions.

Related: provide input to W3C Crypto API Issue 14: Representation of raw key material

Particularly interesting examples: Nick Doty publishes his public key fingerprint as the 'key' property on his home page (linking to his public key at a separate URL), and Prof. Adams of Wells College publishes his public key as the 'key' property of his hCard 1.0 on his contact page. Both Operator Firefox plugin and H2VX find the hCard key property and convert it to the key property in a vCard, importable into any Address Book that supports vCard's key property.

The Problem

A user wants to share their public key on the web. What's the best way to do this?

To answer that question, this page researches existing publishing practices to see if there are patterns or exemplary examples, or if we can use them to figure out a recommended way to publish public keys on web pages.

Use Cases

meeting someone and sending private messages

Two people meet and exchange their personal URLs in the hopes of communicating later, and encrypting said communications.

  • two people meet
  • they exchange personal URLs
  • each (perhaps later) browses the others' URL on their device
  • the page clearly has contact information (e.g. an hCard 1.0) and a visible public key on it
  • they bookmark each others URLs
  • they go to their messaging web app and create a new message, using their bookmarks for the URLs / to address
  • the web app retrieves the public key from the URL and uses it to encrypt the message before sending it.
  • each receives a message from the other and is able to use their messaging web app to decrypt and read it.

possible threats

Implementations would need to be aware and careful about:

fake key updates
  • if the browser is going to offer to import contacts, particularly with keys, that the source and provenance of those keys is well understood. It's one thing to go to keyserver/directory, its another to be lead to phishme.example.com which attempts to update all of your contacts with keys held by evil-repressive-government.example.com - originally provided by rsleevi in #crypto on W3C IRC 2012-341.
--- other threats ---
  • ...

Real-World Examples

Real world publishing examples of public keys on public web pages.

personal home page

Nick Doty

In the wild:

Note: the page has an hCard 1.0 of the individual with a 'key' property containing a public key fingerprint:

<a class="key" href="npdoty.asc">
EFAA&nbsp;3954&nbsp;C83F&nbsp;20F2&nbsp;0DF0 
E0EA&nbsp;4020&nbsp;3EE9&nbsp;0BBA&nbsp;B306
</a>

Whitespace added.

The destination of the hyperlink "npdoty.asc" is a text file with a Base64 public key block:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (Darwin)

mQENBErJM6oBCAC7NG5NZ5kiJg+KTTaIDjX9BU8bc7FI5a2zCYc3p9eikJfyyZYM
...
sWbckvcIjJRcAtRliKbAf+KjplbcEIzt+kxmweE5XeKvDFtzAD041FGAphIkKcuu
IAzL+XcMWzc3DA==
=+ojz
-----END PGP PUBLIC KEY BLOCK-----

Ellipsed.

Matthias Ries

In the wild:

Note: the page has an hCard 1.0 of the individual, but no 'key' property. However, inside that hCard, there is the following:

<div class="signature">
 <pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQGiBEl2HAgRBAC9IZGQE3NRWFoXV7CcVRbo7xMe+nGPRMTOocA0pcv9N67R6CAZ
...
-----END PGP PUBLIC KEY BLOCK-----
 </pre>
</div>

Ellipsis added.

  • inside a <pre> inside a <div> with class name "signature

If the author used the class name "key" instead of (or in addition to) the class name "signature", then it would be recognized as a plain text 'key' property value in his hCard.

Ben Tremblay

In the wild:

Note: the page has three hCards for the individual, but no 'key' property. Just after the last hCard, there is the following:

<center>
<div class="scrollbox" style="height: 7.5em;">
<pre>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.4 (MingW32)

<font size="-6">
mQGiBESzvlsRBACzsDol94Pua0ggzSsLa35K9pQoPJHWg2YgpNp5wWC9/oruQaNF
...

</font>
-----END PGP PUBLIC KEY BLOCK-----
</pre>
</div></center>
  • inside a <pre>
  • BEGIN PGP header and Version are directly in the pre tag
  • actual base64 key text is inside a nested <font> tag


profile page

Example(s) of a public key published on a profile page with other information, e.g. in a personal page at an institution or on a social network or other content hosting service.

Wells College

In the wild:

Note: The page has an hCard 1.0 of the individual with a 'key' property!

<div id="hcard-Bryant-E-Adams" class="vcard">
<a class="url fn n" href="http://eclipse.wells.edu/badams">  <span class="given-name">Bryant</span>
  <span class="additional-name">E</span>
  <span class="family-name">Adams</span>
</a>
...
<h2>GPG/GnuGP Public Key</h2> (<a href="../resources/badams_0F87773F.asc" rel="self">download</a>) <h3>For email sent to/from <a href=&ldquo;mailto:badams.gpg+0x20&rdquo;>bad ams.gpg+0x20 (at) gmail (dot com)</a></h3>
  <pre><tt>
  <span class="key">
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

mQENBE4sjPMBCAC0ublKPnsdwD9B71bygmwVxn3hX6zw4H2Qlc6wPc0/OepjqVyq
...
-----END PGP PUBLIC KEY BLOCK-----
</span>
</tt></pre>
</div>

Ellipses added.

  • profile info in hCard 1.0
  • link to downloadable .asc public key with rel="self"
  • entire visible public key including BEGIN PGP header inside a <pre><tt><span class="key">

claimID

In the wild:

Note: ClaimID has hCard supporting user profiles and thus the page has an hCard 1.0 of the individual, but no 'key' property.

Note 2: Page has an abusive invisible content div (with visibility:hidden; position:absolute) aimed at crawlers (id="crawler_text"), presumably search engines in particular, since it abuses h1 tags:

  <div id="crawler_text" style="visibility:hidden; position:absolute;">
          <h1>Brandon B</h1>      <h1>Caedis, Caedis_Hax, CaedisHax, Cædis_Hax, Daedalus, DaedalusXero, Dædalus</h1>      <h1>Texas</h1>        <h2>"There are no coincidences, only the illusion of coincidence"


The information below may be used to verify my signatures and encrypt communications to me.


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)

mQGiBEgIJGYRBAC54vZVXjK5l4VRSiUC6XGMgEOjEFgWvruVr/PXBk0hbn...</h2>
    <h3>ClaimID is a simple way to manage your online identity.  This is the claimID page of 
           Brandon B.     
    </h3> 
  </div>

Ellipsis in original.

And here's the complete and visible PGP PUBLIC KEY BLOCK:

<p>
The information below may be used to verify my signatures and encrypt communications to me.
<p>
<p>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)
<p>
mQGiBEgIJGYRBAC54vZVXjK5l4VRSiUC6XGMgEOjEFgWvruVr/PXBk0hbnZ47D8j
...
-----END PGP PUBLIC KEY BLOCK-----</span></div>
  

  <div style="text-align:center;">

Ellipsis added.

Note: the </span></div> at the end are markup errors, and the <div style="text-align:center;"> auto-closes the p tag around the actual PGP public key block.

It's not clear if the markup around the public key is added by the site, or was added by the user entering information in to a generic notes/info field, or if the p tags in particular were added by the site to represent blank lines entered by the user.

  • BEGIN PGP PUBLIC KEY BLOCK and Version header is in its own paragraph tag from the actual base64 test.
  • end of key is implied by an invalid close span tag.

key on its own page

Separate page for a key, rather than inside or a part of a profile or contact information.

armored OpenPGP in HTML

In the wild:

Typical markup:

<H2>Public Key</H2>
  <PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)

mQGiBD0ZXm4RBADS59M4Dy4aOBUA59mKkNg+bWqeKenYs+zTk7O8QKfqgKxLBNya
...

-----END PGP PUBLIC KEY BLOCK-----
  </PRE>

  <P>
   This is also available in a <A HREF="pgp.txt">plaintext file</A>.
  </P>

  <H2>Importing My Key</H2>
  <P>
   The simplest way from an e-mail client (like Enigmail) is to simply e-mail
   <A HREF="pgp.txt">the plaintext version of my key</A> to your own e-mail
   address and choose the option like "Import PGP Key."  My key is also
   available from <A HREF="http://pgp.mit.edu/">pgp.mit.edu</A>
   (interactively.)
  </P>

Ellipsis added.

  • raw key in a PRE block
  • link to plain text version of key
  • (human) discovery for an email client
  • alternative key server for key (human search required at destination)

PGP PUBLIC KEY BLOCK in PRE

In the wild:

Typical markup:

<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use &lt;http://www.pgp.com&gt;

mQGiBDheqqARBAD//2FUIkCc9ITtszMh70nFmTOj/YWWi3Kk4aumxuAhgGeEwAFX
...
-----END PGP PUBLIC KEY BLOCK-----
</pre>

Ellipsis added.

  • raw key in a PRE block

Key in PRE with SPAN per line

In the wild:

Typical markup:

<pre><code class=''><span class='line'>-----BEGIN PGP PUBLIC KEY BLOCK-----
</span><span class='line'>Version: GnuPG v1.4.10 (GNU/Linux)
</span><span class='line'>
</span><span class='line'>mQINBEur2SoBEAC3dtJdKEh+fmH4Lc4U69bq8GcDzyYqbSDHcMfADXpMJhOVOhwH
</span>
...
<span class='line'>F5FOeTayIA==
</span><span class='line'>=rqth
</span><span class='line'>-----END PGP PUBLIC KEY BLOCK-----
</span></code></pre>
  • pre code elements enclosing the whole thing including BEGIN PGP and Version header
  • <span class='line'> element around every line

Blog post with public key block

In the wild:

separate page inside university user account home dir

In the wild:

Typical markup:

 <p><font face="Courier New" size=1>Type Bits/KeyID&nbsp; &nbsp; Date&nbsp; &nbsp; &nbsp;  User ID<br>
pub&nbsp; 1024/8559BF09 1995/10/09 Robert Elden Wilson &lt;rewilson@ncinter.net&gt;<br><br>
-----BEGIN PGP PUBLIC KEY BLOCK-----<br>
Version: 2.6.3a<br>
Comment: Processed by PGPClick 3.0<br>
<br>
mQCNAzB5ouMAAAEEAK/qLzp6NeqBIUxvZN3KUYjn6wnxw6D1R1QYHhi0AAmMLb4a<br>
9uiip14moSIEPVSz8jal2YoJ3B3R3zhWPa/dasF8STA2uhNDz7/NHBLCd5tyNoTb<br>
...
=o1W7<br>
-----END PGP PUBLIC KEY BLOCK-----</font></p>
  • uses font face Courier and br elements instead of a <pre> tag
  • type bits etc. included in addition to usual BEGIN PGP header

= plain text file linked from person site home page

Example URL: http://www.ufoot.org/ links to http://www.ufoot.org/ufoot.pub

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDxZRPIRBACxPI8ZYEtkIGUliwLanAlZbIqVCI38d/SONo8MS3VUZkO82XRo
...
8WS09vXAVscm06crf40AmQFxEIui1lRKOY7f/fRVkcA1TRyu
=MZu7
-----END PGP PUBLIC KEY BLOCK-----
  • no markup
  • just the BEGIN PGP and Version header and base64 key text
  • linked from top of personal site

plain text file linked from institution profile page

Example URL: http://www.w3.org/People/Bos/bert-pubkey.txt

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGhBDppjAcRBAC7yYqRN+qeCgf20PoQYTtHO9ro/kHEADEpQPjlGRyrsQ/wttnm
...
=yaAL
-----END PGP PUBLIC KEY BLOCK-----
  • no markup
  • just the BEGIN PGP and Version header and base64 key text
  • linked from the parent directory - http://www.w3.org/People/Bos/ - with link text "GPG key"

short name of example

Linked full name of example

<div>
raw, unescaped markup of example
</div>

Analysis of implied schema of example.

Institutions

Sites/pages of institutions which include multiple keys on a single page.

ICAAN

Example URL: http://www.icann.org/en/contact/pgp-keys

  <div class="field field-name-body field-type-text-with-summary field-label-hidden clearfix">
    <div class="field-items">
          <div class="field-item even" property="content:encoded"><p><a name="MehmetAkcin" id="MehmetAkcin"></a><strong>Mehmet Akcin</strong></p>
<p class="keys">-----BEGIN PGP PUBLIC KEY BLOCK-----<br />
	Version: GnuPG v2.0.10 (Darwin)
</p><p class="keys">mQINBEmlow4BEACag9QwKzm7RL5ULqew0XJbAipwy32Xb2RPVgbDVGqIsVzFCXD9<br />
	ykGnwYm+CcyBj9Z1cGzQovRZU9cni0yf7YYciM6TTmjqROz3WWuxIseuLphEtNu2<br />
...
	=KgTO<br />
	-----END PGP PUBLIC KEY BLOCK-----</p>
...
<p><a name="KentCrispin" id="KentCrispin"></a><strong>Kent Crispin (Office Key) &lt;kent@icann.org&gt;:</strong></p>
<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (GNU/Linux)

mQELBEE2SKkBCADMmf+17NnaXzYtSKvYNUjSKFGbKF50Utds2BK+AjUzFIORpJdU
...
=EsaL
-----END PGP PUBLIC KEY BLOCK-----
</pre>
<p><strong><a name="dnssec-public" id="dnssec-public"></a><abbr title="DNS Security Extensions">DNSSEC</abbr> Public PGP Key</strong></p>
<p class="keys">-----BEGIN PGP PUBLIC KEY BLOCK-----<br />
Version: GnuPG v1.4.5 (GNU/Linux)</p>
<p class="keys">mQGiBEdQucgRBACuD4uIRQ9Or2yKfGZtqxSd7/yp20VoZaNafP85OlJfOs9yjgdN<br />
v8kSd3+2lBXGwJxgOzkssbgZ14O1U3au494WicvR0gF7cLRZBeqpdZetpm7gl5n2<br />
...
=nIe5<br />
-----END PGP PUBLIC KEY BLOCK-----</p>

Ellipses added.

  • named anchor, full name
  • BEGIN PGP and Version header marked up with <p class="keys">...</p>.
  • separately, base64 key text marked up with <p class="keys">...</p> and lines terminated with <br />.
  • some full names parenthetically include email afterwards
  • some keys including header and base64 key text are marked up together inside a <pre> element

Common Practices

  • one <pre> element wrapping the entire BEGIN PGP and base64 block

Existing Practices

  • hCard 1.0 with 'key' property in the Wells College example seems like the best existing practice so far
  • key-formats - not sure what are the specific formats for publishing keys, i.e. where is the BEGIN PGP and base64 format described?

Brainstorming

  • key-brainstorming - for now let's use hCard 1.0 with the 'key' property and see how far we can get with that.
  • rel="key" - might be useful for linking from a home page / personal contact page to a key published in a separate plain text file.

See Also