vcarddav                                                        D. Boese
Internet-Draft                                               Sep 9, 2013
Intended status: Standards Track
Expires: Mar 9, 2014

                 vCard Format Extensions: Signed vCards
                  draft-boese-vcarddav-signedvcard-02

Abstract

   The base vCard 4.0 specification defines a large number of
   properties. This specification adds two new parameters and six new
   properties to vCard 4.0, which allow the use of cryptography and
   public-key infrastructure (PKI) for identity assertion.

Note

   Discussion and suggestions for improvement are requested, and should
   be sent to vcarddav@ietf.org.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 9, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Boese                    Expires March 9, 2013                  [Page 1]
Internet-Draft               Signed vCards                September 2013

Table of Contents

   1.  Introduction
     1.1.  Terminology Used in This Document
   2.  Version Extension
   3.  Identification Parameter Extensions
     3.1.  Parameter: CONFIDENCE
     3.2.  Parameter: DATE
   4.  Identification Property Extensions
     4.1.  Property: PREFERRED-ID
     4.2.  Property: AUTHORITY
     4.3.  Property: SOCIALMEDIA
     4.4.  Property: HASH
     4.5.  Property: HASHKEY
     4.6.  Property: HASHLIST
   5.  Example: Author's vCard
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgements
   9.  Normative References
   Authors' Addresses

1.  Introduction

   The base vCard 4.0 specification defines a large number of
   properties. This specification adds two new parameters and six new
   properties to vCard 4.0, which allow the use of cryptography and
   public-key infrastructure (PKI) for identity assertion.

   Online identities are often much more complicated than having a
   single email address in one's PGP key identity field, and adding a
   surprisingly small number of items to the vCard format can allow for
   vCards to cover a much more comprehensive range of them.

   vCard is the source for several other formats, such as hCard and
   jCard, which contain the same information in a different format.
   This creates some difficulty in writing a canonical text-string to
   compare against a cryptographic hash. This problem is solved by
   including enough information to reconstruct a partial vCard, no
   matter what format that information is saved in; and that partial
   vCard will be what is compared against the hash.

   Several other properties and parameters are added, to make it easier
   for users to assert various aspects of their identity, to revoke
   other aspects, and to integrate with webs-of-trust, up to the point
   of Signed vCards being able to be used as the basis for an ad-hoc
   mesh-networked certificate authority system. (A protocol based on
   webfist, but without webfist's reliance on DKIM-verified email
   addresses as identification strings, is one possibility.)

1.1.  Terminology Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Syntax specifications shown here use the augmented Backus-Naur Form
   (ABNF) as described in [RFC5234], and are specified as in the base
   vCard specification [RFC6350].

2.  Version Extension

   Simplistically, Signed vCards have an 's' in the version number.

   More complicatedly: The 's' is meant as a signal that a vCard
   interpreter needs to include crypto libraries to fully interpret all
   the information in the vCard. Thus, a vCard which is compatible with
   the fields here MAY have an 's'; a vCard which includes the HASH
   property MUST have an 's'. In order to prevent confusing a
   revocation of a part of an identity with an assertion, a vCard which
   uses a negative number in a CONFIDENCE field also SHOULD have an
   's'.

3.  Identification Parameter Extensions

3.1.  Parameter: CONFIDENCE

   Namespace:

   Parameter name: CONFIDENCE

   Purpose: To specify the confidence of the authority that the
      information of the given parameter is accurate, measured in
      decibans.

   Value type: A single number, usually an integer.

   Description:

      In order to avoid the problems of mixing up 99.9999999999%
      confidence with 99.999999999% confidence, the CONFIDENCE
      parameter uses a logarithmic scale instead of a linear one.

      A deciban is 10 times the base 10 log of the odds. n decibans
      means odds of 10^(n/10) to one. A CONFIDENCE value of 0 decibans
      indicates odds of 1:1 (ie, 50%) that the information is correct.
      A change of 10 decibans changes the odds by a factor of 10;
      10 decibans means 1:10 odds (~90%), 20 decibans 1:100 odds
      (~99%), -10 decibans 10:1 odds against (~10%). A change of
      1 deciban is roughly equivalent to changing the odds by a factor
      of 5:4.

      Given human factors, it is rare for hand-typed data to be able to
      have a CONFIDENCE that every single bit is accurate of more than
      50 decibans. Without getting into the details of recursion, and
      given that at least one out of roughly ten billion people is
      thoroughly disconnected from reality, it's very difficult for a
      human to have more than 100 decibans of confidence in anything,
      even that H2O is a useful description of water or that the
      subjective reality they are experiencing is connected to the same
      subjective reality experienced by other humans.

      Here is a table covering enough integer deciban values to allow
      for easy reference.

      Decibans / Level of belief / Rough Odds / notes
      -30 / 0.1% / 1:1,000
      -20 / 1.0% / 1:100
      -10 / 9.9% / 1:10
      -9 / 11.2% / 1:8
      -8 / 13.7% / 1:6
      -7 / 16.7% / 1:5
      -6 / 20.0% / 1:4
      -5 / 24.0% / 1:3
      -4 / 28.5% / 2:5 / a reasonable doubt
      -3 / 33.3% / 1:2
      -2 / 38.7% / 2:3 / probable cause
      -1 / 44.3% / 4:5
      0 / 50.0% / 1:1 / neither belief nor disbelief; agnosticism
      1 / 55.7% / 5:4, 1.25:1 / preponderance of the evidence
      2 / 61.3% / 3:2, 1.5:1
      3 / 66.6% / 2:1 / clear and convincing evidence
      4 / 71.5% / 5:2, 2.5:1
      5 / 76.0% / 3:1 / beyond a reasonable doubt, 1 standard deviation
      6 / 80.0% / 4:1
      7 / 83.3% / 5:1
      8 / 86.3% / 6:1
      9 / 88.8% / 8:1
      10 / 90.9% / 10:1
      11 / 92.6% / 25:2, 12.5:1
      12 / 92.5% / 15:1
      13 / 95.2% / 20:1 / 2 standard deviations
      14 / 96.2% / 25:1
      15 / 96.8% / 30:1
      16 / 97.6% / 40:1
      17 / 98.0% / 50:1
      18 / 98.4% / 60:1
      19 / 98.8% / 80:1
      20 / 99.0% / 100:1
      26 / 99.7% / 400:1 / 3 standard deviations
      42 / 99.993% / 16,000:1 / 4 standard deviations
      62 / 99.99994% / 1.5 million:1 / 5 standard deviations
      87 / 99.9999998% / 500 million:1 / 6 standard deviations
      99 / 99.99999998% / 8 billion:1
      100 / 99.99999999% / 10 billion:1
      116 / 99.9999999997% / 400 billion:1 / 7 standard deviations

      If a user wishes to manually generate signed vCards, but does not
      have much experience with mathematics, then one option to get
      rough estimates of what CONFIDENCE values are appropriate could
      be to use Laplace's Sunrise Formula, also known as the Rule of
      Succession. This takes two pieces of input: the number of times
      in which something might have gone one way or the other; and the
      number of times it went one way. For example, it might be used
      with the number of times an email has been received from a
      particular address, and the number of times that email has been
      from the owner of that address instead of viral spam. The formula
      produces an estimate of the odds that future trials will go the
      same way, by calculating:

         FutureProbability = (Successes + 1) / (TotalTrials + 2)

      For the example, if one has received 1,000 emails from an
      address, out of which 1 was spam, then the formula says that the
      future probability will be on the order of
      (999+1) / (1,000+2) = 1,000/1,002. This implies that a CONFIDENCE
      value based on this data would be on the order of 30 decibans -
      but, barring other forms of evidence, it would take around 10,000
      such emails before a claim of 40 decibans of confidence would be
      warranted.

      Note that this is an extremely simple formula, and there are many
      better ones that can provide more accurate results, and take into
      account more kinds of evidence. Any user who knows of a better
      method to generate CONFIDENCE values should use it; the Sunrise
      Formula is provided as a basis for users who have nothing else to
      create estimates with.

      More sophisticated Bayesian analyses can be used to create ad-hoc
      certificate authority systems. This would involve one vCard with
      an authority describing itself, and signing it; another vCard
      where that authority issues a card describing a second entity and
      its key, using the CONFIDENCE parameter to give its
      Bayesianically-generated level of belief; and a third card where
      that second entity describes a third, offering its CONFIDENCE
      level. A user with access to all the vCards could then determine,
      based on its own trust-level of the root authority, how much to
      trust the other entities. This trust of the root authority could
      be generated either with the Sunrise Formula, or with an analysis
      of web-of-trust data.

   Examples:

      BIRTHPLACE;CONFIDENCE=50:Winnipeg, Manitoba, Canada

   ABNF:

      confidence-param = "CONFIDENCE=" (INTEGER / FLOAT)

3.2.  Parameter: DATE

   Namespace:

   Parameter name: DATE

   Purpose: To identify the particular moment, or the period of time,
      for which the property's value is being described.

   Value type: A date, or a time, or a date-time, or a period of time
      (from ISO 8601).

   Description:

      An ISO 8601 date, time, date-time, or period for which the
      property is being described. Eg, if an email address is being
      described for the year 2012, then the corresponding DATE could
      have the value 2012-01-01/P1Y.

      DATE can be combined with the existing GEO parameter for full
      four-dimensional time-and-space locations, such as to indicate
      that a person was in a particular place at a particular time.

      CONFIDENCE and DATE can be combined for identity revocation. Eg:

         EMAIL;DATE=2012-01-01/P1Y;CONFIDENCE=50:example@example.com
         EMAIL;DATE=2013-01-01;CONFIDENCE=-50:example@example.com

      would indicate that the given email address is/was/will-be in use
      for all of 2012, but cease to be used as of 2013.

   Example:

      BDAY:1990-01-01
      FN;DATE=1990-01-01/2010-06-12:Jane Doe
      EMAIL;DATE=P2Y/2010-06-12:janedoe@example.com
      ADR;DATE=P2Y/2010-06-12:;;123 Main Street;Any Town;CA;91921-1234;U.S.A.
      ANNIVERSARY:2010-06-12
      FN;DATE=2010-06-12:Jane Doe Smith
      ADR;DATE=2010-06-12:;;456 Blackacre Road;Any Town;CA;91925;U.S.A.
      EMAIL;DATE=2010-06-12/P9M:johnandjane@example.com
      EMAIL;DATE=2011-03-15:johnandjaneandrick@example.com

   ABNF:

      DATE-param = "DATE=" date-tag

      date-tag = instant-tag / period-tag

      instant-tag = date-and-or-time
        ; from RFC 6350 section 4.3.4

      period-tag = date-and-or-time "/" date-and-or-time
                 / date-and-or-time "/" duration-tag
                 / duration-tag "/" date-and-or-time
                 / duration-tag

      duration-tag = "P" *1(1*DIGIT "Y") *1(1*DIGIT "M") *1(1*DIGIT "D")
                     *1("T" *1(1*DIGIT "H") *1(1*DIGIT "M")
                     *1(1*DIGIT "S") )
                   / "P" 1*DIGIT "W"
                   / "P" year month day "T" hour minute second
                   / "P" year "-" month "-" day "T"
                     hour ":" minute ":" second
        ; translation of ISO 8601 periods into ABNF
        ; https://en.wikipedia.org/wiki/ISO_8601#Durations

4.  Identification Property Extensions

4.1.  Property: PREFERRED-ID

   Namespace:

   Property name: PREFERRED-ID

   Purpose: To list, in preferential order, which of the other fields
      (or which other data) the authority suggests should be used for
      sorting and identification purposes.

   Value type: One or more of the following, comma-separated: the name
      of a vCard property, with as many parameters as are required to
      uniquely identify it; or a literal string, enclosed in quotes.

   Property parameters: DATE, GEO, CONFIDENCE

   Description:

      Given that some vCards have email addresses and some don't; some
      have UIDs; some have Twitter handles; etc; there doesn't seem to
      be any practical way to declare that one particular sort of field
      must be used as a canonical ID-string. Implementing full-fledged
      authentication systems becomes easier by declaring which strings
      are most useful to be used as such. Eg, "The UID is the preferred
      ID-string; but if your particular system doesn't handle that, you
      could use the email address instead, or failing that, the
      nickname."

      As a practical example; the webfist protocol uses email addresses
      as canonical ID strings, which, with a bit of hash function
      trickery, allows for relatively easy lookups in the webfist ID
      database. Having even just a short list of potential ID-strings
      could allow, if nothing else, all of them to be hashed into a
      similar database, so that in the future, someone seeking to
      authenticate that identity can look up whichever one of those
      strings they happen to have available to them.

   ABNF:

      PREFERRED-ID-param = "VALUE=text"
      PREFERRED-ID-value = component *("," component)

4.2.  Property: AUTHORITY

   Namespace:

   Property name: AUTHORITY

   Purpose: To identify which authority is the one responsible for the
      vCard's data (which may or may not be the same as the person or
      group described in the vCard itself, or as the person or group
      which publishes the vCard).

   Value type: A single text value

   Description:

      A text field describing the entity issuing the vCard, or who
      makes the claim that the data within it is accurate.

      If a vCard is available describing the authority, then if
      possible, the value of the AUTHORITY field should contain an
      entry from the authority's card's PREFERRED-ID property. This
      allows chains of vCards authenticating each other, in the manner
      of certificate authorities.

   ABNF:

      AUTHORITY-param = "VALUE=text"
      AUTHORITY-value = text

4.3.  Property: SOCIALMEDIA

   Namespace:

   Property name: SOCIALMEDIA

   Purpose: To list a social profile which the subject of the vCard is
      associated with.

   Value type: A URI or a text value.

   Description:

      For SOCIALMEDIA, the TYPE parameter is a comma-separated list of
      values, which aren't limited to a particular list, but can
      include "blog", "profile", "im", the names of particular
      services, and so on.

      If the value of SOCIALMEDIA is not a well-formed URI, but the
      TYPE includes a social media service, then the value is assumed
      to be some form of personal identifier (such as a username) in
      whatever format that social profile provider prefers. That is,
      all of these would be valid:

         SOCIALMEDIA;TYPE=twitter:http://twitter.com/TwitterHandle
         SOCIALMEDIA;TYPE=twitter:@TwitterHandle
         SOCIALMEDIA;TYPE=twitter:TwitterHandle

      General recommendation: Company websites and personal homepages
      should continue to use the URL property, while everything else
      should use the SOCIALMEDIA property.

   ABNF:

      SOCIALMEDIA-param = "TYPE=" social-media-type
      social-media-type = "rss" / "atom" / "feed" / "homepage"
                        / "profile" / "content" / "blog" / "gallery"
                        / text
        ; social-media-type MUST NOT be used with a property other than
        ; SOCIALMEDIA.
      SOCIALMEDIA-value = text

4.4.  Property: HASH

   Namespace:

   Property name: HASH

   Purpose: Contains an ASCII-armored version of the cryptographic
      hash.

   Value type: A single text value

   Description:

      An ASCII-armored hash, containing a cryptographic signature of a
      text stream consisting of the properties and values listed in
      HASHLIST. If no HASHLIST property is present, then it should be
      assumed that every property and value, save for HASH itself, is
      included, placed in alphabetical order.

      If HASHKEY is not present, then it should be compared to an
      appropriate key, such as the AUTHORITY's public key (preferably
      asserted in a previous vCard with the KEY property).

   ABNF:

      HASH-param = "VALUE=text"
      HASH-value = text

4.5.  Property: HASHKEY

   Namespace:

   Property name: HASHKEY

   Purpose: To identify the key used to generate the value of the HASH
      property.

   Value type: A single URI. It can also be reset to a text value.

   Cardinality: *

   ABNF:

      HASHKEY-param = HASHKEY-uri-param / HASHKEY-text-param
      HASHKEY-value = HASHKEY-uri-value / HASHKEY-text-value
        ; Value and parameter MUST match.

      HASHKEY-uri-param = "VALUE=uri" / mediatype-param
      HASHKEY-uri-value = URI

      HASHKEY-text-param = "VALUE=text"
      HASHKEY-text-value = text

      HASHKEY-param =/ altid-param / pid-param / pref-param
                     / type-param / any-param

4.6.  Property: HASHLIST

   Namespace:

   Property name: HASHLIST

   Purpose: A list of properties for which the cryptographic
      authentication is being asserted.

   Value type: A comma-separated list of property values, with as many
      of the parameters for each as are required to uniquely identify
      them.

   Description:

      Contains the list of property-and-parameter sets of the entries
      used to create the partial vCard to compare to the HASH. If HASH
      is present but HASHLIST isn't, then the set of properties is
      assumed to be everything but the HASH itself.

      If multiple properties of the same type are in the vCard, but not
      all of them are being signed, then enough of the parameters (eg,
      ALTID) should be included to differentiate which are part of the
      hash.

      If any properties are listed on multiple lines, they should be
      unfolded as given in RFC 6350 section 3.2 before being hashed.

   ABNF:

      HASHLIST-param = "VALUE=text"
      HASHLIST-value = component *("," component)

5.  Example: Author's vCard

   BEGIN:VCARD
   VERSION:4.0s
   AUTHORITY:datapacrat@datapacrat.com
   FN:Daniel Eliot Boese
   N:Boese,Daniel,Eliot
   NICKNAME:DataPacRat
   EMAIL;PREF=1:datapacrat@datapacrat.com
   EMAIL;PREF=2:datapacrat@gmail.com
   REV:20130830T120000Z
   KEY;DATE=20130517;CONFIDENCE=50:
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3
   PREFERRED-ID:FN,NICKNAME,"datapacrat@datapacrat.com",
    "datapacrat@gmail.com","datapacrat.com"
   SOCIALMEDIA;TYPE=homepage:http://www.datapacrat.com/
   SOCIALMEDIA;TYPE=blog:http://blog.datapacrat.com/
   SOCIALMEDIA;TYPE=profile:http://blog.datapacrat.com/about/
   SOCIALMEDIA;TYPE=twitter:@DataPacRat
   SOCIALMEDIA;TYPE=facebook:http://www.facebook.com/DataPacRat
   SOCIALMEDIA;TYPE=gallery:http://datapacrat.deviantart.com/
   HASHKEY:
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3
   HASHLIST:EMAIL;PREF=1,AUTHORITY,KEY
   HASH:
    iQEcBAEBAgAGBQJSISgUAAoJEBrKNlQrJtDDqz8IAKOZwtSJmfZXNcC2kDJlZz4j
    Cl6lii3l2ZPoKXLLyzElGIiKEmUHJk4S1/4lEzabQkzaKsgCt3lORJuwtRKbbwVM
    pKAeCTnyXMQx3XkB5lYkR2P0d93WtSBMMk/Dqz7nusdE+vUTGvbpdZMtGkus4abL
    wX/Zn0k/eh3HmmfiUt/k/VQlc35ms6W/oMQVRqugfwxBSXP4gyZVadsDfvVRhYQE
    3M/ry5ISzs061ljnHLX+gsBANInbipm87PruVLnoswtN+9Yh/QaRMKEKupONpRNL
    yM+Mhg874bWq/II/CKIhv2fmWNX4lP0cB0Xgs/6YTWroM7NQk4iJ5dmFS3fqoEE=
    =lBbY
   END:VCARD

   This leads to a partial vCard to hash, consisting of:

   EMAIL;PREF=1:datapacrat@datapacrat.com
   AUTHORITY:datapacrat@datapacrat.com
   KEY;DATE=20130517;CONFIDENCE=50:
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3

   The KEY line should be unfolded into a single line to create the
   hash.

6.  Security Considerations

   Signed vCards can contain cryptographic hashes. Depending on which
   crypto algorithms are used, these may be vulnerable to offline
   attacks. Programs should check that the key used to create the hash
   is linked to the appropriate authentication authority.

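The partial-vCard reconstruction described in sections 4.4, 4.6 and 5, as an added Python example that is not part of the draft: it unfolds the card, selects the lines named by HASHLIST, and lists the lines the signature does not cover. The function names, the fail-closed handling of ambiguous selectors, the exclusion of BEGIN/END in the no-HASHLIST case and the rejection of multiple HASHLIST lines are assumptions of this example; the draft does not specify them, nor the line terminator used when joining the lines for hashing.

```python
import re

# Constructed sample: a cut-down copy of the section 5 vCard. The HASH value
# is a placeholder because this example does not verify the signature itself.
SAMPLE = (
    "BEGIN:VCARD\r\nVERSION:4.0s\r\n"
    "AUTHORITY:datapacrat@datapacrat.com\r\n"
    "FN:Daniel Eliot Boese\r\n"
    "EMAIL;PREF=1:datapacrat@datapacrat.com\r\n"
    "EMAIL;PREF=2:datapacrat@gmail.com\r\n"
    "KEY;DATE=20130517;CONFIDENCE=50:\r\n"
    " http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1ACA36542B26D0C3\r\n"
    "HASHLIST:EMAIL;PREF=1,AUTHORITY,KEY\r\n"
    "HASH:PLACEHOLDER\r\nEND:VCARD\r\n"
)

def content_lines(text):
    """Unfold per RFC 6350 section 3.2, then return the non-empty lines."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    return [line for line in unfolded.splitlines() if line]

def parse_line(line):
    """Split a content line into (NAME, {PARAM: value}, value)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            break
    else:
        raise ValueError("no ':' separator in %r" % line)
    name, *params = line[:i].split(";")
    pairs = (p.partition("=") for p in params)
    return name.upper(), {k.upper(): v for k, _, v in pairs}, line[i + 1:]

def signed_lines(text):
    """Return the content lines that the HASH signature covers, in order."""
    parsed = [(line,) + parse_line(line) for line in content_lines(text)]
    hashlists = [p[3] for p in parsed if p[1] == "HASHLIST"]
    if not hashlists:
        # No HASHLIST: everything except HASH, alphabetically (section 4.4).
        # Assumption: the BEGIN/END delimiters are not part of the signed text.
        skip = ("HASH", "BEGIN", "END")
        return sorted(p[0] for p in parsed if p[1] not in skip)
    if len(hashlists) > 1:
        raise ValueError("more than one HASHLIST")  # assumption: reject
    covered = []
    for selector in hashlists[0].split(","):
        name, wanted, _ = parse_line(selector + ":")
        hits = [p[0] for p in parsed if p[1] == name
                and all(p[2].get(k) == v for k, v in wanted.items())]
        if len(hits) != 1:  # assumption of this example: fail closed
            raise ValueError("%r selects %d lines" % (selector, len(hits)))
        covered.append(hits[0])
    return covered

def unsigned_lines(text):
    """Content lines a verifier must NOT treat as authenticated."""
    covered = set(signed_lines(text))
    return [line for line in content_lines(text)
            if line not in covered
            and parse_line(line)[0] not in ("HASH", "BEGIN", "END")]
```

For the section 5 card, FN, the second EMAIL and the HASHLIST line itself fall outside the signed text, so a verifier should display or trust only what `signed_lines` returns.
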
   When creating a new vCard, whether by hand or automatically
   generated, care should be taken to set appropriate CONFIDENCE
   values, to prevent further vCards based on such information from
   over- or under-estimating their own CONFIDENCE values.

7.  IANA Considerations

   The IANA is requested to add the following entries to the vCard
   Parameters registry, defined in [RFC6350] section 10.3.2.

   +-----------+--------------+------------------------+
   | Namespace | Parameter    | Reference              |
   +-----------+--------------+------------------------+
   |           | CONFIDENCE   | RFCXXXX, section 3.1   |
   |           | DATE         | RFCXXXX, section 3.2   |
   +-----------+--------------+------------------------+

   The IANA is requested to add the following entries to the vCard
   Properties registry, defined in [RFC6350] section 10.3.1.

   +-----------+--------------+------------------------+
   | Namespace | Property     | Reference              |
   +-----------+--------------+------------------------+
   |           | PREFERRED-ID | RFCXXXX, section 4.1   |
   |           | AUTHORITY    | RFCXXXX, section 4.2   |
   |           | SOCIALMEDIA  | RFCXXXX, section 4.3   |
   |           | HASH         | RFCXXXX, section 4.4   |
   |           | HASHKEY      | RFCXXXX, section 4.5   |
   |           | HASHLIST     | RFCXXXX, section 4.6   |
   +-----------+--------------+------------------------+

8.  Acknowledgements

   Simon Perreault for writing the original vCard 4.0 format.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC6350]  Perreault, S., "vCard Format Specification", RFC 6350,
              August 2011.

Authors' Addresses

   Daniel Eliot Boese

   Email: datapacrat@datapacrat.com
   URI:   http://www.datapacrat.com