Link relations for public gpg and ssh keys


Christian Weiske

Sep 4, 2012, 7:42:02 AM
to webf...@googlegroups.com
Hi,


What are the link relations for public gpg and ssh keys?
I'd like my gitorious instance be able to automatically authorize my ssh
keys when logging into my account, and publicizing them via webfinger
seems to be the best option.

I only found a discussion about that
> https://groups.google.com/forum/?fromgroups=#!topic/webfinger/InciYVDLtKs
without any

--
Regards/Mit freundlichen Grüßen
Christian Weiske

-= Geeking around in the name of science since 1982 =-

Paul E. Jones

Sep 11, 2012, 12:15:04 AM
to webf...@googlegroups.com
I'm not sure if any have been defined. Unfortunately, there are a lot of link relations in use that are not defined.

IANA has some that are registered:
http://www.iana.org/assignments/link-relations/link-relations.xml

I also have a list of known link relations:
http://www.packetizer.com/webfinger/link_relations.html

My list was intended to cover those which were not formally described by a standard body, particularly those that were URIs. I did include a few that are (or should be) in IANA's list.

What we need is for all of this to be in one place. I'd be happy to continue publishing the URI-based link relations list if IANA will not.

Paul

Christian Weiske

Sep 11, 2012, 2:37:51 PM
to webf...@googlegroups.com
Hello Paul,


> My list was intended to cover those which were not formally described
> by a standard body, particularly those that were URIs. I did include
> a few that are (or should be) in IANA's list.
>
> What we need is for all of this to be in one place. I'd be happy to
> continue publishing the URI-based link relations list if IANA will
> not.

How does one proceed to get them adopted by IANA?

Another question: What would be good relations?

GPG: gpg-key? gpg-id?
SSH: ssh-public-key? Does it matter if it's rsa or dsa? Should it
contain the full line ("ssh-rsa $key $name") or just the $key?

Melvin Carvalho

Sep 11, 2012, 2:50:32 PM
to webf...@googlegroups.com
On 11 September 2012 20:37, Christian Weiske <cwe...@cweiske.de> wrote:
Hello Paul,


> My list was intended to cover those which were not formally described
> by a standard body, particularly those that were URIs.  I did include
> a few that are (or should be) in IANA's list.
>
> What we need is for all of this to be in one place.  I'd be happy to
> continue publishing the URI-based link relations list if IANA will
> not.

How does one proceed to get them adopted by IANA?

Another question: What would be good relations?

GPG: gpg-key? gpg-id?
SSH: ssh-public-key? Does it matter if it's rsa or dsa? Should it
contain the full line ("ssh-rsa $key $name") or just the $key?

I think there are a few ways of doing this.

Why not just use a full URL in the link?

Currently from my homepage I have a few links marked up using html5:

http://www.melvincarvalho.com/

Modulus: http://www.w3.org/ns/auth/cert#modulus
Exponent: http://www.w3.org/ns/auth/cert#exponent

GPG Fingerprint: http://xmlns.com/wot/0.1/fingerprint
GPG hex ID : http://xmlns.com/wot/0.1/hex_id
GPG Ascii file : http://xmlns.com/wot/0.1/pubKeyAddress

There are a few others that I know of for displaying PEM and/or DER. I think exponent/modulus is the cleanest, perhaps because you can use them to verify/sign/encrypt/decrypt quite easily in JS with an ASN.1 parser.

Is there anything specific that you need?
 

Christian Weiske

Sep 11, 2012, 2:53:40 PM
to webf...@googlegroups.com
Hello Melvin,
That's exactly what I was looking for, but I didn't know those URLs.


> There's a few others that I know of for displaying PEM and/or DER. I
> think exponent/modulus is the cleanest perhaps because you can use
> them to verify/sign/encrypt/decrypt quite easily in js with an ASN.1
> parser.
>
> Is there anything specific that you need?
The URL for SSH keys is what I need, too.

Kingsley Idehen

Sep 11, 2012, 3:16:49 PM
to webf...@googlegroups.com
On 9/11/12 2:53 PM, Christian Weiske wrote:
> Hello Melvin,
>
>
>
>
>> GPG Fingerprint: http://xmlns.com/wot/0.1/fingerprint
>> GPG hex ID : http://xmlns.com/wot/0.1/hex_id
>> GPG Ascii file : http://xmlns.com/wot/0.1/pubKeyAddress
> That's exactly what I was looking for, but I didn't know those URLs.
>
>
>> There's a few others that I know of for displaying PEM and/or DER. I
>> think exponent/modulus is the cleanest perhaps because you can use
>> them to verify/sign/encrypt/decrypt quite easily in js with an ASN.1
>> parser.
>>
>> Is there anything specific that you need?
> The URL for SSH keys is what I need, too.
>
A little trickier, but maybe this post helps. Basically, I explain the
virtues of having a URI for your Public Key:

1. http://bit.ly/SmQLJe -- simple SSH setup guide for Linux

2. http://bit.ly/P0HVdI -- benefits of having a URI for your Public Key.



--

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen





Christian Weiske

Sep 11, 2012, 3:28:26 PM
to webf...@googlegroups.com
Hello Kingsley,
> > The URL for SSH keys is what I need, too.

> A little trickier, but maybe this post helps. Basically, I explain
> the virtues of having a URI for your Public Key:
> 1. http://bit.ly/SmQLJe -- simple SSH setup guide for Linux
> 2. http://bit.ly/P0HVdI -- benefits of having a URI for your Public Key.

So you use "application/x-ssh-key" as content type for ssh keys. You
don't include the type, though - I don't know if it's ssh-rsa or
ssh-dsa (or whatever comes tomorrow), so I cannot auto-populate my
authorized keys.

The other open question is still: What link relation should I use to
link my public key URL from my webfinger file? x-ssh-key?

Paul E. Jones

Sep 12, 2012, 12:14:55 PM
to webf...@googlegroups.com
Christian,

> How does one proceed to get them adopted by IANA?

The procedure is documented here:
http://tools.ietf.org/html/rfc5988#section-6.2.1

If the link relations you want to register have wide utility, then you might want to go the route of registering a link relation name.

Of course, URIs do not need to be registered, but then we need a place to document them so people use the same URIs for the same purpose. As I mentioned, I'm happy to maintain a list, but it would be better if there was an SDO that did that.

> Another question: What would be good relations?
>
> GPG: gpg-key? gpg-id?
> SSH: ssh-public-key? Does it matter if it's rsa or dsa? Should it contain
> the full line ("ssh-rsa $key $name") or just the $key?


If you use token names registered with IANA, I would think gpg-key, for example, would work. They're just names. Names are not as important as the defined semantics, which is why the IETF wants an expert review of those names.

For URIs, anything would work. It would be nice if we could all agree on a specific domain for use with webfinger (e.g., webfinger.net), but that's not necessary. The benefit of using URIs is that any domain owner can define something and use it.

Paul


Kingsley Idehen

Sep 12, 2012, 12:29:21 PM
to webf...@googlegroups.com
On 9/11/12 3:28 PM, Christian Weiske wrote:
> Hello Kingsley,
>
>
>>>> GPG Fingerprint: http://xmlns.com/wot/0.1/fingerprint
>>>> GPG hex ID : http://xmlns.com/wot/0.1/hex_id
>>>> GPG Ascii file : http://xmlns.com/wot/0.1/pubKeyAddress
>>> The URL for SSH keys is what I need, too.
>> A little trickier, but maybe this post helps. Basically, I explain
>> the virtues of having a URI for your Public Key:
>> 1. http://bit.ly/SmQLJe -- simple SSH setup guide for Linux
>> 2. http://bit.ly/P0HVdI -- benefits of having a URI for your Public Key.
> So you use "application/x-ssh-key" as content type for ssh keys. You
> don't include the type, though - I don't know if it's ssh-rsa or
> ssh-dsa (or whatever comes tomorrow), so I cannot auto-populate my
> authorized keys.

Ah! It's ssh-rsa. I'll update my guide.
>
> The other open question is still: What link relation should I use to
> link my public key URL from my webfinger file? x-ssh-key?

If there isn't one from IANA then just use a URI (you can make up your
own URI-based name, worst case). You could use what we use as per:
http://id.myopenlink.net/describe/?url=http%3A%2F%2Fwww.openlinksw.com%2Fschemas%2Fcert%23hasPublicKey
Thus, the URI (as per @href that anchors the text in About:) would
be: http://www.openlinksw.com/schemas/cert#hasPublicKey

Melvin Carvalho

Sep 12, 2012, 12:41:53 PM
to webf...@googlegroups.com, Dan Brickley, Story Henry, Manu Sporny
On 11 September 2012 20:53, Christian Weiske <cwe...@cweiske.de> wrote:
Hello Melvin,
That's exactly what I was looking for, but I didn't know those URLs.


> There's a few others that I know of for displaying PEM and/or DER.  I
> think exponent/modulus is the cleanest perhaps because you can use
> them to verify/sign/encrypt/decrypt quite easily in js with an ASN.1
> parser.
>
> Is there anything specific that you need?
The URL for SSH keys is what I need, too.

Good question, I'm not sure anyone to date has officially modeled SSH keys on the Web, though I understand that the SSH format is quite close (but not identical) to PEM.

CC: Dan, Henry, Manu (author of some public key vocabs) in case they know of anything that would fit
 

Melvin Carvalho

Sep 12, 2012, 12:59:18 PM
to Henry Story, webf...@googlegroups.com, Dan Brickley, Manu Sporny


On 12 September 2012 18:44, Henry Story <henry...@bblfish.net> wrote:

On 12 Sep 2012, at 18:41, Melvin Carvalho <melvinc...@gmail.com> wrote:

>
> Is there anything specific that you need?
The URL for SSH keys is what I need, too.


Just asking, as I am not sure yet what is needed: 
  What is the URL for SSH keys? What kind of thing is that? Pointers would help.

Sorry, the original question was whether there is a link relation (URI) to an ssh public key, e.g. one that could be reused from an existing vocab
 


Melvin Carvalho

Sep 12, 2012, 1:03:45 PM
to Henry Story, webf...@googlegroups.com, Dan Brickley, Manu Sporny
On 12 September 2012 18:44, Henry Story <henry...@bblfish.net> wrote:
On 12 Sep 2012, at 18:41, Melvin Carvalho <melvinc...@gmail.com> wrote:

>
> Is there anything specific that you need?
The URL for SSH keys is what I need, too.


Just asking, as I am not sure yet what is needed: 
  What is the URL for SSH keys? What kind of thing is that? Pointers would help.

FYI I believe RFC 4716 describes ssh public keys

http://www.ietf.org/rfc/rfc4716.txt
 

Henry Story

Sep 12, 2012, 1:14:22 PM
to webf...@googlegroups.com, Henry Story, Dan Brickley, Manu Sporny

On Wednesday, 12 September 2012 18:59:20 UTC+2, melvincarvalho wrote:
Sorry, the original question was whether there is a link relation (URI) to an ssh public key, e.g. one that could be reused from an existing vocab

You want to link a page to a public key?

What would be the meaning of the link? That the primary topic of the page is identified by that public key?

Henry Story

Sep 12, 2012, 1:06:37 PM
to Melvin Carvalho, webf...@googlegroups.com, Dan Brickley, Manu Sporny
You want to link a page to a public key?
What would be the meaning of the link? That the primary topic of the page is identified by that public key?

Henry

Kingsley Idehen

Sep 12, 2012, 2:55:24 PM
to webf...@googlegroups.com
On 9/12/12 1:14 PM, Henry Story wrote:

On Wednesday, 12 September 2012 18:59:20 UTC+2, melvincarvalho wrote:
Sorry, the original question was whether there is a link relation (URI) to an ssh public key, e.g. one that could be reused from an existing vocab

You want to link a page to a public key?


They want to associate a document with a public key. In this case, assume a document that holds some identity-oriented claims. Thus, emulating the relationship that would hold between something like an X.509 certificate (a document) and the public data it bears. Said document would have an "author" or "creator" relationship that ultimately enables triangulation of an association between the document creator and the public key it bears:

@prefix : <#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# The predicate is a full IRI, so Turtle needs it in angle brackets.
<> <http://www.openlinksw.com/schemas/cert#hasPublicKey> "public-key-data"^^xsd:hexBinary .
<> foaf:maker :this .

What would be the meaning of the link? That the primary topic of the page is identified by that public key?


No, that the document's creator was responsible for the public key relationship insertion :-)

Kingsley




Kingsley Idehen

Sep 12, 2012, 2:57:17 PM
to webf...@googlegroups.com
On 9/12/12 2:55 PM, Kingsley Idehen wrote:
On 9/12/12 1:14 PM, Henry Story wrote:

On Wednesday, 12 September 2012 18:59:20 UTC+2, melvincarvalho wrote:
Sorry, the original question was whether there is a link relation (URI) to an ssh public key, e.g. one that could be reused from an existing vocab

You want to link a page to a public key?


They want to associate a document with a public key. In this case, assume a document that holds some identity-oriented claims. Thus, emulating the relationship that would hold between something like an X.509 certificate (a document) and the public data it bears. Said document would have an "author" or "creator" relationship that ultimately enables triangulation of an association between the document creator and the public key it bears:

@prefix : <#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# The predicate is a full IRI, so Turtle needs it in angle brackets.
<> <http://www.openlinksw.com/schemas/cert#hasPublicKey> "public-key-data"^^xsd:hexBinary .
<> foaf:maker :this .

What would be the meaning of the link? That the primary topic of the page is identified by that public key?


No, that the document's creator was responsible for the public key relationship insertion :-)

To be clearer:



@prefix : <#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# The predicate is a full IRI, so Turtle needs it in angle brackets.
<> <http://www.openlinksw.com/schemas/cert#hasPublicKey> "public-key-data"^^xsd:hexBinary .
<> foaf:maker :this .
# FOAF's class for a document describing its own maker is PersonalProfileDocument.
<> a foaf:PersonalProfileDocument .
:this a foaf:Person .

Kingsley

Christian Weiske

Sep 12, 2012, 3:04:45 PM
to webf...@googlegroups.com, henry...@gmail.com, Henry Story, Dan Brickley, Manu Sporny
Hello Henry,


> > Sorry, the original question was whether there is link relation
> > (URI) to an ssh public key, eg that could be reused from an
> > existing vocab
> You want to link a page to a public key?
>
> What would be the meaning of the link? That the primary topic of the
> page is identified by that public key?

No, I want to express that the public ssh key belongs to me (my email
address), to enable automatic setup of services that I can ssh to (e.g.
git servers).

I'd just give them my email address, they use webfinger to find an LRDD
document about me, which in turn links to an URI that has my public ssh
key. Now the question is: what link relation can I use to express "this
is my public ssh key"?

Bob Wyman

Sep 12, 2012, 3:12:47 PM
to webf...@googlegroups.com, Henry Story, Dan Brickley, Manu Sporny
On Wed, Sep 12, 2012 at 1:14 PM, Henry Story <henry...@gmail.com> wrote:

On Wednesday, 12 September 2012 18:59:20 UTC+2, melvincarvalho wrote:
Sorry, the original question was whether there is a link relation (URI) to an ssh public key, e.g. one that could be reused from an existing vocab

You want to link a page to a public key?

What would be the meaning of the link? That the primary topic of the page is identified by that public key?

Given that the link relation would live in a WebFinger profile, I believe the meaning of the link might be something like this: 
"This public-key is one that is or may be used by those who were able to create this link in this WebFinger profile."
Assuming that the profile, etc. hasn't been hacked, the correspondence between "those able to create the link" and some useful set of individuals will be useful.

For example: You might have some document that claimed to have been signed by "acct:b...@example.com." If you looked up the WebFinger profile for that URI and found a link to a public key, you could use that public key to verify the signature.

bob wyman

Kingsley Idehen

Sep 12, 2012, 3:41:52 PM
to webf...@googlegroups.com
On 9/12/12 3:04 PM, Christian Weiske wrote:
> Hello Henry,
>
>
>>> Sorry, the original question was whether there is link relation
>>> (URI) to an ssh public key, eg that could be reused from an
>>> existing vocab
>> You want to link a page to a public key?
>>
>> What would be the meaning of the link? That the primary topic of the
>> page is identified by that public key?
> No, I want to express that the public ssh key belongs to me (my email
> address), to enable automatic setup of services that I can ssh to (e.g.
> git servers).

Meaning: you are denoting yourself via a mailto: scheme URI.

Semantic triangulation:
@prefix : <#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# The predicate is a full IRI, so Turtle needs it in angle brackets.
<> <http://www.openlinksw.com/schemas/cert#hasPublicKey> "public-key-data"^^xsd:hexBinary .
<> foaf:maker :this .
<> a foaf:PersonalProfileDocument .
:this a foaf:Person .
:this foaf:mbox <{Your-Mailto-Scheme-URI}> .
# foaf:mbox is inverse functional: one mailbox denotes exactly one person.
foaf:mbox a owl:InverseFunctionalProperty .

Henry: a few things are possible with this resource:

1. email address and ssh-rsa key association -- useful for ssh setup
2. use of <link rel="alternate" ... /> to expose the public key (in
alternative formats), e.g., for use with S/MIME for email encryption
3. use of <link rel="cert:key" ../> -- using the full URI in @rel sets
the stage for WebID protocol based authentication for processors that
can make profile graphs from resources bearing <link/> based
relationships (of course, it can be fixed further with Microdata, RDFa,
or Turtle embedded in <script/> ).




>
> I'd just give them my email address, they use webfinger to find an LRDD
> document about me, which in turn links to an URI that has my public ssh
> key. Now the question is: what link relation can I use to express "this
> is my public ssh key"?

The one I suggested. Thus, it would be:

<link rel="http://www.openlinksw.com/schemas/cert#hasPublicKey"
href="{SSH-Format-Public-Key-Resource-URL}" ... />
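The flow Christian describes (email address, WebFinger lookup, link to a key resource, authorized_keys entry) together with the `<link rel=".../cert#hasPublicKey">` form Kingsley suggests, worked through as an added example in Python. This is not code from the thread or from any of the projects named in it. It assumes a JRD-style WebFinger document with `rel`/`type`/`href` link members, the rel URI proposed above, the `application/x-ssh-key` media type from Kingsley's guide, and constructed sample data; the HTTP fetch is stubbed with an in-memory dict. It also goes one step beyond the thread on Christian's "untyped resource" concern: the base64 blob of an OpenSSH public key starts with its own algorithm name (RFC 4253 wire format), so a consumer can recover the type from a bare blob and must cross-check it when a type is declared.

```python
import base64
import json
import struct

# Link relation proposed in the thread and the media type from Kingsley's guide.
HAS_PUBLIC_KEY_REL = "http://www.openlinksw.com/schemas/cert#hasPublicKey"
SSH_KEY_MEDIA_TYPE = "application/x-ssh-key"
# Policy of this example (an assumption): which key algorithms may be installed.
ACCEPTED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa"}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: big-endian uint32 length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire-format string at ``offset``; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line: str):
    """Parse '<type> <base64 blob> [comment]' or a bare base64 blob.

    The blob begins with its own algorithm name, so the type can be recovered
    from an untyped resource and must agree with a declared type if present.
    Returns (key_type, blob_b64, comment).
    """
    parts = line.strip().split(None, 2)
    if not parts:
        raise ValueError("empty key line")
    if len(parts) == 1:  # untyped resource: blob only
        declared_type, blob_b64, comment = None, parts[0], ""
    else:
        declared_type, blob_b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    embedded_type = read_ssh_string(blob)[0].decode("ascii", "replace")
    if declared_type is not None and declared_type != embedded_type:
        raise ValueError("declared type %s does not match blob type %s"
                         % (declared_type, embedded_type))
    if embedded_type not in ACCEPTED_KEY_TYPES:
        raise ValueError("key type %s is not accepted" % embedded_type)
    return embedded_type, blob_b64, comment


def select_key_links(jrd: dict) -> list:
    """Hrefs of JRD links carrying the hasPublicKey relation with an SSH media type."""
    return [link["href"] for link in jrd.get("links", [])
            if link.get("rel") == HAS_PUBLIC_KEY_REL
            and link.get("type") == SSH_KEY_MEDIA_TYPE and "href" in link]


def authorized_keys_entries(jrd: dict, fetch) -> list:
    """Build authorized_keys lines for the account ``jrd`` describes.

    ``fetch`` maps an href to the resource body (offline stub here, HTTPS GET in
    practice). Lines that fail validation are skipped, and the comment field is
    replaced by the JRD subject so each entry records where it came from.
    """
    subject = jrd.get("subject", "")
    entries = []
    for href in select_key_links(jrd):
        for line in fetch(href).splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            try:
                key_type, blob_b64, _ = parse_public_key_line(line)
            except ValueError:
                continue
            entries.append("%s %s %s" % (key_type, blob_b64, subject))
    return entries


# Constructed sample data (not from the thread): an ed25519-shaped blob built from
# a fixed 32-byte value, served three ways: correctly typed, mislabelled, and bare.
_BLOB_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
GOOD_LINE = "ssh-ed25519 %s laptop" % _BLOB_B64
MISMATCHED_LINE = "ssh-rsa %s laptop" % _BLOB_B64
BARE_LINE = _BLOB_B64
SAMPLE_JRD = json.loads("""{
  "subject": "acct:alice@example.com",
  "links": [
    {"rel": "http://www.openlinksw.com/schemas/cert#hasPublicKey",
     "type": "application/x-ssh-key", "href": "https://example.com/alice/id.pub"},
    {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"}
  ]
}""")
FAKE_RESOURCES = {"https://example.com/alice/id.pub":
                  "\n".join([GOOD_LINE, MISMATCHED_LINE, BARE_LINE]) + "\n"}


def demo() -> list:
    """Resolve the constructed JRD; the mislabelled line is dropped, two remain."""
    return authorized_keys_entries(SAMPLE_JRD, FAKE_RESOURCES.__getitem__)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The mislabelled line (declared `ssh-rsa`, blob says `ssh-ed25519`) is rejected rather than installed, which is the check a server populating authorized_keys from a remote resource wants; a real deployment would fetch over HTTPS only and additionally pin the key resource to the same origin as the WebFinger host.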

Henry Story

Sep 12, 2012, 4:31:35 PM
to Bob Wyman, webf...@googlegroups.com, Dan Brickley, Manu Sporny
Yes, that would be possible by using the same framework as the one used by WebID

There is at least one implementation of a WebID verifier ( OpenLink Virtuoso ) that even knows 
how to do the above for X509 Certificates that have a WebFinger URI in the Subject Alternative
name field. It seems to be a more direct route to have the document claimed to be signed directly
by a WebID URL of the form http://myserver.me/profile#me since that brings you directly to the 
document, and the signature. So we have not pushed for WebFinger usage in the SAN field.
But it is possible.

   I tend to think of WebFinger as more useful for human usage: we know people by their
e-mail address and so it is easier if we need to find someone via that e-mail to use the WebFinger
than to have to remember a URL.

For signed e-mail verification on the other hand a WebFinger lookup does seem like a very 
good idea though. If we can use the same ontology for e-mail signature verification as we do 
for WebID then we can increase the value proposition of both to the benefit of all.


Henry






Henry Story

Sep 12, 2012, 4:31:55 PM
to Christian Weiske, webf...@googlegroups.com, henry...@gmail.com, Dan Brickley, Manu Sporny

On 12 Sep 2012, at 21:04, Christian Weiske <cwe...@cweiske.de> wrote:

> Hello Henry,
>
>
>>> Sorry, the original question was whether there is link relation
>>> (URI) to an ssh public key, eg that could be reused from an
>>> existing vocab
>> You want to link a page to a public key?
>>
>> What would be the meaning of the link? That the primary topic of the
>> page is identified by that public key?
>
> No, I want to express that the public ssh key belongs to me (my email
> address), to enable automatic setup of services that I can ssh to (e.g.
> git servers).
>
> I'd just give them my email address, they use webfinger to find an LRDD
> document about me, which in turn links to an URI that has my public ssh
> key. Now the question is: what link relation can I use to express "this
> is my public ssh key"?

So you want to put this link into your home page then (which is
where the html would be found).

If you want a bit more power and make things explicit you can use the

http://www.w3.org/ns/auth/cert#key

relation that links a URI for you to your public key using RDFa for
example as shown here:

http://www.w3.org/2005/Incubator/webid/spec/#rdfa-html-notation

Then you can use the

http://xmlns.com/foaf/0.1/primaryTopic relation from your home page
to an identifier that is about you in particular, where you can also
add a lot more detailed information about yourself.

This can work nicely with WebFinger resolution to allow a server to find your
home page if all you want to remember is your e-mail address. From the home
page it can find your public key, as shown in the W3C WebID spec

http://webid.info/spec/

We had also discussed linking to binary versions of certificates,
and that is something you can bring up on the W3C WebID Community
Group

http://www.w3.org/community/webid/

but we had found no good use case to make the protocol more complicated.
If you want to see WebID in action you can also look at the video here:

http://webid.info/

I think at this level one can have webfinger and WebID work very nicely
together. WebFinger should be seen as a protocol to use when you have
an e-mail address to find someone's home page and detailed relations that
person has to themselves and their social network.

WebID is then very useful for each user personally when they have their
own certificate already in their browser.

We now have a very nice demo application that shows how you can make your
WebID: try out https://my-profile.eu/ after watching the video.

Henry

>
> --
> Regards/Mit freundlichen Grüßen
> Christian Weiske
>
> -=≡ Geeking around in the name of science since 1982 ≡=-

Henry Story

Sep 12, 2012, 4:33:46 PM
to Bob Wyman, webf...@googlegroups.com, Dan Brickley, Manu Sporny
On 12 Sep 2012, at 21:12, Bob Wyman <b...@wyman.us> wrote:

Yes, that would be possible by using the same framework as the one used by WebID

There is at least one implementation of a WebID verifier ( OpenLink Virtuoso ) that even knows 
how to do the above for X509 Certificates that have a WebFinger URI in the Subject Alternative
name field. It seems to be a more direct route to have the document claimed to be signed directly
by a WebID URL of the form http://myserver.me/profile#me since that brings you directly to the 
document, and the signature. So we have not pushed for WebFinger usage in the SAN field.
But it is possible.

   I tend to think of WebFinger as more useful for human usage: we know people by their
e-mail address and so it is easier if we need to find someone via that e-mail to use the WebFinger
than to have to remember a URL.

For signed e-mail verification on the other hand a WebFinger lookup does seem like a very 
good idea though. If we can use the same ontology for e-mail signature verification as we do 
for WebID then we can increase the value proposition of both to the benefit of all.


Henry




Kingsley Idehen

Sep 12, 2012, 4:51:06 PM
to webf...@googlegroups.com
On 9/12/12 4:33 PM, Henry Story wrote:
For signed e-mail verification on the other hand a WebFinger lookup does seem like a very 
good idea though. If we can use the same ontology for e-mail signature verification as we do 
for WebID then we can increase the value proposition of both to the benefit of all.


Henry

+1

Right now, we use WebID (with Webfinger for handling mailto: and acct: scheme URIs) to handle:

1. email signature -- a WebID tweak to S/MIME

2. email filters -- via IMAP we can re-organize mails based on rules that are driven by WebID e.g., place all signed emails in a "signed mail" folder, place all signed emails that have been verified using the WebID protocol in an "Important" folder etc. Can even do wonders based on social relationships e.g., if you claim to know 'Henry Story' then put it in the "WebID" folder etc. :-)