[messaging] Affirmations

Vincent Breitmoser valodim at mugenguild.com
Mon Jan 5 06:44:30 PST 2015

Hi all,

I am currently writing my master's thesis titled "Complementing the Web of Trust
with Affirmations" (working title), and would be interested in everybody's
thoughts on the matter. I spent the better part of 2014 working on OpenKeychain
with Dominik Schürmann, this thesis sort of follows up on that.

So, affirmations.

Short version: An affirmation is a user attribute packet in a pgp keyring which
associates that keyring with a resource on the internet.

Longer version: Ever since keybase.io was revealed in early 2014, I loved their
general idea of associating pgp keys with resources on the web (like everybody
else I guess). What I liked less were their ideas of a centralized
infrastructure, with a common namespace and proofs residing on a central
repository. Keybase's proofs are semantically very close to user ids, so can't
they simply be distributed together with keyrings as an extension to rfc4880?

Turns out that, yes they can. Besides user ids, pgp keyrings can contain user
attributes, which are treated very similarly in regards to certification. User
attributes have a subtype, the only defined type of which is "JPEG". The rfc
states that user attribute subtypes which are not supported by an implementation
should be treated as "user ids with opaque content, but its certificates may
still be verified." I checked the sks source and forged some test keyrings, and
user attributes of unknown type are treated correctly[1].

So my proposal is a new user attribute subtype, which ties a resource on the web
to the keyring by mutual proof of control. It can be self-certified, certified
by others, revoked, and most importantly distributed via keyservers just like a
regular user id. I am still in the process of doing background research and
theoretical evaluation of the concept. I plan to write the standard as an
internet draft, extending rfc4880, but I'm still in the process of working out a
number of details. Some things will probably become more clear during the
prototype implementation process, and I'm hoping to get some input here as
well. I will be implementing both a standalone application and support in
OpenKeychain as part of my thesis.

There is a project based on the same idea called "keygraph"[2], but it never
really took off. I am not aware of any serious effort to standardize or
implement this, and I would be very interested in exchanging notes if someone
else is working on a similar approach.

To keep this mail at a reasonable size, I will write more on the technical
details (i.e. packet format & proof format) as planned so far in separate mails
soonish. I would love to hear general thoughts and comments (and doubts?) on the

 - Vincent Breitmoser

[1]: http://subset.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0x73776167&fingerprint=on
[2]: https://github.com/keygraph/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150105/24471a46/attachment.sig>

More information about the Messaging mailing list