<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2181.xml">
<!ENTITY rfc2822 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2822.xml">
<!ENTITY rfc3597 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3597.xml">

<!ENTITY rfc4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY rfc4034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4034.xml">
<!ENTITY rfc4035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4035.xml">

<!ENTITY rfc4648 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4648.xml">

<!ENTITY rfc4880 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4880.xml">

<!ENTITY rfc5754 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5754.xml">

<!ENTITY rfc6530 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6530.xml">
<!ENTITY rfc6672 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6672.xml">
<!ENTITY rfc6698 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6698.xml">

<!--ENTITY I-D.draft-shaw-openpgp-hkp-00 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-shaw-openpgp-hkp-00.xml"-->

]>

<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>

<?rfc strict='yes'?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>

<rfc ipr="trust200902"
    docName="draft-wouters-dane-openpgp-02"
    category="std"
>

<front>
<title abbrev="DANE for OpenPGP public keys">
Using DANE to Associate OpenPGP public keys with email addresses
</title>

<author initials='P.' surname="Wouters" fullname='Paul Wouters'>
<organization>Red Hat</organization>
<address>
<email>pwouters@redhat.com</email>
</address>
</author>

<date month="February" year="2014"/>

<abstract>

<t>
OpenPGP is a message format for email (and file) encryption, that lacks a
standarized lookup mechanism to obtain OpenPGP public keys. This document
specifies a standarized method for securely publishing and locating
OpenPGP public keys in DNS using a new OPENPGPKEY DNS Resource Record.
</t>

</abstract>

</front>

<middle>

<section anchor="introduction" title="Introduction">

<t>
To encrypt a message to a target recipient using OpenPGP <xref
target='RFC4880'/>, possession of the recipient's OpenPGP public key is
required. To obtain that public key, two problems need to be solved by the
sender's email client, MUA or MTA. Where does one find the recipient's
public key and how does one trust that the found key actually belongs
to the intended recipient.
</t>
<t>
Obtaining a public key is not a straightforward process as there are no
trusted standarized locations for publishing OpenPGP public keys indexed
by email address. Instead, OpenPGP clients rely on "well-known key
servers" that are accessed using the web based HKP protocol or manually
by users using a variety of differently formatted front-end web pages.
</t>
<t>
Currently deployed key servers have no method of validating any uploaded
OpenPGP public key. The key servers simply store and publish.  Anyone can
add public keys with any identities and anyone can add signatures to any
other public key using forged malicious identities.  Furthermore, once
uploaded, public keys cannot be deleted. People who did not pre-sign a
key revocation can never remove their public key from these key servers
once they lost their private key.
</t>

<t>
The lack of association of email address and public key lookup is
also preventing email clients, MTAs and MUAs from encrypting a received
message to the target receipient forcing the software to send the message
unencryped. Currently deployed MTA's only support encrypting the transport
of the email, not the email contents itself.
</t>
<t>
This document describes a mechanism to associate a user's OpenPGP public
key with their email address, using a new DNS RRtype.
</t>
<t>
The proposed new DNS Resource Record type is secured using DNSSEC. This
trust model is not meant to replace the "web of trust" model. However,
it can be used to encrypt a message that would otherwise have to be sent
out unencrypted, where it could be monitored by a third party in transit
or located in plaintext on a storage or email server.
</t>


<section anchor="terminology" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in RFC 2119 <xref target='RFC2119'/>.</t>

<t>This document also makes use of standard DNSSEC and DANE
terminology. See DNSSEC <xref target='RFC4033'/>, 
<xref target='RFC4034'/>, <xref target='RFC4035'/>, and DANE <xref
target='RFC6698'/> for these terms.</t>
</section>

</section>

<section anchor="openpgpkey_rr" title="The OPENPGPKEY Resource Record">
<t>
The OPENPGPKEY DNS resource record (RR) is used to associate an end entity
OpenPGP public key with an email address, thus forming a "OpenPGP public
key association".
</t>

<t>
The type value allocated for the OPENPGPKEY RR type is [TBD].  The
OPENPGPKEY RR is class independent.  The OPENPGPKEY RR has no special
TTL requirements.
</t>

<section anchor="openpgpkey_rrdata" title="The OPENPGPKEY RDATA component">
<t>
The RDATA (or RHS) of an OPENPGPKEY Resource Record contains a single
value consisting of a <xref target='RFC4880'/> formatted OpenPGP public
keyring.
</t>
</section>

<section anchor="openpgpkey_wformat" title="The OPENPGPKEY RDATA wire format">
<t>
The RDATA Wire Format is the binary OpenPGP public keyring as specified in
<xref target='RFC4880'/> without any ascii armor or base64 encoding.
</t>
</section>

<section anchor="openpgpkey_pformat" title="The OPENPGPKEY RDATA presentation format">
<t>
The RDATA Presentation Format, as visible in textual zone files, consists
of the <xref target='RFC4880'/> formatted OpenPGP public keyring encoded
in Base64 <xref target="RFC4648"/>
</t>
</section>
</section>

<section anchor="openpgpkey_loc" title="Location of the OpenPGPKEY record">
<t>Email addresses are mapped into DNS using the following method:
<list style="numbers">

<t>
The user name (the "left-hand side" of the email address, called
the "local-part" in the mail message format definition <xref
target="RFC2822"/> and the "local part" in the specification for
internationalized email <xref target="RFC6530"/>), is hashed using the
SHA2-224 <xref target="RFC5754"/> algorithm to become the left-most
label in the prepared domain name. This does not include the at symbol
("@") that separates the left and right sides of the email address.
</t>
<t>
The DNS does not allow the use of all characters that are supported in
"local-part" of email addresses as defined in <xref target="RFC2822"/>
and <xref target="RFC6530"/> . The SHA2-224 hashing of the user name
ensures that none of these characters would need to be placed directly
in the DNS.
</t>

<t>
The string "_openpgpkey" becomes the second left-most label in the
prepared domain name.
</t>

<t>
The domain name (the "right-hand side" of the email address, called the
"domain" in RFC 2822) is appended to the result of step 2 to complete
the prepared domain name.
</t>
</list></t>

<t>
For example, to request an OPENPGPKEY resource record for a user whose email address
is "hugh@example.com", an OPENPGPKEY query would be placed for the following QNAME:
"8d5730bd8d76d417bf974c03f59eedb7af98cb5c3dc73ea8ebbd54b7._openpgpkey.example.com"
The corresponding RR in the example.com zone might look like:

<figure><artwork><![CDATA[
8d5730bd8d76d417bf974c03f59eedb7af98cb5c3dc73ea8ebbd54b7._openpgpkey.example.com. IN OPENPGPKEY <encoded public key>
]]></artwork></figure>
</t>

</section>

<section title='OpenPGP Key size and DNS'>
<t>
Although the reliability of the transport of large DNS Resoruce Records
has improved in the last years, it is still recommended to keep the DNS
records as small as possible without sacrificing the security properties
of the public key. The algorithm type and key size of OpenPGP keys should
not be modified to accomodate this section.
</t>

<t>
OpenPGP supports various attributes that do not contribute to the
security of a key, such as an embedded image file. It is recommended
that these properties are not exported to OpenPGP public keyrings that
are used to create OPENPGPKEY Resource Records. Some OpenPGP software,
for example GnuPG, have support for a "minimal key export" that is well
suited to use as OPENPGPKEY RDATA. See <xref target='AppendixA'/>
</t>
</section>

<section anchor="security" title='Security Considerations'>
<t>
OPENPGPKEY usage considerations are published in <xref target="OPENPGPKEY-USAGE"/>
</t>

<section title='Email address information leak'>
<t>
Email addresses are not secret. Using them causes its publication.
The hashing of the user name in this document is not a security feature.
Publishing OPENPGPKEY records however, will create a list of hashes of
valid email addresses, which could simplify obtaining a list of valid
email addresses for a particular domain.  It is desirable to not ease
the harvesting of email addresses where possible.
</t>
<t>
The domain name part of the email address is not used as part of the
hash so that hashes can be used in multiple zones deployed using DNAME
<xref target="RFC6672"/>. This does makes it slightly easier and cheaper
to brute-force the SHA2-224 hashes into common and short user names, as
single rainbow tables can be re-used accross domains. This can be somewhat
countered by using NSEC3.
</t>
<t>
DNS zones that are signed with DNSSEC using NSEC for denial of existence
are susceptible to zone-walking, a mechanism that allows someone to
enumerate all the OPENPGPKEY hashes in a zone. This can be used in
combination with previously hashed common or short user names (in
rainbow tables) to deduce valid email addresses. DNSSEC-signed zones
using NSEC3 for denial of existence instead of NSEC are significantly
harder to brute-force after performing a zone-walk.
</t>
</section>

<section title='Forward security of OpenPGP versus DNSSEC'>
<t>
DNSSEC key sizes are chosen based on the fact that these keys can be
rolled with next to no requirement for security in the future. If one
doubts the strength or security of the DNSSEC key for whatever reason,
one simply rolls to a new DNSSEC key with a stronger algorithm or larger
key size. On the other hand, OpenPGP key sizes are chosen based on how many
years (or decades) their encryption should remain unbreakable by adversaries
that own large scale computational resources.
</t>
<t>
This effectively means that anyone who can obtain a DNSSEC private key of
a domain name via coercion, theft or brute force calculations, can replace
any OPENPGPKEY record in that zone and all of the delegated child zones,
irrespective of the key size of the OpenPGP keypair. Any future messages
encrypted with the malicious OpenPGP key could then be read.
</t>
<t>
Therefor, an OpenPGP key obtained via an OPENPGPKEY record can only
be trusted as much as the DNS domain can be trusted, and are no
substitute for in-person key verification of the "Web of Trust". See
<xref target="OPENPGPKEY-USAGE"/> for more in-depth information on safe
usage of OPENPGPKEY based OpenPGP keys.
</t>
</section>
</section>

<section title='IANA Considerations'>
<section anchor="ianarrtype" title='OPENPGPKEY RRtype'>
<t>
This document uses a new DNS RR type, OPENPGPKEY, whose value [TBD] has been
allocated by IANA from the Resource Record (RR) TYPEs subregistry of
the Domain Name System (DNS) Parameters registry.
</t>
</section>
</section>


<section title='Acknowledgements'>
<t>
This document is based on RFC-4255 and draft-ietf-dane-smime whose authors
are Paul Hoffman, Jacob Schlyter and W. Griffin. Olafur Gudmundsson provided
feedback and suggested various improvements. Willem Toorop contributed the
gpg and hexdump command options.
</t>
</section>

</middle>

<back>

<references title="Normative References">

&rfc2119;
&rfc4033;
&rfc4034;
&rfc4035;
&rfc4648;
&rfc4880;
&rfc5754;

</references>

<references title="Informative References">

<!-- &I-D.draft-shaw-openpgp-hkp-00; -->
&rfc2181;
&rfc2822;
&rfc3597;
&rfc6530;
&rfc6672;
&rfc6698;

   <reference anchor='OPENPGPKEY-USAGE'>
      <front>
      <title>Usage considerations with the DNS OPENPGPKEY record</title>
      <author initials='P' surname='Wouters' fullname='P. Wouters'>
      <organization>Red Hat</organization>
      </author>
      <date month='January' day='1' year='2014' />
      <abstract><t>
   This document describes usage considerations for OPENPGPKEY DNS records
   for users, email clients, MUA's and MTA's.
       </t></abstract>
      </front>
      <seriesInfo name='Internet-Draft' value='draft-wouters-openpgpkey-usage' />
      <format type='TXT' 
            target='http://www.ietf.org/internet-drafts/draft-wouters-openpgpkey-usage-00.txt' />
   </reference>


</references>

    <section title="Generating OPENPGPKEY records" anchor="AppendixA">
    <t>The commonly available GnuPG software can be used to generate the RRdata portion of
       an OPENPGPKEY record:

<figure><artwork align="left"><![CDATA[

gpg --export --export-options export-minimal \
    hugh@example.com | base64

]]></artwork></figure>

The --armor or -a option of the gpg command should NOT be used, as it
adds additional markers around the armored key.
</t>

<t>When DNS software reading or signing the zone file does not yet support the OPENPGPKEY RRtype, the Generic
Record Syntax of <xref target='RFC3597'/> can be used to generate the RDATA. One needs to calculate
the number of octets and the actual data in hexadecimal:

<figure><artwork align="left"><![CDATA[

gpg --export --export-options export-minimal \
    hugh@example.com | wc -c

gpg --export --export-options export-minimal \
    hugh@example.com | hexdump -e \
       '"\t" /1 "%.2x"' -e '/32 "\n"'

]]></artwork></figure>

These values can then be used to generate a generic record:


<figure><artwork align="left"><![CDATA[

<SHA2-224(hugh)>._openpgpkey.example.com. IN TYPE65280 \# <numOctets> <keydata in hex>

]]></artwork></figure>

</t>
<t>The openpgpkey command in the hash-slinger software can be used to generate complete OPENPGPKEY records

<figure><artwork align="left"><![CDATA[

~> openpgpkey --output rfc hugh@example.com
8d5730bd8d[...]bbd54b7._openpgpkey.example.com. IN OPENPGPKEY mQCNAzIG[...]

~> openpgpkey --output generic hugh@example.com
8d5730bd8d[...]bbd54b7._openpgpkey.example.com. IN TYPE65280 \# 2313 99008d03[...]


]]></artwork></figure>

</t>
    </section>


</back>

</rfc>

