Re: [openpgp] Overhauling User IDs / Standardizing User Attributes

Leo Gaspard <ietf@leo.gaspard.ninja> Sat, 30 June 2018 12:34 UTC

To: openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2Mf-ma-M3NBpQgSzoaCmLRJ2WGo>

On 06/29/2018 09:55 PM, Wiktor Kwapisiewicz wrote:
>> Well, User IDs are not easier to work with than User Attributes.
> 
> Leo by "are not easier to work with" did you mean "User Attributes
> *could be* as easy to work with as UIDs" if your proposal was accepted
> *and* supported by most OpenPGP software?

I should have said “User IDs are not easier to work with than specified
User Attributes”, indeed. The fact that the only specified User
Attribute is a picture User Attribute, that has little use, is something
that contributes to the bad reputation of User Attributes.

But User IDs are (binary representation aside) exactly like a User
Attribute with type -1 that would be defined as “any UTF-8 string that
more or less represents the user”. Once reworded this way, would you
still oppose the addition of more well-defined attributes? (NB: this
would be for v5 keys, so software would have to be updated anyway, and
adding a basic representation for a few UTF-8 User Attributes doesn't
sound like the biggest change in the game -- though if User IDs were
removed too, as I'd love, then this may be the biggest change, at least
for the UI side)

All I'm saying is: we should not be wary of defining User Attributes.
It's a woefully underused part of the standard, and the fact it's so
underused (and specified for a single almost-useless purpose) makes
people fear using them.

> I think the difference is quite significant (by what is working now vs
> hypothetical future).
> 
> If you mean they are easy to work with now do tell me what's that
> attribute for that I've got on my key
> (0x653909A2F0E37C106F5FAF546C8857E0D8E8F074):
> 
>   uid  [ultimate] Wiktor Kwapisiewicz <wiktor@metacode.biz>
>   uid  [ultimate] [unknown attribute of size 83]
> 
> I had a lot of questions about this attribute from other people, so it's
> not like attributes are currently "easy to work with" in my opinion.

Well, using unspecified User Attributes will get you a lot of questions
indeed. But if you started putting packets with unspecified tags on your
key you likely would break a number of tools too, that doesn't mean
packets aren't easy to work with :)

BTW, it appears to contain

openpgpid+cookie:@https://gist.github.com/wiktor-k/389d589dd19250e1f9a42bc3d5d40c16

This is a typical example of something that would deserve a *specified*
User Attribute, like
    github=wiktor-k (with type “free-form tag=value” and notation
“automated-verification-gist=389d589dd19250e1f9a42bc3d5d40c16”)

Which would display neatly on platforms that support the very simple
type=“free-form tag=value” User Attribute I'm proposing (it's UTF-8),
and be quite easy-to-understand to the end-user seeing this if there is
no support in their software for the specific “github” tag (at least
more than the openpgpid+cookie URL).

Actually the “free-form tag=value” is really the most important type of
User Attribute I'm putting forward: it is a building block that is
enough for almost all other purposes, but that cannot be replicated
using only what we currently have without awful hacks (eg. storing
type=value directly in the User ID field, which is the “least bad”
option with RFC4880 as it is currently defined).
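
Added example, not part of the original message or of any OpenPGP implementation: a Python sketch of the RFC 4880 section 5.12 attribute subpacket framing, showing why a type the reader does not know can only be listed by size while a UTF-8 tag=value type can be shown as text. Type number 100 (from the private/experimental range) standing in for the proposed "free-form tag=value" type, type 101 as an unassigned type, and the byte layout of the sample are assumptions.

```python
import struct
IMAGE = 1        # the only attribute subpacket type RFC 4880 specifies
TAG_VALUE = 100  # ASSUMPTION: stand-in number for the proposed tag=value type

def encode_subpacket(sp_type, data):
    n = len(data) + 1  # the length field also covers the type octet
    if n < 192:
        header = bytes([n])
    elif n < 8384:
        header = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        header = b"\xff" + struct.pack(">I", n)
    return header + bytes([sp_type]) + data

def parse_user_attribute(body):  # packet body -> list of (type, data)
    subpackets, i = [], 0
    while i < len(body):
        first = body[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + body[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", body[i + 1:i + 5])[0], i + 5
        if n < 1 or i + n > len(body):
            raise ValueError("subpacket length overruns the packet")
        subpackets.append((body[i], body[i + 1:i + n]))
        i += n
    return subpackets

def render(body):  # one display line per subpacket, as a key listing might
    try:
        subpackets = parse_user_attribute(body)
    except (ValueError, IndexError, struct.error):
        return ["[malformed attribute of size %d]" % len(body)]
    lines = []
    for sp_type, data in subpackets:
        text = data.decode("utf-8", "replace")
        if sp_type == TAG_VALUE and "=" in text and text.isprintable():
            lines.append(text)  # only printable UTF-8 reaches the terminal
        elif sp_type == IMAGE:
            lines.append("[image attribute of size %d]" % len(data))
        else:
            lines.append("[unknown attribute of size %d]" % len(data))
    return lines

# Constructed sample: the two strings quoted in the message, type 101 unassigned.
GIST = b"openpgpid+cookie:@https://gist.github.com/wiktor-k/389d589dd19250e1f9a42bc3d5d40c16"
SAMPLE = encode_subpacket(TAG_VALUE, b"github=wiktor-k") + encode_subpacket(101, GIST)
```

render(SAMPLE) lists the tag=value subpacket as text and the unassigned-type one only by its size; truncated input and values containing control characters are never printed as text.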