| Internet-Draft | User Attributes in OpenPGP | August 2025 |
| Gallagher | Expires 12 February 2026 | [Page] |
This document updates the specification of User Attribute Packets and Subpackets in OpenPGP.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://andrewgdotcom.gitlab.io/openpgp-user-attributes. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-gallagher-openpgp-user-attributes/.¶
Discussion of this document takes place on the OpenPGP Working Group mailing list (mailto:openpgp@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/openpgp/. Subscribe at https://www.ietf.org/mailman/listinfo/openpgp/.¶
Source for this draft and an issue tracker can be found at https://gitlab.com/andrewgdotcom/openpgp-user-attributes.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 February 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
User Attributes are a much-maligned and often-abused feature of OpenPGP. Currently their only specified use is to contain images, however it is known that some implementations use the Private and Experimental User Attribute Subpacket range for various internal purposes.¶
In this document, we simplify the specification of User Attribute packets and subpackets, and use them to implement currently-missing functionality in OpenPGP.¶
The term "OpenPGP Certificate" is used in this document interchangeably with "OpenPGP Transferable Public Key", as defined in Section 10.1 of [RFC9580].¶
The term "Component key" is used in this document to mean either a primary key or subkey.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
User Attribute Packets are simple containers for one or more User Attribute Subpackets. These subpackets are wire-format compatible with Signature Subpackets, but the only currently defined type is the Image Attribute Subpacket type.¶
The Image Attribute Subpacket (Type 1) has some unusual features, and is over-specified:¶
The image header has a little-endian length field, uniquely for OpenPGP.¶
It has a version octet that represents an entire registry but with only one version specified.¶
It has an encoding format octet that represents an entire registry with only one value specified.¶
The v1 image header has a further 12 octets of unused fields.¶
The Image Attribute Subpacket has been abused to store large amounts of data on the OpenPGP keyservers, and as a result most modern keyservers refuse to handle any User Attribute packets. Further, we wish to minimise the quantity of human-readable information in the OpenPGP wire format. Images and other data without meaning at the OpenPGP layer SHOULD instead be stored at the application layer, for example in a vCard [RFC6350].¶
The use of Image Attribute subpackets is therefore deprecated:¶
Code point 1 in the User Attribute Subpacket Registry should be updated to "Image Attribute Subpacket (deprecated)".¶
No further Image Attribute versions or encoding formats will be supported; the values of both these fields are hereby fixed at 1.¶
The OpenPGP Image Attribute Versions and OpenPGP Image Attribute Encoding Formats registries should be deleted.¶
A User Attribute packet SHOULD NOT contain more than one Image Attribute subpacket.¶
The Embedded Signature Subpacket (Type 32) from the Signature Subpacket Types registry is duplicated into the User Attribute Subpacket registry, with the same wire format (Section 5.2.3.34 of [RFC9580]).¶
A User Attribute Packet MAY contain one or more Embedded Signature subpackets. These can be used to distribute signatures that cannot otherwise be included in the certificate packet grammar.¶
Placing embedded signatures in User Attribute subpackets rather than signature subpackets avoids several issues arising from signature cumulation rules. For example, if an embedded signature is included in the hashed or unhashed subpackets area of another signature, it must be duplicated into all future signatures over the same subject. Otherwise, a receiving implementation that ignores or discards older signature packets might ignore or discard the embedded signature.¶
Unless otherwise specified, all signatures embedded in User Attribute packets MUST be made by a component key of the current certificate.¶
We update the following signature types to be "embeddable" (see Section 5 of [I-D.gallagher-openpgp-signatures]), and specify their use in User Attributes:¶
An Embedded Signature Subpacket MAY contain a Certification Revocation signature (Type 0x30):¶
The key holder might not trust that a third party will distribute certification revocations over their (possibly fraudulent) certificate [REVOC-16]. The key holder MAY instead distribute the revocation signature in their own certificate using an Embedded Signature subpacket of a User Attribute packet.¶
((TODO: can we identify the third party certificate in the revocation sig?))¶
If the key holder wishes to delete a User ID or User Attribute from their own certificate using a redacting revocation signature [REVOC-2], they cannot append the revocation signature to the redacted User ID or User Attribute packet, because the redacted packet is no longer part of the certificate packet sequence. In order to distribute the revocation signature, it MAY be included in an Embedded Signature subpacket of a separate User Attribute packet. The revocation signature can be validated by a receiving implementation that already has a copy of the redacted User ID or User Attribute.¶
A User Attribute MUST NOT contain subpackets of more than one type. A receiving implementation MUST disregard the entire User Attribute packet if it contains subpackets of more than one type.¶
A certification signature over a User Attribute packet SHOULD NOT contain subpackets of the Direct or First Party Certification categories (Section 7.2 of [I-D.gallagher-openpgp-signatures]), and any such subpackets MUST be ignored.¶
The deprecation of Image Attribute subpackets should increase both security and reliability, by removing a significant abuse vector.¶
Distribution of third-party revocations in the certificate of the signer should be more reliable than existing methods, thereby increasing overall trust in the certification process.¶
IANA is requested to perform the following tasks:¶
Delete the OpenPGP Image Attribute Versions and OpenPGP Image Attribute Encoding Format registries.¶
Update the contents of the OpenPGP User Attribute Subpacket Types Registry to read:¶
| Type | Name | Reference |
|---|---|---|
| 1 | Image Attribute (Deprecated) | Section 3.1 |
| 32 | Embedded Signature | Section 3.2 |
Update the following entry in the OpenPGP Signature Types Registry to read:¶
| ID | Name | Embeddable | Reference |
|---|---|---|---|
| 0x30 | Certification Revocation Signature | Yes | [RFC9580], Section 3.2.1 |
We have allocated code points in the User Attribute Subpacket Types registry that permit wire-format and semantics compatibility between User Attribute subpackets and Signature subpackets. Code point 1 is reserved in the Signature Subpacket Types registry, and code point 32 represents a subpacket type that is compatible in both wire format and semantics. While not strictly required, it is RECOMMENDED that code points should be allocated so as to minimise semantics and wire format incompatibility between the two Subpacket Type registries. Signature subpacket code points outside of the General or Attribute Value categories SHOULD NOT be shared with the User Attribute registry.¶
The author would like to thank Daniel Kahn Gillmor, Heiko Schäfer and Wiktor Kwapisiewicz for discussions.¶
Note to RFC Editor: this section should be removed before publication.¶