
When adding a User ID to your OpenPGP key, you are typically asked (for example by GnuPG) to provide a name, a comment, and an email address (where each part is optional).

This format (Name (Comment) <email address>) is described by RFC 4880, section 5.11 (User ID Packet):

By convention, it includes an RFC 2822 [RFC2822] mail name-addr, but there are no restrictions on its content.

While it says it’s only a "convention" and there are "no restrictions on its content", the first sentence of this section reads:

A User ID packet consists of UTF-8 text that is intended to represent the name and email address of the key holder.

I assume (please correct me if I’m wrong) that "intended to represent the name and email address" is not normative. So that would mean:

  1. I may specify any kind of content (it does not have to represent a name and/or an email address).
  2. If I specify a name and an email address, I don’t have to follow the address format described in RFC 2822.

Is this correct?

If so, I could specify any kind of URI (using angle brackets to delimit it). As the URI scheme would be included (contrary to the "convention" format), it could, for example, prevent people mistaking an XMPP address for an email address.

Examples of possible User IDs:

  • <mailto:unor@example.com> (my email address)
  • <xmpp:unor@example.org> (my JID)
  • <tel:+1-201-555-0123> (my telephone number)
  • <acct:12139@security.stackexchange.com> (my Security SE account)
  • <https://example.org/> (my website)

Is this sensible, maybe even recommended? Will it break something?

I especially wonder if tools (like keyservers, mail clients or key chains) will still find/associate a key with an email address if the full URI is specified (<mailto:unor@example.com>), and if they won’t interpret an XMPP address (<xmpp:unor@example.org>) as an email address.

unor

1 Answer

Standardization

Don't expect any clients to be able to read those user IDs. User IDs following the schema provided are not part of the standard and will very likely not be implemented.

This is especially valid for providing mail addresses, which do have a formalized representation; including a mailto: prefix would break that.

Arbitrary Strings are Allowed

Anything beyond name, mail address and possibly a comment is not standardized, but the standard does not disallow anything; you can provide any string you want. Consider whether somebody else will be able to understand what information you want to provide, and whether giving the information is reasonable (thus, would anybody approve/certify the user ID?).

Maybe try to avoid matching the schema defined by RFC 2822, and do not put anything in angle brackets which does not fit an e-mail address you're able to receive mail on, as this is what implementations (and possible other users) would expect.

OpenPGP Notations

Another way to give (usage) restrictions would be using notations, but again, there is no defined way of using them, and I haven't heard of any implementation actually making use of them.

Jens Erat
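To make the answer's point concrete, here is an added example (not from the question or the answer) of what a convention-following client does with a User ID: it splits "Name (Comment) <address>", treats the angle-bracket part as an RFC 2822 addr-spec, and matches it against a queried email address. The function names and the deliberately simplified addr-spec pattern are my own assumptions; the User IDs used as input are the ones proposed in the question.

```python
import re

# RFC 4880 convention: "Name (Comment) <addr-spec>"; every part is optional.
UID_RE = re.compile(
    r"^\s*(?P<name>[^(<]*?)\s*"
    r"(?:\((?P<comment>[^)]*)\))?\s*"
    r"(?:<(?P<addr>[^>]*)>)?\s*$"
)
# Simplified addr-spec (assumption, not full RFC 2822): local@domain.tld, no URI scheme.
ADDR_SPEC_RE = re.compile(r"^[^\s@:<>]+@[^\s@<>]+\.[^\s@<>]+$")
# A URI scheme as in RFC 3986: letter followed by letters, digits, "+", "-", ".", then ":".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def parse_user_id(uid):
    """Split a User ID into name, comment and angle-bracket address (None when absent)."""
    m = UID_RE.match(uid)
    if not m:
        return {"name": None, "comment": None, "addr": None}
    return {k: (v.strip() or None) if v is not None else None
            for k, v in m.groupdict().items()}


def classify_addr(addr):
    """'email' for a plain addr-spec, 'uri' when a scheme prefix is present, else 'other'."""
    if addr is None:
        return "none"
    if ADDR_SPEC_RE.match(addr):
        return "email"
    if SCHEME_RE.match(addr):
        return "uri"
    return "other"


def uid_matches_email(uid, email):
    """What a conventional lookup does: compare the bracketed addr-spec with the query."""
    addr = parse_user_id(uid)["addr"]
    return classify_addr(addr) == "email" and addr.lower() == email.lower()


if __name__ == "__main__":
    # Constructed sample User IDs, built from the examples in the question.
    for uid in ["unor <unor@example.com>",
                "unor <mailto:unor@example.com>",
                "unor (my JID) <xmpp:unor@example.org>",
                "<tel:+1-201-555-0123>",
                "<acct:12139@security.stackexchange.com>"]:
        parts = parse_user_id(uid)
        print(f"{uid!r}: {classify_addr(parts['addr'])}, "
              f"matches unor@example.com: {uid_matches_email(uid, 'unor@example.com')}")
```

Only the bare "<unor@example.com>" form is found by an email lookup; every URI-prefixed variant is classified as a URI and fails the match, which is the breakage the answer warns about.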