Internet DRAFT - draft-boese-vcarddav-signedvcard
draft-boese-vcarddav-signedvcard
vcarddav D. Boese
Internet-Draft
Intended status: Standards Track
Expires: Apr 22, 2014 Oct 21, 2013
vCard Format Extensions : Signed vCards
draft-boese-vcarddav-signedvcard-03
Abstract
The base vCard 4.0 specification defines a large number of properties.
This specification adds two new parameters and six new properties to
vCard 4.0, which allow the use of cryptography and public-key
infrastructure (PKI) for identity assertion.
Note
Discussion and suggestions for improvement are requested, and should
be sent to vcarddav@ietf.org.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 9, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Boese Expires April 22, 2013 [Page 1]
�
Internet-Draft Signed vCards October 2013
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. Terminology Used in This Document
2. Version Extension
3. Identification Parameter Extensions
3.1. Parameter: CONFIDENCE
3.2. Parameter: DATE
4. Identification Property Extensions
4.1. Property: PREFERRED-ID
4.2. Property: AUTHORITY
4.3. Property: SOCIALMEDIA
4.1. Property: HASH
4.2. Property: HASHKEY
4.3. Property: HASHLIST
5. Example: Author's vCard
6. Security Considerations
7. IANA Considerations
8. Acknowledgements
9. Normative References
Authors' Addresses
1. Introduction
The base vCard 4.0 specification defines a large number of properties.
This specification adds two new parameters and six new properties to
vCard 4.0, which allow the use of cryptography and public-key
infrastructure (PKI) for identity assertion.
Online identities are often much more complicated than having a single
email address in one's PGP key identity field, and adding a
surprisingly small number of items to the vCard format can allow for
vCards to cover a much more comprehensive range of them.
vCard is the source for several other formats, such as hCard and jCard,
which contain the same information in a different format. This creates
some difficulty in writing a canonical text-string to compare against a
cryptographic hash. This problem is solved by including enough
information to reconstruct a partial vCard, no matter what format that
information is saved in; and that partial vCard will be what is
compared against the hash.
Boese Expires April 22, 2013 [Page 2]
�
Internet-Draft Signed vCards October 2013
Several other properties and parameters are added, to make it easier for
users to assert various aspects of their identity, to revoke other
aspects, and to integrate with webs-of-trust, up to the point of Signed
vCards being able to be used as the basis for an ad-hoc mesh-networked
certificate authority system. (A protocol based on webfist, but without
webfist's reliance on DKIM-verified email addresses as identification
strings, is one possibility.)
1.1. Terminology Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Syntax specifications shown here use the augmented Backus-Naur Form
(ABNF) as described in [RFC5234], and are specified as in the base
vcard specification [RFC6350].
2. Version Extension.
Simplistically, Signed vCards have an 's' in the version number.
More complicatedly: The 's' is meant as a signal that a vCard
interpreter needs to include crypto libraries to fully interpret all
the information in the vCard. Thus, a vCard which is compatible with
the fields here MAY have an 's'; a vCard which includes the HASH
property MUST have an 's'. In order to prevent confusing a revocation
of a part of an identity with an assertion, a vCard which uses a
negative number in a CONFIDENCE field also SHOULD have an 's'.
3. Identification Parameter Extensions
3.1. Parameter: CONFIDENCE
Namespace:
Parameter name: CONFIDENCE
Purpose: To specify the confidence of the authority that the
information of the given parameter is accurate, measured in decibans.
Value type: A single number, usually an integer.
Boese Expires April 22, 2013 [Page 3]
�
Internet-Draft Signed vCards October 2013
Description:
In order to avoid the problems of mixing up 99.9999999999% confidence
with 99.999999999% confidence, the CONFIDENCE parameter uses a
logarithmic scale instead of a linear one.
A deciban is 10 times the base 10 log of the odds. n decibans means
odds of 10^(n/10) to one.
A CONFIDENCE value of 0 decibans indicates odds of 1:1 (ie, 50%) that
the information is correct. A change of 10 decibans changes the odds by
a factor of 10; 10 decibans means 1:10 odds (~90%), 20 decibans 1:100
odds (~99%), -10 decibans 10:1 odds against (~10%). A change of 1
deciban is roughly equivalent to changing the odds by a factor of 5:4.
Given human factors, it is rare for hand-typed data to be able to have
a CONFIDENCE that every single bit is accurate of more than 50
decibans. Without getting into the details of recursion, and given that
at least one out of roughly ten billion people is thoroughly
disconnected from reality, it's very difficult for a human to have more
than 100 decibans of confidence in anything, even that H2O is a useful
description of water or that the subjective reality they are
experiencing is connected to the same subjective reality experienced by
other humans.
Here is a table covering enough integer deciban values to allow for
easy reference.
Decibans / Level of belief / Rough Odds / notes
-30 / 0.1% / 1:1,000
-20 / 1.0% / 1:100
-10 / 9.9% / 1:10
-9 / 11.2% / 1:8
-8 / 13.7% / 1:6
-7 / 16.7% / 1:5
-6 / 20.0% / 1:4
-5 / 24.0% / 1:3
-4 / 28.5% / 2:5 / a reasonable doubt
-3 / 33.3% / 1:2
-2 / 38.7% / 2:3 / probable cause
-1 / 44.3% / 4:5
0 / 50.0% / 1:1 / neither belief nor disbelief; agnosticism
1 / 55.7% / 5:4, 1.25:1 / preponderance of the evidence
2 / 61.3% / 3:2, 1.5:1
3 / 66.6% / 2:1 / clear and convincing evidence
4 / 71.5% / 5:2, 2.5:1
5 / 76.0% / 3:1 / beyond a reasonable doubt, 1 standard deviation
Boese Expires April 22, 2013 [Page 4]
�
Internet-Draft Signed vCards October 2013
6 / 80.0% / 4:1
7 / 83.3% / 5:1
8 / 86.3% / 6:1
9 / 88.8% / 8:1
10 / 90.9% / 10:1
11 / 92.6% / 25:2, 12.5:1
12 / 92.5% / 15:1
13 / 95.2% / 20:1 / 2 standard deviations
14 / 96.2% / 25:1
15 / 96.8% / 30:1
16 / 97.6% / 40:1
17 / 98.0% / 50:1
18 / 98.4% / 60:1
19 / 98.8% / 80:1
20 / 99.0% / 100:1
26 / 99.7% / 400:1 / 3 standard deviations
42 / 99.993% / 16,000:1 / 4 standard deviations
62 / 99.99994% / 1.5 million:1 / 5 standard deviations
87 / 99.9999998% / 500 million:1 / 6 standard deviations
99 / 99.99999998% / 8 billion:1
100 / 99.99999999% / 10 billion:1
116 / 99.9999999997% / 400 billion:1 / 7 standard deviations
If a user wishes to manually generate signed vCards, but does not have
much experience with mathematics, then one option to get rough
estimates of what CONFIDENCE values are appropriate could be to use
Laplace's Sunrise Formula, also known as the Rule of Succession. This
takes two pieces of input: the number of times in which something might
have gone one way or the other; and the number of times it went one
way. For example, it might be used with the number of times an email
has been received from a particular address, and the number of times
that email has been from the owner of that address instead of viral
spam. The formula produces an estimate of the odds that future trials
will go the same way, by calculating:
FutureProbability = (Successes + 1) / (TotalTrials + 2)
For the example, if one has received 1,000 emails from an address, out
of which 1 was spam, then the formula says that the future probability
will be on the order of (999+1) / (1,000+2) = 1,000/1,002. This implies
that a CONFIDENCE value based on this data would be on the order of 30
decibans - but, barring other forms of evidence, it would take around
10,000 such emails before a claim of 40 decibans of confidence would be
warranted.
Boese Expires April 22, 2013 [Page 5]
�
Internet-Draft Signed vCards October 2013
Note that this is an extremely simple formula, and there are many
better ones that can provide more accurate results, and take into
account more kinds of evidence. Any user who knows of a better method
to generate CONFIDENCE values should use those ways; the Sunrise
Formula is provided as a basis for users who have nothing else to
create estimates with.
More sophisticated Bayesian analyses can be used to create ad-hoc
certificate authority systems. This would involve one vCard with an
authority describing itself, and signing it; another vCard where that
authority issues a card describing a second entity and its key, using
the CONFIDENCE parameter to give its Bayesianically-generated level of
belief; and a third card where that second entity describes a third,
offering its CONFIDENCE level. A user with access to all the vCards
could then determine, based on its own trust-level of the root
authority, how much to trust the other entities. This trust of the
root authority could be generated either with the Sunrise Formula, or
with an analysis of web-of-trust data.
Examples:
BIRTHPLACE;CONFIDENCE=50:Winnipeg, Manitoba, Canada
ABNF:
confidence-param = "CONFIDENCE=" (INTEGER / FLOAT)
3.2. Parameter: DATE
Namespace:
Parameter name: DATE
Purpose: To identify the particular moment, or the period of time, for
which the property's value is being described.
Value type: A date, or a time, or a date-time, or a period of time
(from ISO 8601).
Description:
Assuming that the default CALSCALE, Gregorian, is in use, then this is
an ISO 8601 date, time, date-time, or period, for the property for
which is being described. Eg, if an email address is being described
for the year 2012, then the corresponding DATE could have the value
2012-01-01/P1Y.
Boese Expires April 22, 2013 [Page 6]
�
Internet-Draft Signed vCards October 2013
DATE can be combined with the existing GEO parameter for full
four-dimensional time-and-space locations, such as to indicate that a
person was in a particular place at a particular time.
CONFIDENCE and DATE can be combined for identity revocation. Eg:
EMAIL;DATE=2012-01-01/P1Y;CONFIDENCE=50:example@example.com
EMAIL;DATE=2013-01-01;CONFIDENCE=-50:example@example.com
would indicate that the given email address is/was/will-be in use for
all of 2012, but cease to be used as of 2013.
If a non-Gregorian CALSCALE is being used, then the appropriate
equivalent dates, as interpreted by the vCard standard, should be used
instead.
Example:
BDAY:1990-01-01
FN;DATE=1990-01-01/2010-06-12:Jane Doe
EMAIL;DATE=P2Y/2010-06-12:janedoe@example.com
ADR;DATE=P2Y/2010-06-12:;;123 Main Street;Any Town;CA;91921-1234;U.S.A.
ANNIVERSARY:2010-06-12
FN;DATE=2010-06-12:Jane Doe Smith
ADR;DATE=2010-06-12:;;456 Blackacre Road;Any Town;CA;91925;U.S.A.
EMAIL;DATE=2010-06-12/P9M:johnandjane@example.com
EMAIL;DATE=2011-03-15:johnandjaneandrick@example.com
ABNF:
DATE-param = "DATE=" date-tag
date-tag = instant-tag / period-tag
instant-tag = date-and-or-time ; from RFC 6350 section 4.3.4
period-tag = date-and-or-time"/"date-and-or-time
/ date-and-or-time"/"duration-tag
/ duration-tag"/"date-and-or-time
/ duration-tag
Boese Expires April 22, 2013 [Page 7]
�
Internet-Draft Signed vCards October 2013
duration-tag = "P" *1(1*DIGIT"Y") *1(1*DIGIT"M") *1(1*DIGIT"D")
*1("T" *1(1*DIGIT"H") *1(1*DIGIT"M") *1(1*DIGIT"S") )
/ "P" 1*DIGIT "W"
/ "P" year month day "T" hour minute second
/ "P" year"-"month"-"day "T" hour":"minute":"second
; translation of ISO 8601 periods into ABNF
; https://en.wikipedia.org/wiki/ISO_8601#Durations
4. Identification Property Extensions
4.1. Property: PREFERRED-ID
Namespace:
Property name: PREFERRED-ID
Purpose: To list, in preferential order, which of the other fields (or
which other data) the authority suggests should be used for sorting and
identification purposes.
Value type: One or more of the following, comma-separated: The name of a
vCard property, with as many parameters are required to uniquely
identify it; or a literal string, enclosed in quotes.
Property parameters: DATE, GEO, CONFIDENCE
Description:
Given that some vCards have email addresses and some don't; some have
UIDs; some have Twitter handles; etc; there doesn't seem to be any
practical way to declare that one particular sort of field must to be
used as a canonical ID-string. Implementing full-fledged authentication
systems becomes easier by declaring which string are most useful to be
used as such.
Eg, "The UID is the preferred ID-string; but if your particular system
doesn't handle that, you could use the email address instead, or failing
that, the nickname."
As a practical example; the webfist protocol uses email addresses as
canonical ID strings, which, with a bit of hash function trickery,
allows for relatively easy lookups in the webfist ID database. Having
even just a short list of potential ID-strings could allow, if nothing
else, all of them to be hashed into a similar database, so that in the
Boese Expires April 22, 2013 [Page 8]
�
Internet-Draft Signed vCards October 2013
future, someone seeking to authenticate that identity can lookup
whichever one of those strings they happen to have available to them.
ABNF:
PREFERRED-ID-param = "VALUE=text"
PREFERRED-ID-value = component *("," component)
4.2. Property: AUTHORITY
Namespace:
Property name: AUTHORITY
Purpose: To identify which authority is the one responsible for the
vCard's data (which may or may not be the same as the person or group
described in the vCard itself, or as the person or group which
publishes the vCard).
Value type: A single text value
Description:
A text field describing the entity issuing the vCard, or who makes the
claim that the data within it is accurate. If a vCard is available
describing the authority, then if possible, the value of the AUTHORITY
field should contain an entry from the authority's card's PREFERRED-ID
property. This allows chains of vCards authenticating each other, in
the manner of certificate authorities.
ABNF:
AUTHORITY-param = "VALUE=text"
AUTHORITY-value = text
4.3. Property: SOCIALMEDIA
Namespace:
Property name: SOCIALMEDIA
Purpose: To list a social profile which the subject of the vCard is
associated with.
Value type: A URI or a text value.
Boese Expires April 22, 2013 [Page 9]
�
Internet-Draft Signed vCards October 2013
Description:
For SOCIALMEDIA, the TYPE parameter is a comma-separated list of values,
which aren't limited to a particular list, but can include "blog",
"profile", "im", the names of particular services, and so on. If the
value of SOCIALMEDIA is not a well-formed URI, but the TYPE includes a
social media service, then the value is assumed to be some form of
personal identifier (such as a username) in whatever format that social
profile provider prefers. That is, all of these would be valid:
SOCIALMEDIA;TYPE=twitter:http://twitter.com/TwitterHandle
SOCIALMEDIA;TYPE=twitter:@TwitterHandle
SOCIALMEDIA;TYPE=twitter:TwitterHandle
General recommendation: Company websites and personal homepages should
continue to use the URL property, while everything else should use the
SOCIALMEDIA property.
ABNF:
SOCIALMEDIA-param = "TYPE=" social-media-type
social-media-type = "rss" / "atom" / "feed" / "homepage" / "profile"
/ "content" / "blog" / "gallery" / text
;social-media-type MUST NOT be used with a property other than
;SOCIALMEDIA.
SOCIALMEDIA-value = text
4.4. Property: HASH
Namespace:
Property name: HASH
Purpose: Contains an ASCII-armored version of the cryptographic hash.
Value type: A single text value
Description:
An ASCII-armored hash, containing the output of an HMAC (Hash-based
message authentication code) algorithm whose input was the properties
and values listed in HASHLIST and the key in HASHKEY. If no HASHLIST
property is present, then it should be assumed that every property and
Boese Expires April 22, 2013 [Page 10]
�
Internet-Draft Signed vCards October 2013
value, save for HASH itself, are included, placed in alphabetical order.
If HASHKEY is not present, then it should be compared to an appropriate
key, such as the AUTHORITY's public key (preferably asserted in a
previous vCard with the KEY property).
ABNF:
HASH-param = "VALUE=text"
HASH-value = text
4.5. Property: HASHKEY
Namespace:
Property name: HASHKEY
Purpose: To identify the key used to generate the value of the HASH
property.
Value type: A single URI. It can also be reset to a text value.
Description:
This is nearly identity to vCard's KEY property, save for how it is
used. For example, by using the PREF parameter, it's possible to point
to multiple copies of the hashing key at different URIs, as well as
store a copy within the signed vCard itself, in case of eventual
linkrot.
Other possibilities include using ldap: URIs to point to certificates
in LDAP databases, or mid: or cid: URIs to point to keys stored in
particular messages or portions thereof.
As any given application will have different security requirements, no
particular behaviour is mandated should a HASHKEY URI be unavailable.
Cardinality: *
ABNF:
HASHKEY-param = HASHKEY-uri-param / HASHKEY-text-param
HASHKEY-value = HASHKEY-uri-value / HASHKEY-text-value
; Value and parameter MUST match.
HASHKEY-uri-param = "VALUE=uri" / mediatype-param
HASHKEY-uri-value = URI
Boese Expires April 22, 2013 [Page 11]
�
Internet-Draft Signed vCards October 2013
HASHKEY-text-param = "VALUE=text"
HASHKEY-text-value = text
HASHKEY-param =/ altid-param / pid-param / pref-param / type-param
/ any-param
4.6. Property: HASHLIST
Namespace:
Property name: HASHLIST
Purpose: A list of properties for which the cryptographic authentication
is being asserted.
Value type: A comma-separated list of property values, with as many of
the paramaters for each as are required to uniquely idenfity them.
Description:
Contains the list of property-and-parameter sets of the entries used to
create the partial vCard to compare to the HASH. If HASH is present but
HASHLIST isn't, then the set of properties is assumed to be everything
but the HASH itself.
If multiple properties of the same type are in the vCard, but not all
of them are being signed, then enough of the parameters (eg, ALTID)
should be included to differentiate which are part of the hash.
If any properties are listed on multiple lines, they should be unfolded
as given in RFC 6350 section 3.2 before being hashed.
ABNF:
HASHLIST-param = "VALUE=text"
HASHLIST-value = component *("," component)
5. Example: Author's vCard
BEGIN:VCARD
VERSION:4.0s
AUTHORITY:datapacrat@datapacrat.com
FN:Daniel Eliot Boese
N:Boese,Daniel,Eliot
NICKNAME:DataPacRat
EMAIL;PREF=1:datapacrat@datapacrat.com
Boese Expires April 22, 2013 [Page 12]
�
Internet-Draft Signed vCards October 2013
EMAIL;PREF=2:datapacrat@gmail.com
REV:20130830T120000Z
KEY;DATE=20130517;CONFIDENCE=50:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3
PREFERRED-ID:FN,NICKNAME,"datapacrat@datapacrat.com",
"datapacrat@gmail.com","datapacrat.com"
SOCIALMEDIA;TYPE=homepage:http://www.datapacrat.com/
SOCIALMEDIA;TYPE=blog:http://blog.datapacrat.com/
SOCIALMEDIA;TYPE=profile:http://blog.datapacrat.com/about/
SOCIALMEDIA;TYPE=twitter:@DataPacRat
SOCIALMEDIA;TYPE=facebook:http://www.facebook.com/DataPacRat
SOCIALMEDIA;TYPE=gallery:http://datapacrat.deviantart.com/
HASHKEY:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3
HASHLIST:EMAIL;PREF=1,AUTHORITY,KEY
HASH: iQEcBAEBAgAGBQJSISgUAAoJEBrKNlQrJtDDqz8IAKOZwtSJmfZXNcC2kDJlZz4j
Cl6lii3l2ZPoKXLLyzElGIiKEmUHJk4S1/4lEzabQkzaKsgCt3lORJuwtRKbbwVM
pKAeCTnyXMQx3XkB5lYkR2P0d93WtSBMMk/Dqz7nusdE+vUTGvbpdZMtGkus4abL
wX/Zn0k/eh3HmmfiUt/k/VQlc35ms6W/oMQVRqugfwxBSXP4gyZVadsDfvVRhYQE
3M/ry5ISzs061ljnHLX+gsBANInbipm87PruVLnoswtN+9Yh/QaRMKEKupONpRNL
yM+Mhg874bWq/II/CKIhv2fmWNX4lP0cB0Xgs/6YTWroM7NQk4iJ5dmFS3fqoEE=
=lBbY
END:VCARD
This leads to a partial vCard to hash, consisting of:
EMAIL;PREF=1:datapacrat@datapacrat.com
AUTHORITY:datapacrat@datapacrat.com
KEY;DATE=20130517;CONFIDENCE=50:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3
The KEY line should be unfolded into a single line to create the hash.
6. Security Considerations
Signed vcards can contain cryptographic hashes. Depending on which
crypto algorithms are used, these may be vulnerable to offline attacks.
Programs should check that the key used to create the hash is linked to
the appropriate authentication authority.
When creating a new vCard, whether by hand or automatically generated,
care should be taken to set appropriate CONFIDENCE values, to prevent
further vCards based on such information from over- or under-estimating
their own CONFIDENCE values.
Boese Expires April 22, 2013 [Page 13]
�
Internet-Draft Signed vCards October 2013
7. IANA Considerations
The IANA is requested to add the following entries to the vCard
Parameters registry, defined in [RFC6350] section 10.3.2.
+-----------+--------------+------------------------+
| Namespace | Property | Reference |
+-----------+--------------+------------------------+
| | CONFIDENCE | RFCXXXX, section 3.1 |
| | DATE | RFCXXXX, section 3.2 |
+-----------+--------------+------------------------+
The IANA is requested to add the following entries to the vCard
Properties registry, defined in [RFC6350] section 10.3.1.
+-----------+--------------+------------------------+
| Namespace | Property | Reference |
+-----------+--------------+------------------------+
| | PREFERRED-ID | RFCXXXX, section 4.1 |
| | AUTHORITY | RFCXXXX, section 4.2 |
| | SOCIALMEDIA | RFCXXXX, section 4.3 |
| | HASH | RFCXXXX, section 4.4 |
| | HASHKEY | RFCXXXX, section 4.5 |
| | HASHLIST | RFCXXXX, section 4.6 |
+-----------+--------------+------------------------+
8. Acknowledgements
Simon Perreault for writing the original vCard 4.0 format.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC6350] Perreault, S., "vCard Format Specification", RFC 6350,
August 2011.
Authors' Addresses
Daniel Eliot Boese
Email: datapacrat@datapacrat.com
URI: http://www.datapacrat.com
Boese Expires April 22, 2013 [Page 14]
