Skip to content
Snippets Groups Projects
Commit cde50084 authored by Cédric Moreau's avatar Cédric Moreau
Browse files

Updated protocol with "keychange" document

parent 2b067ded
Branches
Tags 0.40.6
No related merge requests found
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
* [Formats](#formats) * [Formats](#formats)
* [Public key](#public-key) * [Public key](#public-key)
* [Membership](#membership) * [Membership](#membership)
* [Keychange](#keychange)
* [Keyblock](#keyblock) * [Keyblock](#keyblock)
* [Amendment](#amendment) * [Amendment](#amendment)
* [Transaction](#transaction) * [Transaction](#transaction)
...@@ -182,8 +183,51 @@ A [Membership](#membership) is to be considered valid if: ...@@ -182,8 +183,51 @@ A [Membership](#membership) is to be considered valid if:
* `Issuer` matches signature's key ID * `Issuer` matches signature's key ID
* `Membership` matches either `IN` or `OUT` value * `Membership` matches either `IN` or `OUT` value
### Keychange
A keychange is a document describing changes to be applied to a [Public key](#public-key) for its components (OpenPGP key material) and membership state.
#### Structure
#####----T:PUBLIC_KEY_FINGERPRINT----#####
KeyPackets:
[packets]
CertificationPackets:
[packets]
Membership:
VERSION:FINGERPRINT:TYPE:TIMESTAMP:USER_ID
[base64_signature]
Field | Data
--------------------- | ------------------------------------------
T | Type of change: either `F`,`N`,`U`,`L` or `B` for respectively `FOUNDER`,`NEWCOMER`,`UPDATE`,`LEAVER` and `BACK` meaning.
KeyPackets | OpenPGP key material field. Value is an OpenPGP packet list base64 encoded. Allowed packets are public key, user ID, self-certification, subkey and subkey binding packets.
CertificationPackets | OpenPGP key material field. Value is an OpenPGP packet list base64 encoded. Allowed packets are other keys' certification packets.
Membership | Field for writing [Membership](#membership) document data.
#### Coherence
Depending the provided `T` type, fields have different format requirements. Below is a table summing up the rules about it:
Type | Field | Requirement
----------- | ---------------------|----------------------------
`FOUNDER` | KeyPackets | Must contain a single public key, plus a single user ID and self-certification packet. May contain subkeys and subkey bindings.
`FOUNDER` | CertificationPackets | Must NOT be provided.
`FOUNDER` | Membership | Must contain an `IN` membership with a `USER_ID` field matching exactly `KeyPackets` user ID.
`NEWCOMER` | KeyPackets | Same rule as `FOUNDER`.
`NEWCOMER` | CertificationPackets | May contain any number of other keys' certification packets.
`NEWCOMER` | Membership | Must contain an `IN` membership with a `USER_ID` field matching exactly `KeyPackets` user ID.
`UPDATE` | KeyPackets | May only contain subkeys and subkey bindings packets.
`UPDATE` | CertificationPackets | May contain any number of other keys' certification packets.
`UPDATE` | Membership | Must NOT be provided.
`LEAVER` | KeyPackets | Must NOT be provided.
`LEAVER` | CertificationPackets | Must NOT be provided.
`LEAVER` | Membership | Must contain an `OUT` membership without
`BACK` | KeyPackets | May only contain subkeys and subkey bindings packets.
`BACK` | CertificationPackets | May contain any number of other keys' certification packets.
`BACK` | Membership | Must contain an `IN` membership without `USER_ID` field.
### Keyblock ### Keyblock
A Keyblock is a document gathering public key informations in order to build a Web Of Trust (WoT) representation. A Keyblock is a document gathering [keychanges](#keychange) in order to build a Web Of Trust (WoT) representation.
#### Structure #### Structure
...@@ -202,15 +246,8 @@ A Keyblock is a document gathering public key informations in order to build a W ...@@ -202,15 +246,8 @@ A Keyblock is a document gathering public key informations in order to build a W
... ...
-MEMBER_OUT_KEY_FINGERPRINT -MEMBER_OUT_KEY_FINGERPRINT
... ...
PublicKeys: KeysChanges:
#####-----PUBLIC_KEY_FINGERPRINT-----##### [keychange]
[packets]
...
Memberships:
VERSION:FINGERPRINT:TYPE:TIMESTAMP:USER_ID
MembershipsSignatures:
#####-----PUBLIC_KEY_FINGERPRINT-----#####
[signature_packet]
... ...
BOTTOM_SIGNATURE BOTTOM_SIGNATURE
...@@ -226,10 +263,7 @@ PreviousHash | Previous keyblock fingerprint ...@@ -226,10 +263,7 @@ PreviousHash | Previous keyblock fingerprint
PreviousIssuer | Previous keyblock issuer's fingerprint PreviousIssuer | Previous keyblock issuer's fingerprint
MembersCount | Number of members in the WoT MembersCount | Number of members in the WoT
MembersChanges | Public keys' fingerprint: with a `+` for joining or with a `-` for leaving MembersChanges | Public keys' fingerprint: with a `+` for joining or with a `-` for leaving
PublicKeys | Public keys' packets. Packets are grouped by their target key fingerprint. KeysChanges | List of [keychanges](#keychange)
Memberships | Membership entries, under shorthand format
MembershipsSignatures | Signatures attached to `Memberships`.
#### Coherence #### Coherence
To be a valid keyblock document, a keyblock must match the following rules: To be a valid keyblock document, a keyblock must match the following rules:
...@@ -240,19 +274,7 @@ To be a valid keyblock document, a keyblock must match the following rules: ...@@ -240,19 +274,7 @@ To be a valid keyblock document, a keyblock must match the following rules:
* `MembersChanges` is a multiline field whose lines are either: * `MembersChanges` is a multiline field whose lines are either:
* `+` followed by an SHA-1 hash * `+` followed by an SHA-1 hash
* `-` followed by an SHA-1 hash * `-` followed by an SHA-1 hash
* `PublicKeys` is a multiline field whose lines are divided in blocks composed by: * `KeysChanges` is a multiline field of [keychanges](#keychange)
* A first line with `#PUBLIC_KEY_FINGERPRINT`, where `PUBLIC_KEY_FINGERPRINT` is an SHA-1 hash
* A bunch of lines under Base64 format, representing OpenPGP public key, user ID and certification packets
* It cannot be found two lines with same `#PUBLIC_KEY_FINGERPRINT`
* `PublicKeys` is sorted by `PUBLIC_KEY_FINGERPRINT`, ascending
* `Memberships` is a multiline field whose lines follow the `VERSION:KEY_ID:TYPE:TIMESTAMP` pattern:
* `VERSION` is a membership version field
* `FINGERPRINT` is a membership signing key fingerprint
* `TYPE` is either `IN` or `OUT` value
* `TIMESTAMP` is a timestamp value
* `USER_ID` is a string targeting an existing UserID of the attached key
* `Memberships` is `FINGERPRINT` sorted, ascending
* `MembershipsSignatures` is a multiline field composed of Base64 lines, sorted by `PUBLIC_KEY_FINGERPRINT`, ascending
The document must be ended with a `BOTTOM_SIGNATURE`, which is an OpenPGP armored signature. The document must be ended with a `BOTTOM_SIGNATURE`, which is an OpenPGP armored signature.
...@@ -263,6 +285,7 @@ The document must be ended with a `BOTTOM_SIGNATURE`, which is an OpenPGP armore ...@@ -263,6 +285,7 @@ The document must be ended with a `BOTTOM_SIGNATURE`, which is an OpenPGP armore
* `MembersChanges` must contain `-KEY` for all memberships of the block with `TYPE = OUT` * `MembersChanges` must contain `-KEY` for all memberships of the block with `TYPE = OUT`
* `MembersChanges` may contain `-KEY` without a corresponding `TYPE = OUT` membership * `MembersChanges` may contain `-KEY` without a corresponding `TYPE = OUT` membership
* `MembersChanges` must *not* contain `+KEY` if the corresponding `TYPE = IN` membership is not present in the block * `MembersChanges` must *not* contain `+KEY` if the corresponding `TYPE = IN` membership is not present in the block
* It cannot be found two keychange with same `PUBLIC_KEY_FINGERPRINT`
##### Specific rules ##### Specific rules
* If `Number` equals `0`, `PreviousHash` and `PreviousIssuer` must not be provided * If `Number` equals `0`, `PreviousHash` and `PreviousIssuer` must not be provided
...@@ -271,7 +294,7 @@ The document must be ended with a `BOTTOM_SIGNATURE`, which is an OpenPGP armore ...@@ -271,7 +294,7 @@ The document must be ended with a `BOTTOM_SIGNATURE`, which is an OpenPGP armore
#### Keychain #### Keychain
A Keychain is a chaining of Keyblock. Such a document describes a WoT over the time. A Keychain is a chaining of Keyblock. Such a document describes a WoT over the time.
Each keyblock, other than the keyblock#0 must follow the following rules: Each keyblock, other than the keyblock#0 must follow these rules:
* Its `Number` field has the same value as preceding keyblock + 1 * Its `Number` field has the same value as preceding keyblock + 1
* Its `Currency` field has exactly the same value as preceding keyblock * Its `Currency` field has exactly the same value as preceding keyblock
...@@ -280,6 +303,13 @@ Each keyblock, other than the keyblock#0 must follow the following rules: ...@@ -280,6 +303,13 @@ Each keyblock, other than the keyblock#0 must follow the following rules:
* Its `MembersCount` field is either equal to: * Its `MembersCount` field is either equal to:
* the sum of all `+` count minus the sum of all `-` count from `MembersChanges` field since keyblock#0, this block included * the sum of all `+` count minus the sum of all `-` count from `MembersChanges` field since keyblock#0, this block included
* previous block `MembersCount` + the sum of all `+` count minus the sum of all `-` count from `MembersChanges` of this keyblock * previous block `MembersCount` + the sum of all `+` count minus the sum of all `-` count from `MembersChanges` of this keyblock
* `FOUNDER` type can be present **only** for keyblock#0
* For a given `PUBLIC_KEY_FINGERPRINT`:
* First keychange must be either `FOUNDER` or `NEWCOMER`
* `NEWCOMER` type can be present only 1 time and cannot follow a keychange
* `UPDATE` type cannot follow `LEAVE` type and must follow a keychange
* `LEAVE` type cannot follow `LEAVE` type and must follow a keychange
* `BACK` type must follow `LEAVE` type
### Amendment ### Amendment
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment