JSContact Cryptographic Key Extensions
draft-hallambaker-jscontact-05

Document Type Active Internet-Draft (candidate for calext WG)
Author Phillip Hallam-Baker
Last updated 2025-11-07 (Latest revision 2025-09-16)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Stream WG state Call For Adoption By WG Issued
Document shepherd (None)
IESG IESG state I-D Exists
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
Network Working Group                                 P. M. Hallam-Baker
Internet-Draft                                      ThresholdSecrets.com
Intended status: Informational                         16 September 2025
Expires: 20 March 2026

                 JSContact Cryptographic Key Extensions
                     draft-hallambaker-jscontact-05

Abstract

   Extensions to the JSContact data model for contact card data are
   defined to provide improved support for describing cryptographic
   credentials to be used with applications and services and to provide
   support for authenticated updates to a contact card.  These features
   in combination provide a basis for establishing and maintaining peer-
   to-peer trust.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 March 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Hallam-Baker              Expires 20 March 2026                 [Page 1]
Internet-Draft   JSContact Cryptographic Key Extensions   September 2025

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Linking Keys to Services  . . . . . . . . . . . . . . . .   3
     1.2.  Enhanced specification of cryptographic credentials . . .   4
     1.3.  Groups  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.4.  Authenticated Locators  . . . . . . . . . . . . . . . . .   7
     1.5.  Authenticated Updates . . . . . . . . . . . . . . . . . .   7
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.1.  Requirements Language . . . . . . . . . . . . . . . . . .   9
     2.2.  Defined Terms . . . . . . . . . . . . . . . . . . . . . .   9
     2.3.  Related Specifications  . . . . . . . . . . . . . . . . .   9
     2.4.  Implementation Status . . . . . . . . . . . . . . . . . .   9
   3.  Card Extensions . . . . . . . . . . . . . . . . . . . . . . .   9
     3.1.  Additional Card Properties  . . . . . . . . . . . . . . .  10
       3.1.1.  updates . . . . . . . . . . . . . . . . . . . . . . .  10
       3.1.2.  serviceGroups . . . . . . . . . . . . . . . . . . . .  10
     3.2.  Extended Objects  . . . . . . . . . . . . . . . . . . . .  11
       3.2.1.  EmailAddress  . . . . . . . . . . . . . . . . . . . .  11
       3.2.2.  cryptoKeyIds  . . . . . . . . . . . . . . . . . . . .  11
       3.2.3.  OnlineService . . . . . . . . . . . . . . . . . . . .  11
       3.2.4.  cryptoKeyIds  . . . . . . . . . . . . . . . . . . . .  11
     3.3.  New Objects . . . . . . . . . . . . . . . . . . . . . . .  12
       3.3.1.  JsonWebKeySet . . . . . . . . . . . . . . . . . . . .  12
       3.3.2.  jsonWebKeys . . . . . . . . . . . . . . . . . . . . .  12
   4.  Application Profiles  . . . . . . . . . . . . . . . . . . . .  12
     4.1.  S/MIME  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     4.2.  OpenPGP . . . . . . . . . . . . . . . . . . . . . . . . .  13
     4.3.  SSH . . . . . . . . . . . . . . . . . . . . . . . . . . .  15
     4.4.  Code Signing  . . . . . . . . . . . . . . . . . . . . . .  17
     4.5.  Commit Signing  . . . . . . . . . . . . . . . . . . . . .  19
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  20
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  20
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .  20
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  21

1.  Introduction

   This document defines extensions to the JSContact data model for
   contact card data [RFC9553] to provide improved support for
   describing cryptographic credentials to be used with applications and
   services and to provide support for authenticated updates to a
   contact card.

   The key design considerations for these extensions are as follows:

   *  Maintain compatibility with the approach in the base
      specification, avoiding unexpected behavior from legacy
      applications.

   *  Allow cryptographic credentials to be specified as JSON Web Key
      Sets [RFC7517].

   *  Provide more descriptive information for use of cryptographic
      credentials, in particular specifying which key is to be used with
      which information service.

   *  Allow specification of groups of related email addresses and
      information services.

   *  Enable automated updates to the contact card data with
      cryptographic authentication.

   In addition, specific guidance is provided on specifying credentials
   for use with S/MIME, OpenPGP, SSH and Code Signing.

1.1.  Linking Keys to Services

   JSContact allows a card to specify online services and cryptographic
   keys but does not provide a means of specifying which key is to be
   used for which purpose.  This is a particular problem with key
   formats used to support a wide range of applications: an OpenPGP key
   may be used to sign email or to sign a repository commit.

   The EmailAddress object and OnlineService object are extended to add
   a keys property which MAY be used to specify the key identifiers of
   the related keys.

   For example, Alice has an email address entry that has keys for
   signing and encrypting emails using S/MIME and OpenPGP.

   {
       "@type":"Card",
       ...
       "emails" : {
     "EmailAddress": {
       "@type": "EmailAddress",
       "address": "[email protected]",
       "label": "Main email",
       "cryptoKeyIds": {
         "MCBV-AP74-6FWL-45K7-MRPV-XISQ-CARZ": "smime",
         "MBOH-BAER-57K4-MEFK-RTA3-K67Y-KA4F": "smime",
         "MCUK-IIT7-WXOW-DUJU-5LWP-SC4L-HHWT": "openpgp",
         "MCNS-D5JZ-PPCU-TQE5-R7Z4-KQHF-7FKK": "openpgp"}}},
       ...
       }

1.2.  Enhanced specification of cryptographic credentials

   The JSContact cryptokeys property allows a card to specify
   cryptographic credentials as URIs but not their intended uses.  A
   data URI containing an X.509v3 certificate might be intended for use
   with S/MIME, for code signing or some entirely unrelated purpose.
   Best design practice encourages the use of common cryptographic
   infrastructures to support a wide range of applications but best use
   practices encourage limiting the use of particular cryptographic keys
   to a single application.

   The use of the JSON Web Key (JWK) format provides a much richer
   format for describing cryptographic keys and their properties than a
   URI and a media type.

   For example, Bob is trying to send an encrypted email to Alice.  Her
   contact card lists two keys, but only one is an encryption key with
   the JWK use parameter enc:

   [NB: This example shows presentation as a JWK raw key alone.  We
   would probably want to present the certificate as well; this has been
   left open so we can have a full discussion before fixing a scheme.]

   {
       "@type":"Card",
       ...
       "cryptoKeys" : {"MCBV-AP74-6FWL-45K7-MRPV-XISQ-CARZ" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "wJ8fBfJvJErn6wQfaOxXSYJJ5nzjjmh6m2xxBgPeYhaB0UJu6moixZ0
   h2C482143EDpQ7IA4BWGlp1qs1Q_eBjPqX3I9cD7BHSn6mNzyUG96s9hUvXQ79Q-5F
   bJ-aVbaat7TUbmfAzQu3UW_DFMrHbLztnJvhN5cUyIpncS965Nhdo0tMk3LP6xNovQ
   MI474KtZdwwTUd2YG8YNGhq8_NGYRtiuqvFVmtNERXg62OrkEyMo0M5wtKUe19O0b1
   ANkXAgfclWO462u52O8mxjzL0yGgg_dsH5VKQ49DjIsElvEjQEv3Z22t-2zRmyUB--
   xY7AAjlPpoliGK8fHNnauoQ",
         "e": "AQAB"}
       ]},
   "MBOH-BAER-57K4-MEFK-RTA3-K67Y-KA4F" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "lh3QrtbxcyT3d4KaNrrrhs7zKU7wLa3uGuclPQ1m_bOBYNHc3ZJz6h-
   9hztueRXWOU5qCOrUgnhm96CbZnduQk29kTIR_iLfAqi4N8ghLlefQuayfUjHnYeUR
   VcdZBRPG88PRyw9DzZbeKKpq5_iiqjeAgaPqmhneym-qbpz5sn4wGT29M3X1uwbdTI
   difc6u0ezDMEVIF1Bofva0gUa7EJQABXuvu-GXbDCQ2sYj4MI8O9kAE9GmXTc2WXVn
   9ILznMLG78RRAt8C6ECZVYM4K28L-Uv0nR8g6hMcdD77fbpuooI73EKan4ofzWssRZ
   MDV_U5SeqdvVI_g-Slep2jQ",
         "e": "AQAB"}
       ]}
   ...
   }

1.3.  Groups

   It is often convenient to organize related email addresses and online
   services used for a common purpose into groups.

   For example, Alice might create separate sets of SSH, repository
   commit signing and code signing keys for code development:

   {
       "@type":"Card",
       ...
       "groups" : {
     "ServiceGroup": {
       "@type": "ServiceGroup",
       "label": "Developer Key Set",
       "members": {
         "MDCO-377C-3R6S-X2SC-NHS6-BCQS-A623": true,
         "MBJ7-VZZO-NY6R-4BGH-YUBY-4ADY-UTDT": true,
         "MDZ7-XMQY-XHVJ-233R-P75B-2B4R-NFWU": true,
         "MBFR-6JKU-GO3E-JIUU-X2DW-NUCK-L4VY": true,
         "MAZ3-AMHL-GLHQ-HFNK-IWZ4-ZVAP-VDWD": true,
         "MB6M-HCTS-VO6W-UMIX-FW2R-4XGJ-J5V7": true,
         "MBIH-YWGE-7R6X-6QIS-77DR-NB4S-LPDC": true}}},
       ...
       }

   Each group identifier is specified as an online service:

   {
       "@type":"Card",
       ...
       "onlineServices" : {"MDCO-377C-3R6S-X2SC-NHS6-BCQS-A623" : {
     "@type": "OnlineService",
     "service": "ssh",
     "cryptoKeyIds": {
       "MBEX-N46R-AIUQ-FYT6-IEUK-MGV7-SRPQ": "ssh"}},
   "MBJ7-VZZO-NY6R-4BGH-YUBY-4ADY-UTDT" : {
     "@type": "OnlineService",
     "service": "commit",
     "label": "commit",
     "cryptoKeyIds": {
       "MB4R-SUZM-6LM5-ZEAM-7WTO-ZUSP-TFWN": "credential"}},
   "MDZ7-XMQY-XHVJ-233R-P75B-2B4R-NFWU" : {
     "@type": "OnlineService",
     "service": "code",
     "contexts": {
       "Pkix": true},
     "label": "code Pkix",
     "cryptoKeyIds": {
       "MA2Q-STSG-HL6V-VNUU-Z426-SCKT-WF5Z": "credential"}}
   ...
   }

1.4.  Authenticated Locators

   The features described in this document are designed to support but
   not require the exchange of JSContact data by means of an Encrypted
   Authenticated Resource Locator (EARL) [draft-hallambaker-earl].  An
   EARL is a URI form that contains a multi-purpose key that MAY be used
   to locate, decrypt and authenticate an associated ciphertext package.

   For example, Alice's JSContact information might be retrievable from
   the EARL:

   jscontact://example.com/el4z-elnf-ojn7-ap7c-rarh-mvho-kaib

   Alice might publish her EARL on her business card either as text or
   as a machine readable code such as a QR code.  Alternatively, Alice
   might publish the information as a prefixed DNS TXT record in the
   domain she uses as her DNS handle:

   _jscontact.alice.example.com TXT "jscontact=jscontact://example.com/e
       l4z-elnf-ojn7-ap7c-rarh-mvho-kaib"

1.5.  Authenticated Updates

   The authenticated locator mechanisms described above are intended to
   be used to establish a 'first contact' between the parties preserving
   the maximum possible degree of trust from the context.

   Once the initial contact exchange has been achieved, the credentials
   exchanged in that first contact SHOULD be used to obtain and
   authenticate future updates.

   Contact cards that support updates MUST include a UID property.
   Updates to contact cards MUST specify the same UID value.

   The updates property provides an open framework for describing the
   update mechanisms supported.  The mechanisms provided to update the
   contact MAY be different from the mechanism originally used to
   distribute it.

   For example, Alice publishes her current contact card by means of a
   DNS TXT record containing an EARL and a QR code encoding the same
   EARL on the business card she presents when meeting people in person.
   Applications MAY update the card by polling the URI specified in the
   updates entry and verifying the signature on the plaintext enveloped
   data returned.

   {
       "@type":"Card",
       ...
       "updates" : {
   "update1" : {
     "@type": "Update",
     "uri": "https://contacts.example.com/NDNV-L6BK-GWRM-542G-YPQZ-UQG
   P-MKQS",
     "keys": {
       "MDA4-2QRJ-OY5U-CTCN-TJCM-7ROT-3NC6": "sign"}}}
       ...
       "cryptoKeys" : {
   "MDA4-2QRJ-OY5U-CTCN-TJCM-7ROT-3NC6" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "OKP",
         "kid": "MDA4-2QRJ-OY5U-CTCN-TJCM-7ROT-3NC6",
         "crv": "Ed448",
         "x": "aqKL0pKeDkY2Z1thiu5evlzwHraIUFVdJMkMp67dk9ujlV8x5WsvVEz
   V9Ummn9tfoFV4jWF3nmuA"}
       ]}}
       ...
       }

   Since it is easier to update information on a Web site than in DNS or
   on a business card, it is likely that some users will prefer to use
   these mechanisms to distribute pro-forma contact information
   consisting of basic contact information and update information alone.
   Therefore, contact applications SHOULD attempt to update, on receipt,
   any contact card that provides update information.

   Retrieving a plaintext signed contact assertion via HTTPS provides a
   simple but limited update mechanism providing end-to-end integrity
   but not confidentiality.  While the contact information is delivered
   over an encrypted transport, the contact card is stored unencrypted
   on the server, which may not be acceptable in certain applications.
   Another limitation is that the relying party is required to poll the
   contact service for updates.  A more sophisticated updates protocol
   might provide update notifications.  Such considerations are outside
   the scope of this document and left for future work.

   [Remark: Addition of a JOSE based encryption scheme would be
   straightforward.  This would require extending the envelope
   specification and passing a decryption key to the parties to whom the
   contact is passed.]

   A contact card MAY specify multiple update mechanisms providing a
   degree of resilience in the case that a publication service stops
   providing service.

   For example, Alice might choose three independent contact directory
   services, publishing her contact information on all three, ensuring
   that the people she has shared her contact information with can
   remain in contact years or even decades after the initial contact
   exchange.
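
   The acceptance check for a polled update described in this section,
   as an added example (not from the draft or its reference code).  The
   envelope layout, the function names, the lowercase "uid" member name
   and the demo_sign/demo_verify stand-ins are assumptions; a real
   client verifies the signature with the JWK public key, for example
   Ed448.

```python
"""Decide whether a polled update may replace a stored contact card."""
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """The fetched update failed a check and must not replace the card."""


def trusted_update_keys(stored_card, update_id):
    """Return {key_id: [jwk, ...]} the STORED card lists with use "sign"."""
    update = stored_card.get("updates", {}).get(update_id)
    if update is None:
        raise UpdateRejected(f"stored card has no updates entry {update_id!r}")
    trusted = {}
    for key_id, use in update.get("keys", {}).items():
        key_set = stored_card.get("cryptoKeys", {}).get(key_id)
        if use == "sign" and key_set is not None:
            trusted[key_id] = key_set.get("jsonWebKeys", [])
    return trusted


def accept_update(stored_card, update_id, envelope, verify):
    """Return the new Card if the envelope passes every check, else raise.

    envelope: hypothetical {"kid": str, "payload": bytes, "signature": bytes}.
    verify(jwk, payload, signature) -> bool is the caller's signature check.
    Keys are taken only from stored_card, never from the fetched payload.
    """
    jwks = trusted_update_keys(stored_card, update_id).get(envelope["kid"])
    if not jwks:
        raise UpdateRejected("signer is not named by the stored card")
    payload, signature = envelope["payload"], envelope["signature"]
    if not any(verify(jwk, payload, signature) for jwk in jwks):
        raise UpdateRejected("signature does not verify")
    try:
        candidate = json.loads(payload)
    except ValueError as exc:
        raise UpdateRejected("payload is not JSON") from exc
    if not isinstance(candidate, dict) or candidate.get("@type") != "Card":
        raise UpdateRejected("payload is not a Card")
    if not stored_card.get("uid") or candidate.get("uid") != stored_card["uid"]:
        raise UpdateRejected("uid differs from the stored card")
    return candidate


def demo_sign(jwk, payload):
    """Constructed stand-in tag so the example runs offline. NOT a signature."""
    return hashlib.sha256(jwk["x"].encode() + payload).digest()


def demo_verify(jwk, payload, signature):
    """Stand-in for real verification (e.g. Ed448) with the JWK public key."""
    return hmac.compare_digest(signature, demo_sign(jwk, payload))


def make_envelope(card, kid, jwk):
    """Build a constructed envelope around a card for the demonstration."""
    payload = json.dumps(card, sort_keys=True).encode()
    return {"kid": kid, "payload": payload, "signature": demo_sign(jwk, payload)}


def outcome(stored_card, envelope):
    """Return "accepted" or the rejection reason for one envelope."""
    try:
        accept_update(stored_card, "update1", envelope, demo_verify)
        return "accepted"
    except UpdateRejected as reason:
        return str(reason)


# Constructed data: the key id and URI follow the draft's example; the uid,
# the "x" values and the second key are made up for this demonstration.
KID = "MDA4-2QRJ-OY5U-CTCN-TJCM-7ROT-3NC6"
ALICE_JWK = {"kty": "OKP", "crv": "Ed448", "kid": KID, "x": "constructed-alice"}
OTHER_JWK = {"kty": "OKP", "crv": "Ed448", "kid": "OTHER", "x": "constructed-x"}
STORED = {
    "@type": "Card", "uid": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "updates": {"update1": {
        "@type": "Update", "keys": {KID: "sign"},
        "uri": "https://contacts.example.com/NDNV-L6BK-GWRM-542G-YPQZ-UQGP-MKQS"}},
    "cryptoKeys": {KID: {"@type": "JsonWebKeySet", "jsonWebKeys": [ALICE_JWK]}},
}
GOOD = make_envelope(dict(STORED, name={"full": "Alice"}), KID, ALICE_JWK)
# An update vouched for only by a key that the update itself introduces.
SELF_VOUCHED = make_envelope(
    dict(STORED, cryptoKeys={"OTHER": {"jsonWebKeys": [OTHER_JWK]}},
         updates={"update1": {"keys": {"OTHER": "sign"}}}), "OTHER", OTHER_JWK)
# Correctly signed by the trusted key, but for a different card.
WRONG_UID = make_envelope(dict(STORED, uid="urn:uuid:other"), KID, ALICE_JWK)
# Payload changed after signing.
TAMPERED = dict(GOOD, payload=GOOD["payload"].replace(b"Alice", b"Alicf"))

if __name__ == "__main__":
    for label, env in [("good", GOOD), ("self-vouched", SELF_VOUCHED),
                       ("wrong uid", WRONG_UID), ("tampered", TAMPERED)]:
        print(f"{label}: {outcome(STORED, env)}")
```

   The ordering matters: the signer is looked up in the stored card
   before the payload is parsed, so key material carried inside an
   update can never authorise that same update.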

2.  Definitions

   This section presents the related specifications and standards, the
   terms that are used as terms of art within the documents and the
   terms used as requirements language.

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Defined Terms

   TBS

2.3.  Related Specifications

   JSContact: A JSON Representation of Contact Data [RFC9553].
      Describes the format used for contact data interchange.

   JSON Web Key (JWK) [RFC7517].  Describes publishing public keys in
      JSON format.

   Encrypted Authenticated Resource Locator [draft-hallambaker-earl].
      Describes a URI form that provides means of retrieving, decrypting
      and authenticating an associated ciphertext.

2.4.  Implementation Status

   Reference code under the MIT Open-Source license has been developed
   to demonstrate all the features described in this document.

3.  Card Extensions

   The JSContact objects specified in [RFC9553] are extended as described
   in the following sections.

3.1.  Additional Card Properties

   The following properties are added to the Card object specified in
   [RFC9553].

3.1.1.  updates

   "updates": String[Update] (optional) Specifies mechanisms for
   obtaining updates to the card.

   An Update object has all the properties of the Resource data type,
   with the following additional definitions:

   "protocol": String (optional) The IANA update protocol identifier.

   "keys": String[String] (optional) The identifiers of the set of
   cryptographic keys to be used to authenticate the updated contact
   information and their use.

   "updates": {
     "update1": {
       "@type": "Update",
       "uri": "https://contacts.example.com/NDNV-L6BK-GWRM-542G-YPQZ-UQG
           P-MKQS",
       "keys": {
         "MDA4-2QRJ-OY5U-CTCN-TJCM-7ROT-3NC6": "sign"}}}

3.1.2.  serviceGroups

   "serviceGroups": String[ServiceGroup] (optional) Specifies groups of
   related email addresses and online services.

   A ServiceGroup object has all the properties of the Resource data
   type, with the following additional definition:

   "members": String[Boolean] (optional) The identifiers of the service
   group members.  The boolean value corresponding to each MUST be true.

   "serviceGroups": {
     "NBUQ-JHKR-MLIE-4MOE-BSQV-EGNC-XNIH": {
       "@type": "ServiceGroup",
       "label": "Developer Key Set",
       "members": {
         "MDCO-377C-3R6S-X2SC-NHS6-BCQS-A623": true,
         "MBJ7-VZZO-NY6R-4BGH-YUBY-4ADY-UTDT": true,
         "MDZ7-XMQY-XHVJ-233R-P75B-2B4R-NFWU": true,
         "MBFR-6JKU-GO3E-JIUU-X2DW-NUCK-L4VY": true,
         "MAZ3-AMHL-GLHQ-HFNK-IWZ4-ZVAP-VDWD": true,
         "MB6M-HCTS-VO6W-UMIX-FW2R-4XGJ-J5V7": true,
         "MBIH-YWGE-7R6X-6QIS-77DR-NB4S-LPDC": true}}}

3.2.  Extended Objects

   The following objects specified in [RFC9553] are extended to add the
   specified properties.

3.2.1.  EmailAddress

   An EmailAddress object has the following properties.

3.2.2.  cryptoKeyIds

   "cryptoKeyIds": String[String] (optional) The identifiers of the set
   of cryptographic keys to be used to authenticate the updated contact
   information and their use.

   "cryptoKeyIds": {
     "MCBV-AP74-6FWL-45K7-MRPV-XISQ-CARZ": "smime",
     "MBOH-BAER-57K4-MEFK-RTA3-K67Y-KA4F": "smime",
     "MCUK-IIT7-WXOW-DUJU-5LWP-SC4L-HHWT": "openpgp",
     "MCNS-D5JZ-PPCU-TQE5-R7Z4-KQHF-7FKK": "openpgp"}

3.2.3.  OnlineService

   An OnlineService object has the following properties.

3.2.4.  cryptoKeyIds

   "cryptoKeyIds": String[String] (optional) The identifiers of the set
   of cryptographic keys to be used to authenticate the updated contact
   information and their use.

   "cryptoKeyIds": {
     "MCDT-ILSJ-UXCH-LQKG-2Z6F-3O7Q-SFFN": "ssh"}

3.3.  New Objects

   The following object is defined:

3.3.1.  JsonWebKeySet

   A JsonWebKeySet object has all the properties of the CryptoKey data
   type, with the following additional definition:

3.3.2.  jsonWebKeys

   "jsonWebKeys": JWK[] (optional) A JSON Web Key Set.

   The JWK object is defined in [RFC7517].

   "jsonWebKeys": [{
       "kty": "RSA",
       "use": "any",
       "n": "xXs93LBkrGyNDumBvoUKE_NTW1kkEy7YnlnbzZxoIvGF4JjrRuR9pW87dHP
           u1xEU2cfrZ_o_g9IqDFheHC7NeCJG4Ngpdmwx2puYTeOT_M8eBCMqjPIItZNq
           7Dzt06LtJGekQpVr9tZXg-yA6yTbA6Lc8nd_qHSFzI5wu5Zq8WhI4HotlKcYn
           21w7m75pkV7veNmnaEtTB6PijjyaH_Gnx5_25T8U0vupHu01RobR4UmhLUc9G
           4VPqEP2Qm2T47D4CJ_dmcVRy4j510Tk1_ICEdevvvskNTM0WBNGWoguBC7_5x
           Ge_n-Y9kazjrornekcu2JH7UkfeRohpqmV61nfQ",
       "e": "AQAB"}]
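
   How the cryptoKeyIds, cryptoKeys and serviceGroups properties defined
   above fit together when a client picks a key (Sections 1.1 to 1.3),
   as an added example that is not from the draft or its reference
   code.  The function names, the short identifiers and the sample card
   are constructed, and treating the JWK use value "any" as matching
   every requested use is an assumption.

```python
"""Resolve the keys a JSContact card binds to a service, and lint the links."""


class CardError(ValueError):
    """The card references something it does not define."""


def keys_for(card, collection, entry_id, key_use, jwk_use=None):
    """Return {key_id: [jwk, ...]} for one "emails" or "onlineServices" entry.

    key_use is matched against the cryptoKeyIds value ("smime", "ssh", ...).
    jwk_use, if given, is matched against each JWK "use" member; the value
    "any" used in the draft's examples is assumed to match every use.
    """
    entry = card.get(collection, {}).get(entry_id)
    if entry is None:
        raise CardError(f"{collection}/{entry_id} is not in the card")
    selected = {}
    for key_id, use in entry.get("cryptoKeyIds", {}).items():
        if use != key_use:
            continue
        key_set = card.get("cryptoKeys", {}).get(key_id)
        if key_set is None:
            raise CardError(f"{entry_id} names key {key_id}, absent from cryptoKeys")
        jwks = [jwk for jwk in key_set.get("jsonWebKeys", [])
                if jwk_use is None or jwk.get("use") in (jwk_use, "any")]
        if jwks:
            selected[key_id] = jwks
    return selected


def group_keys(card, group_id, key_use):
    """Collect keys of one use across the members of a serviceGroups entry."""
    members = card.get("serviceGroups", {}).get(group_id, {}).get("members", {})
    found = {}
    for member_id, flag in members.items():
        if flag is not True:          # the member value MUST be true
            continue
        for collection in ("emails", "onlineServices"):
            if member_id in card.get(collection, {}):
                found.update(keys_for(card, collection, member_id, key_use))
    return found


def lint(card):
    """Return a sorted list of broken links between the card's sections."""
    problems = []
    defined = set(card.get("cryptoKeys", {}))
    services = set(card.get("emails", {})) | set(card.get("onlineServices", {}))
    for collection in ("emails", "onlineServices"):
        for entry_id, entry in card.get(collection, {}).items():
            for key_id in entry.get("cryptoKeyIds", {}):
                if key_id not in defined:
                    problems.append(f"{entry_id}: unknown key {key_id}")
    for group_id, group in card.get("serviceGroups", {}).items():
        for member_id, flag in group.get("members", {}).items():
            if flag is not True:
                problems.append(f"{group_id}: member {member_id} value is not true")
            if member_id not in services:
                problems.append(f"{group_id}: unknown member {member_id}")
    return sorted(problems)


def _rsa(use):
    """Constructed placeholder JWK; "n" is not real key material."""
    return {"kty": "RSA", "use": use, "n": "constructed", "e": "AQAB"}


# Constructed sample card. K-PGP is deliberately missing from cryptoKeys and
# S-GONE is a deliberately broken group member, so lint() has work to do.
SAMPLE_CARD = {
    "@type": "Card",
    "emails": {"main": {
        "@type": "EmailAddress", "address": "alice@example.com",
        "cryptoKeyIds": {"K-ENC": "smime", "K-SIG": "smime", "K-PGP": "openpgp"}}},
    "onlineServices": {"S-SSH": {
        "@type": "OnlineService", "service": "ssh",
        "cryptoKeyIds": {"K-SSH": "ssh"}}},
    "serviceGroups": {"dev": {
        "@type": "ServiceGroup", "label": "Developer Key Set",
        "members": {"S-SSH": True, "S-GONE": False}}},
    "cryptoKeys": {
        "K-ENC": {"@type": "JsonWebKeySet", "jsonWebKeys": [_rsa("enc")]},
        "K-SIG": {"@type": "JsonWebKeySet", "jsonWebKeys": [_rsa("sig")]},
        "K-SSH": {"@type": "JsonWebKeySet", "jsonWebKeys": [_rsa("any")]},
    },
}

if __name__ == "__main__":
    print(list(keys_for(SAMPLE_CARD, "emails", "main", "smime", jwk_use="enc")))
    print(list(group_keys(SAMPLE_CARD, "dev", "ssh")))
    print("\n".join(lint(SAMPLE_CARD)))
```

   A client that raises on a dangling key identifier, rather than
   silently falling back to another key listed in the card, keeps a key
   intended for one application from being used for another.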

4.  Application Profiles

   This section _will_ provide guidance on how to encode cryptographic
   keys for specific applications.  It is currently a placeholder so the
   relevant expert groups have an opportunity to advise the precise
   means by which the relevant information is presented.

4.1.  S/MIME

   S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a
   consistent way to send and receive secure MIME data over SMTP and
   other messaging transports.

   Certificates issued for use with S/MIME are commonly used for other
   purposes, for example TLS client authentication.  For the purposes of
   this discussion, our focus is strictly limited to the use of the
   certificate for messaging.

   If the messaging protocol is SMTP, the service is specified as an
   EmailAddress, otherwise the OnlineService structure is used with the
   appropriate service specifier.

   Strawman proposal:

   *  Use a single JWK entry with an x5c to specify the encryption key
      cert, signature key cert and cert path.

   *  Specify the JWK in the keys section of the corresponding
      EmailAddress or OnlineService with the key identifier of the
      corresponding JWK and the 'smime' use.

   {
       "@type":"Card",
       ...
       "cryptoKeys" : {"MCBV-AP74-6FWL-45K7-MRPV-XISQ-CARZ" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "wJ8fBfJvJErn6wQfaOxXSYJJ5nzjjmh6m2xxBgPeYhaB0UJu6moixZ0
   h2C482143EDpQ7IA4BWGlp1qs1Q_eBjPqX3I9cD7BHSn6mNzyUG96s9hUvXQ79Q-5F
   bJ-aVbaat7TUbmfAzQu3UW_DFMrHbLztnJvhN5cUyIpncS965Nhdo0tMk3LP6xNovQ
   MI474KtZdwwTUd2YG8YNGhq8_NGYRtiuqvFVmtNERXg62OrkEyMo0M5wtKUe19O0b1
   ANkXAgfclWO462u52O8mxjzL0yGgg_dsH5VKQ49DjIsElvEjQEv3Z22t-2zRmyUB--
   xY7AAjlPpoliGK8fHNnauoQ",
         "e": "AQAB"}
       ]},
   "MBOH-BAER-57K4-MEFK-RTA3-K67Y-KA4F" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "lh3QrtbxcyT3d4KaNrrrhs7zKU7wLa3uGuclPQ1m_bOBYNHc3ZJz6h-
   9hztueRXWOU5qCOrUgnhm96CbZnduQk29kTIR_iLfAqi4N8ghLlefQuayfUjHnYeUR
   VcdZBRPG88PRyw9DzZbeKKpq5_iiqjeAgaPqmhneym-qbpz5sn4wGT29M3X1uwbdTI
   difc6u0ezDMEVIF1Bofva0gUa7EJQABXuvu-GXbDCQ2sYj4MI8O9kAE9GmXTc2WXVn
   9ILznMLG78RRAt8C6ECZVYM4K28L-Uv0nR8g6hMcdD77fbpuooI73EKan4ofzWssRZ
   MDV_U5SeqdvVI_g-Slep2jQ",
         "e": "AQAB"}
       ]}
   ...
   }

4.2.  OpenPGP

   OpenPGP provides encryption with public key or symmetric
   cryptographic algorithms, digital signatures, compression, and key
   management.

   OpenPGP key management is commonly used for many purposes including
   signing repository commits.  For the purposes of this section, our
   focus is strictly limited to the use of keys for messaging.

   If the messaging protocol is SMTP, the service is specified as an
   EmailAddress, otherwise the OnlineService structure is used with the
   appropriate service specifier.

   Strawman proposal:

   *  User specifies their OpenPGP primary key as an OnlineService with
      service type 'openpgp'.  This is also the place any key server
      information would be placed.

   *  The first key in the keys entry of the service is the key
      identifier of the primary key.

   *  The subkeys are the following keys.

   *  The corresponding key entries are of type JsonWebKey.

   *  The key data is specified as a binary data property.

   *  Other services specify the subkeys that they use.

   {
       "@type":"Card",
       ...
       "cryptoKeys" : {"MCUK-IIT7-WXOW-DUJU-5LWP-SC4L-HHWT" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "uU7YmNP_cnvG7JlCpAopOzG4O5AMQA2BQy2K0FyGz2T_6xSulN4_kKn
   1xiUirXE3apYbu-VxNaAarl-yjPCyPAqzaYXpfu63iVQwqRDubiGP4fsBd4wbbV6qP
   pKJGaSocCih5b65jnxw_UvMz1UPqD7KBZYuSOlwha2-1_1B-skpYN4G6XdqoOLrBjB
   SnNy-0aB5Mu3I-yy_7lZRbfm0UKjXANJlkv7SEvCc51OwyPYc8mQkjDHcGwbB98Ug-
   71jwIVMCz9WTmf2FtdgRDaKNppyrZ6GUSn7M1xbW-OtkA8wID4Bxiqbz9v9CWr4xEv
   Vt8MhoWARGY576rsg6o9h9Q",
         "e": "AQAB"}
       ]},
   "MCNS-D5JZ-PPCU-TQE5-R7Z4-KQHF-7FKK" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "5FB6MlSnk-oqZt6v7UZv6W7H9UHIWytS-bmZzLneDrQhuspmpJbBmZC
   1IeQvLFBC2J9dft9BmQsIlvfZD7z-WDFWRlsroSn5WMXT1S9ByescjYy7G9oapL0k8
   SJFkcNdim5B301EVq1Zxk-G62921wMMD0wuubEIKjEwUypBD7cS6QkWCcLmV1v0WpR
   LlBqdpl8CE8uI_CYynR7et49JctIQFLYYhzMUNPsVff6ki8Y4U6xEZEly_5MtL6EKD
   ivyUoBoPafmurPrfAGJBYdQjcp1D7b5nBmy0ss934MXut17j8HiWQdUoAT7NfW68Td
   tv23SIQsCu6pIRUbky4M2bQ",
         "e": "AQAB"}
       ]}
   ...
   }

4.3.  SSH

   Although the SSH protocol does support certificates, these are not
   currently widely used on the client side and it is not clear that the
   use case of a single user specifying multiple SSH client keys for use
   on multiple devices has been fully distinguished from the use case of
   a corporation certifying keys for multiple employees.

   If the user only has a single client key for a given use, this can be
   specified as JWK public key parameters.

   If the user is making use of client side SSH certificates to
   provision each device with separate SSH credentials, the contact card
   should specify the SSH certificate.

   {
       "@type":"Card",
       ...
       "onlineServices" : {"MAQS-NB2W-KQNY-UP6J-KXB3-EQEE-JL6I" : {
     "@type": "OnlineService",
     "service": "ssh",
     "label": "Main SSH key",
     "cryptoKeyIds": {
       "MCDT-ILSJ-UXCH-LQKG-2Z6F-3O7Q-SFFN": "ssh"}},
   "MDCO-377C-3R6S-X2SC-NHS6-BCQS-A623" : {
     "@type": "OnlineService",
     "service": "ssh",
     "cryptoKeyIds": {
       "MBEX-N46R-AIUQ-FYT6-IEUK-MGV7-SRPQ": "ssh"}}}

   {
       "@type":"Card",
       ...
       "cryptoKeys" : {"MCDT-ILSJ-UXCH-LQKG-2Z6F-3O7Q-SFFN" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "xXs93LBkrGyNDumBvoUKE_NTW1kkEy7YnlnbzZxoIvGF4JjrRuR9pW8
   7dHPu1xEU2cfrZ_o_g9IqDFheHC7NeCJG4Ngpdmwx2puYTeOT_M8eBCMqjPIItZNq7
   Dzt06LtJGekQpVr9tZXg-yA6yTbA6Lc8nd_qHSFzI5wu5Zq8WhI4HotlKcYn21w7m7
   5pkV7veNmnaEtTB6PijjyaH_Gnx5_25T8U0vupHu01RobR4UmhLUc9G4VPqEP2Qm2T
   47D4CJ_dmcVRy4j510Tk1_ICEdevvvskNTM0WBNGWoguBC7_5xGe_n-Y9kazjrorne
   kcu2JH7UkfeRohpqmV61nfQ",
         "e": "AQAB"}
       ]},
   "MBEX-N46R-AIUQ-FYT6-IEUK-MGV7-SRPQ" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "RSA",
         "use": "any",
         "n": "2Wg7e1bAhTBYYh5SxJraa2GxMut3ZdpYrCaYxyQcQIl23_orqoBAF67
   FaKB0rrk2OZuxeFFJv8hmtz4l6QroQ36uB53CsnUm-rr6MYR9YMnoXXC_rL_EM1fkV
   -spbk81N9mbj_TllmtzX4zCNuvEIEFPdJwQZiz7o3gHelZm33u9ChM6UiW9vsGFgBs
   1zF1JBpJ0SW2Yu8F2J5-uizFiuuhCj-XH-G2wWTHCJ89AMUi6ngqd0p1mBYFGRb1h8
   aMOKYRkgWVr_82eZIPh1aeRGvZGw0p6Ieb5DhSQeE_L9_WYk3kzG2v0SIyLTgNjoPo
   u5resE-H9cQSd2ofR6IUK9Q",
         "e": "AQAB"}
       ]}}

4.4.  Code Signing

   Code signing typically makes use of PKIX certificates.  While a
   single certificate could in practice be used for multiple platforms,
   each code signing program tends to have its own requirements and
   set of recognized CAs.

   It is, however, useful for a user to specify their own personal
   hierarchy with a personal root for testing and development purposes.

   A developer may have multiple code signing keys for the same
   platform.  For example, separate signing keys for each development
   machine.

   Some mechanism is required to allow development and production keys
   to be distinguished.

   {
       "@type":"Card",
       ...
       "onlineServices" : {"MDZ7-XMQY-XHVJ-233R-P75B-2B4R-NFWU" : {
     "@type": "OnlineService",
     "service": "code",
     "contexts": {
       "Pkix": true},
     "label": "code Pkix",
     "cryptoKeyIds": {
       "MA2Q-STSG-HL6V-VNUU-Z426-SCKT-WF5Z": "credential"}},
   "MBFR-6JKU-GO3E-JIUU-X2DW-NUCK-L4VY" : {
     "@type": "OnlineService",
     "service": "code",
     "contexts": {
       "Windows": true},
     "label": "code Windows",
     "cryptoKeyIds": {
       "MCFE-K7IZ-JRHA-AA6H-CJZF-SDFQ-LSH3": "credential"}},
   "MAZ3-AMHL-GLHQ-HFNK-IWZ4-ZVAP-VDWD" : {
     "@type": "OnlineService",
     "service": "code",
     "contexts": {
       "Apple": true},
     "label": "code Apple",
     "cryptoKeyIds": {
       "MC2X-ZQSD-EOAR-WYN7-B7DN-SBD3-X44Y": "credential"}},
   "MB6M-HCTS-VO6W-UMIX-FW2R-4XGJ-J5V7" : {
     "@type": "OnlineService",
     "service": "code",
     "contexts": {
       "Android": true},
     "label": "code Android",
     "cryptoKeyIds": {
       "MB5H-DVYY-57VQ-P4YH-7XTK-2GTL-URNG": "credential"}},
   "MBIH-YWGE-7R6X-6QIS-77DR-NB4S-LPDC" : {
     "@type": "OnlineService",
     "service": "code",
     "contexts": {
       "Linux": true},
     "label": "code Linux",
     "cryptoKeyIds": {
       "MAT6-O4LN-KZ66-JK76-L4QG-WWER-F4JI": "credential"}}}

   {
       "@type":"Card",
       ...
       "cryptoKeys" : {"MA2Q-STSG-HL6V-VNUU-Z426-SCKT-WF5Z" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "EC",
         "use": "any",
         "kid": "MA2Q-STSG-HL6V-VNUU-Z426-SCKT-WF5Z",
         "crv": "P-256",
         "x": "9zPl5LQW7yRBMRzk2FQJ5-F5G6kUa88BCdGKd36eK_Y",
         "y": "8uUirOWL7cF79nUY6tXmo34fx2lOVQq_P52JjckbspY"}
       ]},
   "MCFE-K7IZ-JRHA-AA6H-CJZF-SDFQ-LSH3" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "EC",
         "use": "any",
         "kid": "MCFE-K7IZ-JRHA-AA6H-CJZF-SDFQ-LSH3",
         "crv": "P-256",
         "x": "sF3A0qaKYEa0Ak2Y0VbBM79XfJnumtlosElrksOsgyI",
         "y": "GiMDcmQT5DGtgW2XCCUhIPSarEvQE75BKDYMkDocSow"}
       ]},
   "MC2X-ZQSD-EOAR-WYN7-B7DN-SBD3-X44Y" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "EC",
         "use": "any",
         "kid": "MC2X-ZQSD-EOAR-WYN7-B7DN-SBD3-X44Y",
         "crv": "P-256",
         "x": "ebUjncmK0LhAxHsosAlljF0ZvKix7LVn_50otvAhKDU",
         "y": "38vwap7VVaU9GQ6YPpE0vmqGa-wycQCW21hsRvi1t-E"}
       ]},
   "MB5H-DVYY-57VQ-P4YH-7XTK-2GTL-URNG" : {
     "@type": "JsonWebKeySet",

     "jsonWebKeys": [{
         "kty": "EC",
         "use": "any",
         "kid": "MB5H-DVYY-57VQ-P4YH-7XTK-2GTL-URNG",
         "crv": "P-256",
         "x": "Y90738DH7MJiwTBRw-ApJLJ0yMfjL0gz263A5w8ddw4",
         "y": "dOk-a8RvtuE3cbJSmadKM1xHhemvHbQbTmde3KlJeKA"}
       ]},
   "MAT6-O4LN-KZ66-JK76-L4QG-WWER-F4JI" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "EC",
         "use": "any",
         "kid": "MAT6-O4LN-KZ66-JK76-L4QG-WWER-F4JI",
         "crv": "P-256",
         "x": "Na8zkJNzYv_5SHxLwggsUj8iu3lRVISchN9_xuBX0y0",
         "y": "b9-7540dFagjgUg5qhB-Hnx3MTXVakieomOA4_MTNrI"}
       ]}}

4.5.  Commit Signing

   OpenPGP key management is commonly used for signing repository
   commits.

   This use is specified by means of an OnlineService with the service
   type 'commit' with key entries for the set of authorized signing
   keys.

   {
       "@type":"Card",
       ...
       "onlineServices" : {"MBJ7-VZZO-NY6R-4BGH-YUBY-4ADY-UTDT" : {
     "@type": "OnlineService",
     "service": "commit",
     "label": "commit",
     "cryptoKeyIds": {
       "MB4R-SUZM-6LM5-ZEAM-7WTO-ZUSP-TFWN": "credential"}}}

   {
       "@type":"Card",
       ...
       "cryptoKeys" : {"MB4R-SUZM-6LM5-ZEAM-7WTO-ZUSP-TFWN" : {
     "@type": "JsonWebKeySet",
     "jsonWebKeys": [{
         "kty": "EC",
         "use": "any",
         "kid": "MB4R-SUZM-6LM5-ZEAM-7WTO-ZUSP-TFWN",
         "crv": "P-256",
         "x": "lzT1bFqzRTHXmRfQfAMTD5JRfeWNViYmaVXqo4WeNzo",
         "y": "uFgVeDUVmZDPfBc_533QWwCOzo11doqnMC4-_q6O6NQ"}
       ]}}
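
   The following Python example is added here and is not part of the
   draft.  It shows how a relying party might resolve the keys a Card
   authorizes for a service such as 'code' (optionally narrowed to one
   platform context) or 'commit', rejecting a Card whose cryptoKeyIds
   references do not resolve.  The function and variable names are
   hypothetical, the sample Card is constructed by merging the draft's
   fragments, and requiring each kid to equal its cryptoKeys map key
   (the pattern in the examples) is an assumption of this example.

```python
import base64

# Added example, not from the draft; function and variable names are hypothetical.
# CARD is constructed by merging the draft's code/Windows and commit fragments.
def _jwks(kid, x, y):
    return {"@type": "JsonWebKeySet", "jsonWebKeys": [
        {"kty": "EC", "use": "any", "kid": kid, "crv": "P-256", "x": x, "y": y}]}

WIN, GIT = "MCFE-K7IZ-JRHA-AA6H-CJZF-SDFQ-LSH3", "MB4R-SUZM-6LM5-ZEAM-7WTO-ZUSP-TFWN"
CARD = {
    "@type": "Card",
    "onlineServices": {
        "MBFR-6JKU-GO3E-JIUU-X2DW-NUCK-L4VY": {
            "@type": "OnlineService", "service": "code",
            "contexts": {"Windows": True}, "cryptoKeyIds": {WIN: "credential"}},
        "MBJ7-VZZO-NY6R-4BGH-YUBY-4ADY-UTDT": {
            "@type": "OnlineService", "service": "commit",
            "cryptoKeyIds": {GIT: "credential"}}},
    "cryptoKeys": {
        WIN: _jwks(WIN, "sF3A0qaKYEa0Ak2Y0VbBM79XfJnumtlosElrksOsgyI",
                   "GiMDcmQT5DGtgW2XCCUhIPSarEvQE75BKDYMkDocSow"),
        GIT: _jwks(GIT, "lzT1bFqzRTHXmRfQfAMTD5JRfeWNViYmaVXqo4WeNzo",
                   "uFgVeDUVmZDPfBc_533QWwCOzo11doqnMC4-_q6O6NQ")}}

def authorized_keys(card, service, context=None):
    """Return {key id: JWK} authorized for (service, context); fail closed on a
    dangling reference, a kid that differs from its map key, or a bad P-256 key."""
    found = {}
    for svc in card.get("onlineServices", {}).values():
        if svc.get("service") != service:
            continue
        if context is not None and not svc.get("contexts", {}).get(context):
            continue
        for key_id in svc.get("cryptoKeyIds", {}):
            entry = card.get("cryptoKeys", {}).get(key_id)
            if entry is None:
                raise ValueError(f"{key_id}: no matching cryptoKeys entry")
            for jwk in entry.get("jsonWebKeys", []):
                if jwk.get("kid") != key_id:
                    raise ValueError(f"{key_id}: kid is {jwk.get('kid')!r}")
                if (jwk.get("kty"), jwk.get("crv")) != ("EC", "P-256"):
                    raise ValueError(f"{key_id}: not an EC P-256 key")
                for c in ("x", "y"):  # base64url, 32 bytes each for P-256
                    s = jwk.get(c, "")
                    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
                    if len(raw) != 32:
                        raise ValueError(f"{key_id}: bad {c} coordinate")
                found[key_id] = jwk
    return found
```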

5.  IANA Considerations

   This document does not specify any actions for IANA yet but it
   will...[TBS]

6.  Acknowledgements

   Many thanks to Robert Stepanek who helped refine the approach to
   extending the schema.

7.  Normative References

   [draft-hallambaker-earl]
              Hallam-Baker, P., "Encrypted Authenticated Resource
              Locator", Work in Progress, Internet-Draft, draft-
              hallambaker-earl-00, 10 April 2025,
              <https://datatracker.ietf.org/doc/html/draft-hallambaker-
              earl-00>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7517>.

   [RFC9553]  Stepanek, R. and M. Loffredo, "JSContact: A JSON
              Representation of Contact Data", RFC 9553,
              DOI 10.17487/RFC9553, May 2024,
              <https://www.rfc-editor.org/rfc/rfc9553>.

Author's Address

   Phillip Hallam-Baker
   ThresholdSecrets.com
   Email: [email protected]
