Re: [openpgp] Registration of the 'proof' notation

Wiktor Kwapisiewicz <wiktor@metacode.biz> Sun, 04 October 2020 19:50 UTC

To: Jon Callas <joncallas@icloud.com>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
References: <fd255115-b047-ca6a-9ce9-b2f30b0b459d@metacode.biz> <7500A2C4-A42F-4FD0-8957-86E5593FA05F@icloud.com> <bdf7df48-1693-d3f8-2468-76d92b8a6bba@metacode.biz> <2814B597-AAB0-4D3E-8DE2-AE6CF2615CE2@icloud.com>
From: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Organization: Metacode
Message-ID: <91dea21f-0b3e-7e6a-b4df-30bc4433be89@metacode.biz>
Date: Sun, 04 Oct 2020 21:50:19 +0200
MIME-Version: 1.0
In-Reply-To: <2814B597-AAB0-4D3E-8DE2-AE6CF2615CE2@icloud.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ZdzPAnODwbP-PKpskOed3Bs8SOM>

Hi Jon,

On 04.10.2020 01:03, Jon Callas wrote:
> The definition of a User ID is intentionally that it's just a string and is by convention an email address. There's no reason you can't do what you said or even "twitter:@user" and just have it be a User ID. That's completely covered by 4880.

Thanks for the confirmation.

As for "https://twitter.com/user" vs "twitter:@user" I did lean towards
the former only due to my standards-paranoia: not to invent URI schemes
but to use ones that are already registered [0]. Of course both formats
would work just fine.

[0]: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

> Okay, so that says that it could just be a User ID. Why not?

In the latest design I chose notations instead of User IDs out of
practical considerations:

  - while fetching the key over WKD, GnuPG will strip them,
  - they will be stripped by some keyservers like keys.openpgp.org,
  - I don't want them to be signed by others.

The last point may be something that's more personal than technical,
but having a User Attribute on my key and seeing people blindly signing
it made me think that the social proofs should only be checked against
the target social site.

In my opinion there is no benefit for others signing Twitter handles but
the social proof design doesn't depend on the place where the proof is
stored.

> Today, there are a lot of ways that one can take standard parts and put them together in reasonably obvious ways -- like my suggestion of clear signing a text-based structure, like YAML, JSON, etc. It just works, and you can write your own document about what the structure means.

Yes, clearsigning a document with a well-known format is actually a very
nice technique I've been considering for other uses (like voting or
assigning permissions etc.).

> In PGP days, we ended up doing a lot of work where we wanted to have a complex email with embedded attachments (like pix) be encrypted and signed. The OpenPGP/MIME documents are simple, elegant, and allow one to format the MIME in a lot of ways. To get now-modern MUAs to reassemble the message the right way, dropping the pictures in the text in the right places, all the parts had to be assembled just the right way. So we documented what we'd found and used a notation to let a key declare, "if you send me MIME this way, I can make it look pretty." We thus didn't need to have a standards discussion, we could just do it.

I think you're referring to the
"preferred-email-encoding@pgp.com=pgpmime" notation. This was the first
instance of a notation I've seen in the wild and I wondered why
notations are so grossly underused :)

> There's a lot to be said for innovating in a way that doesn't break other people, and if it becomes popular, *then* standardize it. (And of course, accept the cost of migrating one's things to the standard one inspired.)

Well said. I'm pondering the feedback loop between the standards and
implementors. I've seen it first-hand while developing this little
proof-of-concept that the implementation frequently influenced the design.

> No problem and please keep us all informed. This is interesting and cool and it's nice that you let us know what you're up to.

This idea is already being used by other parties to provide something
akin to a profile page generated purely from the OpenPGP key in the browser:

https://keyoxide.org/9f0048ac0b23301e1f77e994909f6bd6f80f485d

What I find especially fascinating is that the OpenPGP key can be used
as a root of trust to verify other keys of the user, including XMPP OMEMO
keys (that is, a Signal-like protocol with forward secrecy for XMPP) or
things that are not social profiles, such as Bitcoin addresses. As all of
them are URIs this still uses the same design (of course the
verification procedure varies).

> It sounds like you're doing some awesome innovative things.

Thanks Jon, I appreciate the kind words, especially when they come from a
renowned standards expert.

Regards,
Wiktor

-- 
https://metacode.biz/@wiktor
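As an added example (not code from this thread or from Wiktor's proof-of-concept), the following Python parses the signature subpacket area where such notations live (RFC 4880 section 5.2.3.16, subpacket type 20), extracts the proof URIs and splits off their URI scheme, which makes the "https://twitter.com/user" vs "twitter:@user" distinction above visible to a verifier. It assumes the full notation name is `proof@metacode.biz` (the message only says 'proof'; user-space notation names take the name@domain form), and all sample subpackets are constructed inline.

```python
import struct
from urllib.parse import urlsplit

# RFC 4880 5.2.3.16 notation body: 4 octets flags, 2 octets name length,
# 2 octets value length, then name and value.
NOTATION_SUBPACKET = 20
HUMAN_READABLE = 0x80000000
PROOF_NOTATION = "proof@metacode.biz"  # assumed full name of the 'proof' notation

def encode_notation(name, value):
    """Constructed sample input: one-octet length form, so total < 192 octets."""
    n, v = name.encode(), value.encode()
    body = struct.pack(">IHH", HUMAN_READABLE, len(n), len(v)) + n + v
    return bytes([1 + len(body), NOTATION_SUBPACKET]) + body

def parse_subpackets(area):
    """Yield (type, body) per subpacket; handles the 1-, 2- and 5-octet
    length forms of RFC 4880 5.2.3.1 and rejects truncated areas."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # bit 7 is the critical flag
        i += length

def decode_notation(body):
    flags, nlen, vlen = struct.unpack(">IHH", body[:8])
    if len(body) != 8 + nlen + vlen:
        raise ValueError("notation length fields do not match body")
    name = body[8:8 + nlen].decode("utf-8")
    value = body[8 + nlen:]
    return name, value.decode("utf-8") if flags & HUMAN_READABLE else value, flags

def proof_uris(area):
    """Return (scheme, uri) for every human-readable proof notation found."""
    found = []
    for ptype, body in parse_subpackets(area):
        if ptype == NOTATION_SUBPACKET:
            name, value, flags = decode_notation(body)
            if name == PROOF_NOTATION and flags & HUMAN_READABLE:
                found.append((urlsplit(value).scheme, value))
    return found

# Constructed sample area: the pgpmime notation mentioned above plus two proofs.
SAMPLE_AREA = (encode_notation("preferred-email-encoding@pgp.com", "pgpmime")
               + encode_notation(PROOF_NOTATION, "https://twitter.com/user")
               + encode_notation(PROOF_NOTATION, "twitter:@user"))
```

A verifier would then dispatch on the scheme (fetching the https URI, resolving the dns one, and so on) rather than on the notation name alone.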