I'll be attempting to formally submit some "OpenPGP-*" mail & news header definitions to IETF. I'd like to first submit this *rough* draft here. Please send comments to 0. Preface These headers should be considered "informational", and apply to both mail and netnews messages. These headers should be used to provide information about the senders OpenPGP key. Zero or more of these headers MAY be used in any message. Each one of these headers SHOULD NOT appear more than once in a message header. 1. "OpenPGP-Key" Header This header is intended to present characteristics of the key, such as the primary key ID, algorithm and size. 1.1. "OpenPGP-Key" Header Fields This header may consist of one or more fields. Each field MUST be presented in the format: name=data The names of each field are defined below, the value will be dependent of the key being identified. Spaces (and/or tabs) MUST NOT be in any data. Currently three fields are defined, as follows: 1.1.1. Primary Key ID Field (id) This header, if present, MUST define the primary key ID. The key ID SHOULD be prefixed with "0x", and MUST be identified as "id=???", where "???" is the hexadecimal key ID. The key ID SHOULD be presented either in either long (16 character) or short (8 character) hexadecimal notation, but MAY be presented as a 40 character (32 character, for v3 keys) fingerprint. Optionally, add the two prefix characters, "0x". The key ID MUST NOT contain spaces. 1.1.2. Primary Key Algorithm Field (algo) This header, if present, MAY define the algorithm of the primary key. The algorithm of the primary key, if presented here, MUST be presented as "algo=???", where "???" is the algorithm id number as defined in RFC2440:9.1 (Public Key Algorithms). 1.1.3. Primary Key Size Field (size) This header, if present, MAY define the size of the primary key. The size of the primary key, if presented here, MUST be presented as "size=???", where "???" is the number of bits in the key's modulus (typical sizes are 1024, 2048, 4096). 1.2. Multiple Fields Within The "OpenPGP-Key" Header The different fields defined for this header MUST be separated by a semi-colon (;): OpenPGP-Key: name1=value1 ; name2=value=2 If this header is present, it MUST identify the key ID field (id) and MAY define the algorithm field (algo) and/or size field (size). No other fields are defined for this header. 1.3. Examples All four of the following examples are valid and refer to the same key. OpenPGP-Key: id=0xD9F57808 ; algo=1 ; size=4096 OpenPGP-Key: id=0xD9F57808 OpenPGP-Key: id=0xB88D52E4D9F57808 OpenPGP-Key: id=0xB88D52E4D9F57808 ; algo=1 ; size=4096 2. "OpenPGP-Fingerprint" Header This header is intended to present a key's fingerprint. 2.1. Fingerprint Size Key fingerprint MUST be identified by a 160 bit fingerprint for v4 keys (128 bit, for v3 keys), represented in hexadecimal notation. 2.2.1. Presentation Without Spaces (0x Prefix) Fingerprints MAY be presented without spaces: If this format is used, fingerprints MUST be prefixed with "0x". 2.2.2. Presentation With Spaces Fingerprints MAY be presented with spaces: If this format is used, fingerprints MUST be contained inside double quotes ("). 2.3. Examples Both of the following examples are valid and refer to the same key. Note that the first example is prefixed with "0x". Note that the second example presents the fingerprint within double quotes. OpenPGP-Fingerprint: 0x762A3B98A3C396C9C6B7582AB88D52E4D9F57808 OpenPGP-Fingerprint: "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808" 3. "OpenPGP-URL" Header This header is intended to present an HTTP or FTP URL where the public key may be found. The URL MUST be fully qualified and SHOULD be accessible on the public Internet. 3.1. Example OpenPGP-URL: http://atom.smasher.org/pgp.txt 4. Notes There are quite a few PGP & GnuPG users who add these types of headers, but they lack standardization, making them useless to automatically parse. Since both PGP and GnuPG rely on the OpenPGP protocol (RFC 2440), it seems best to use headers that specify "OpenPGP" rather than "PGP", or "GPG": The latter forms seem like underhanded attempts to advocate specific applications, rather than the open standard they both share. 5. Security Considerations These headers are intended to be a convenience in locating public keys: They are neither secure nor intended to be. Since header information is easy to spoof, information contained in headers should not be trusted: That information must be verified. How the information is verified is left as an exercise for the reader. draft 0.1 Tue Aug 10 02:02:36 EDT 2004