Archive pep handshake draft 04.
authorHernâni Marques <hernani@pep.foundation>
Wed, 08 Jan 2020 18:29:08 +0100
changeset 1209001949056b13
parent 1208 68bdebe8b9a9
child 1210 ff555a037005
Archive pep handshake draft 04.
pep-handshake/archive/draft-marques-pep-handshake-04.html
pep-handshake/archive/draft-marques-pep-handshake-04.txt
pep-handshake/archive/draft-marques-pep-handshake-04.xml
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/pep-handshake/archive/draft-marques-pep-handshake-04.html	Wed Jan 08 18:29:08 2020 +0100
     1.3 @@ -0,0 +1,869 @@
     1.4 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
     1.5 +  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     1.6 +
     1.7 +<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
     1.8 +<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
     1.9 +  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
    1.10 +
    1.11 +  <title>pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake</title>
    1.12 +
    1.13 +  <style type="text/css" title="Xml2Rfc (sans serif)">
    1.14 +  /*<![CDATA[*/
    1.15 +	  a {
    1.16 +	  text-decoration: none;
    1.17 +	  }
    1.18 +      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
    1.19 +      a.info {
    1.20 +          /* This is the key. */
    1.21 +          position: relative;
    1.22 +          z-index: 24;
    1.23 +          text-decoration: none;
    1.24 +      }
    1.25 +      a.info:hover {
    1.26 +          z-index: 25;
    1.27 +          color: #FFF; background-color: #900;
    1.28 +      }
    1.29 +      a.info span { display: none; }
    1.30 +      a.info:hover span.info {
    1.31 +          /* The span will display just on :hover state. */
    1.32 +          display: block;
    1.33 +          position: absolute;
    1.34 +          font-size: smaller;
    1.35 +          top: 2em; left: -5em; width: 15em;
    1.36 +          padding: 2px; border: 1px solid #333;
    1.37 +          color: #900; background-color: #EEE;
    1.38 +          text-align: left;
    1.39 +      }
    1.40 +	  a.smpl {
    1.41 +	  color: black;
    1.42 +	  }
    1.43 +	  a:hover {
    1.44 +	  text-decoration: underline;
    1.45 +	  }
    1.46 +	  a:active {
    1.47 +	  text-decoration: underline;
    1.48 +	  }
    1.49 +	  address {
    1.50 +	  margin-top: 1em;
    1.51 +	  margin-left: 2em;
    1.52 +	  font-style: normal;
    1.53 +	  }
    1.54 +	  body {
    1.55 +	  color: black;
    1.56 +	  font-family: verdana, helvetica, arial, sans-serif;
    1.57 +	  font-size: 10pt;
    1.58 +	  max-width: 55em;
    1.59 +	  
    1.60 +	  }
    1.61 +	  cite {
    1.62 +	  font-style: normal;
    1.63 +	  }
    1.64 +	  dd {
    1.65 +	  margin-right: 2em;
    1.66 +	  }
    1.67 +	  dl {
    1.68 +	  margin-left: 2em;
    1.69 +	  }
    1.70 +	
    1.71 +	  ul.empty {
    1.72 +	  list-style-type: none;
    1.73 +	  }
    1.74 +	  ul.empty li {
    1.75 +	  margin-top: .5em;
    1.76 +	  }
    1.77 +	  dl p {
    1.78 +	  margin-left: 0em;
    1.79 +	  }
    1.80 +	  dt {
    1.81 +	  margin-top: .5em;
    1.82 +	  }
    1.83 +	  h1 {
    1.84 +	  font-size: 14pt;
    1.85 +	  line-height: 21pt;
    1.86 +	  page-break-after: avoid;
    1.87 +	  }
    1.88 +	  h1.np {
    1.89 +	  page-break-before: always;
    1.90 +	  }
    1.91 +	  h1 a {
    1.92 +	  color: #333333;
    1.93 +	  }
    1.94 +	  h2 {
    1.95 +	  font-size: 12pt;
    1.96 +	  line-height: 15pt;
    1.97 +	  page-break-after: avoid;
    1.98 +	  }
    1.99 +	  h3, h4, h5, h6 {
   1.100 +	  font-size: 10pt;
   1.101 +	  page-break-after: avoid;
   1.102 +	  }
   1.103 +	  h2 a, h3 a, h4 a, h5 a, h6 a {
   1.104 +	  color: black;
   1.105 +	  }
   1.106 +	  img {
   1.107 +	  margin-left: 3em;
   1.108 +	  }
   1.109 +	  li {
   1.110 +	  margin-left: 2em;
   1.111 +	  margin-right: 2em;
   1.112 +	  }
   1.113 +	  ol {
   1.114 +	  margin-left: 2em;
   1.115 +	  margin-right: 2em;
   1.116 +	  }
   1.117 +	  ol p {
   1.118 +	  margin-left: 0em;
   1.119 +	  }
   1.120 +	  p {
   1.121 +	  margin-left: 2em;
   1.122 +	  margin-right: 2em;
   1.123 +	  }
   1.124 +	  pre {
   1.125 +	  margin-left: 3em;
   1.126 +	  background-color: lightyellow;
   1.127 +	  padding: .25em;
   1.128 +	  }
   1.129 +	  pre.text2 {
   1.130 +	  border-style: dotted;
   1.131 +	  border-width: 1px;
   1.132 +	  background-color: #f0f0f0;
   1.133 +	  width: 69em;
   1.134 +	  }
   1.135 +	  pre.inline {
   1.136 +	  background-color: white;
   1.137 +	  padding: 0em;
   1.138 +	  }
   1.139 +	  pre.text {
   1.140 +	  border-style: dotted;
   1.141 +	  border-width: 1px;
   1.142 +	  background-color: #f8f8f8;
   1.143 +	  width: 69em;
   1.144 +	  }
   1.145 +	  pre.drawing {
   1.146 +	  border-style: solid;
   1.147 +	  border-width: 1px;
   1.148 +	  background-color: #f8f8f8;
   1.149 +	  padding: 2em;
   1.150 +	  }
   1.151 +	  table {
   1.152 +	  margin-left: 2em;
   1.153 +	  }
   1.154 +	  table.tt {
   1.155 +	  vertical-align: top;
   1.156 +	  }
   1.157 +	  table.full {
   1.158 +	  border-style: outset;
   1.159 +	  border-width: 1px;
   1.160 +	  }
   1.161 +	  table.headers {
   1.162 +	  border-style: outset;
   1.163 +	  border-width: 1px;
   1.164 +	  }
   1.165 +	  table.tt td {
   1.166 +	  vertical-align: top;
   1.167 +	  }
   1.168 +	  table.full td {
   1.169 +	  border-style: inset;
   1.170 +	  border-width: 1px;
   1.171 +	  }
   1.172 +	  table.tt th {
   1.173 +	  vertical-align: top;
   1.174 +	  }
   1.175 +	  table.full th {
   1.176 +	  border-style: inset;
   1.177 +	  border-width: 1px;
   1.178 +	  }
   1.179 +	  table.headers th {
   1.180 +	  border-style: none none inset none;
   1.181 +	  border-width: 1px;
   1.182 +	  }
   1.183 +	  table.left {
   1.184 +	  margin-right: auto;
   1.185 +	  }
   1.186 +	  table.right {
   1.187 +	  margin-left: auto;
   1.188 +	  }
   1.189 +	  table.center {
   1.190 +	  margin-left: auto;
   1.191 +	  margin-right: auto;
   1.192 +	  }
   1.193 +	  caption {
   1.194 +	  caption-side: bottom;
   1.195 +	  font-weight: bold;
   1.196 +	  font-size: 9pt;
   1.197 +	  margin-top: .5em;
   1.198 +	  }
   1.199 +	
   1.200 +	  table.header {
   1.201 +	  border-spacing: 1px;
   1.202 +	  width: 95%;
   1.203 +	  font-size: 10pt;
   1.204 +	  color: white;
   1.205 +	  }
   1.206 +	  td.top {
   1.207 +	  vertical-align: top;
   1.208 +	  }
   1.209 +	  td.topnowrap {
   1.210 +	  vertical-align: top;
   1.211 +	  white-space: nowrap; 
   1.212 +	  }
   1.213 +	  table.header td {
   1.214 +	  background-color: gray;
   1.215 +	  width: 50%;
   1.216 +	  }
   1.217 +	  table.header a {
   1.218 +	  color: white;
   1.219 +	  }
   1.220 +	  td.reference {
   1.221 +	  vertical-align: top;
   1.222 +	  white-space: nowrap;
   1.223 +	  padding-right: 1em;
   1.224 +	  }
   1.225 +	  thead {
   1.226 +	  display:table-header-group;
   1.227 +	  }
   1.228 +	  ul.toc, ul.toc ul {
   1.229 +	  list-style: none;
   1.230 +	  margin-left: 1.5em;
   1.231 +	  margin-right: 0em;
   1.232 +	  padding-left: 0em;
   1.233 +	  }
   1.234 +	  ul.toc li {
   1.235 +	  line-height: 150%;
   1.236 +	  font-weight: bold;
   1.237 +	  font-size: 10pt;
   1.238 +	  margin-left: 0em;
   1.239 +	  margin-right: 0em;
   1.240 +	  }
   1.241 +	  ul.toc li li {
   1.242 +	  line-height: normal;
   1.243 +	  font-weight: normal;
   1.244 +	  font-size: 9pt;
   1.245 +	  margin-left: 0em;
   1.246 +	  margin-right: 0em;
   1.247 +	  }
   1.248 +	  li.excluded {
   1.249 +	  font-size: 0pt;
   1.250 +	  }
   1.251 +	  ul p {
   1.252 +	  margin-left: 0em;
   1.253 +	  }
   1.254 +	
   1.255 +	  .comment {
   1.256 +	  background-color: yellow;
   1.257 +	  }
   1.258 +	  .center {
   1.259 +	  text-align: center;
   1.260 +	  }
   1.261 +	  .error {
   1.262 +	  color: red;
   1.263 +	  font-style: italic;
   1.264 +	  font-weight: bold;
   1.265 +	  }
   1.266 +	  .figure {
   1.267 +	  font-weight: bold;
   1.268 +	  text-align: center;
   1.269 +	  font-size: 9pt;
   1.270 +	  }
   1.271 +	  .filename {
   1.272 +	  color: #333333;
   1.273 +	  font-weight: bold;
   1.274 +	  font-size: 12pt;
   1.275 +	  line-height: 21pt;
   1.276 +	  text-align: center;
   1.277 +	  }
   1.278 +	  .fn {
   1.279 +	  font-weight: bold;
   1.280 +	  }
   1.281 +	  .hidden {
   1.282 +	  display: none;
   1.283 +	  }
   1.284 +	  .left {
   1.285 +	  text-align: left;
   1.286 +	  }
   1.287 +	  .right {
   1.288 +	  text-align: right;
   1.289 +	  }
   1.290 +	  .title {
   1.291 +	  color: #990000;
   1.292 +	  font-size: 18pt;
   1.293 +	  line-height: 18pt;
   1.294 +	  font-weight: bold;
   1.295 +	  text-align: center;
   1.296 +	  margin-top: 36pt;
   1.297 +	  }
   1.298 +	  .vcardline {
   1.299 +	  display: block;
   1.300 +	  }
   1.301 +	  .warning {
   1.302 +	  font-size: 14pt;
   1.303 +	  background-color: yellow;
   1.304 +	  }
   1.305 +	
   1.306 +	
   1.307 +	  @media print {
   1.308 +	  .noprint {
   1.309 +		display: none;
   1.310 +	  }
   1.311 +	
   1.312 +	  a {
   1.313 +		color: black;
   1.314 +		text-decoration: none;
   1.315 +	  }
   1.316 +	
   1.317 +	  table.header {
   1.318 +		width: 90%;
   1.319 +	  }
   1.320 +	
   1.321 +	  td.header {
   1.322 +		width: 50%;
   1.323 +		color: black;
   1.324 +		background-color: white;
   1.325 +		vertical-align: top;
   1.326 +		font-size: 12pt;
   1.327 +	  }
   1.328 +	
   1.329 +	  ul.toc a::after {
   1.330 +		content: leader('.') target-counter(attr(href), page);
   1.331 +	  }
   1.332 +	
   1.333 +	  ul.ind li li a {
   1.334 +		content: target-counter(attr(href), page);
   1.335 +	  }
   1.336 +	
   1.337 +	  .print2col {
   1.338 +		column-count: 2;
   1.339 +		-moz-column-count: 2;
   1.340 +		column-fill: auto;
   1.341 +	  }
   1.342 +	  }
   1.343 +	
   1.344 +	  @page {
   1.345 +	  @top-left {
   1.346 +		   content: "Internet-Draft"; 
   1.347 +	  } 
   1.348 +	  @top-right {
   1.349 +		   content: "December 2010"; 
   1.350 +	  } 
   1.351 +	  @top-center {
   1.352 +		   content: "Abbreviated Title";
   1.353 +	  } 
   1.354 +	  @bottom-left {
   1.355 +		   content: "Doe"; 
   1.356 +	  } 
   1.357 +	  @bottom-center {
   1.358 +		   content: "Expires June 2011"; 
   1.359 +	  } 
   1.360 +	  @bottom-right {
   1.361 +		   content: "[Page " counter(page) "]"; 
   1.362 +	  } 
   1.363 +	  }
   1.364 +	
   1.365 +	  @page:first { 
   1.366 +		@top-left {
   1.367 +		  content: normal;
   1.368 +		}
   1.369 +		@top-right {
   1.370 +		  content: normal;
   1.371 +		}
   1.372 +		@top-center {
   1.373 +		  content: normal;
   1.374 +		}
   1.375 +	  }
   1.376 +  /*]]>*/
   1.377 +  </style>
   1.378 +
   1.379 +  <link href="#rfc.toc" rel="Contents">
   1.380 +<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
   1.381 +<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Requirements Language">
   1.382 +<link href="#rfc.section.1.2" rel="Chapter" title="1.2 Terms">
   1.383 +<link href="#rfc.section.2" rel="Chapter" title="2 Problem Statement">
   1.384 +<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Use Cases">
   1.385 +<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Existing Solutions">
   1.386 +<link href="#rfc.section.3" rel="Chapter" title="3 The pEp Handshake Proposal">
   1.387 +<link href="#rfc.section.3.1" rel="Chapter" title="3.1 Verification Process">
   1.388 +<link href="#rfc.section.3.1.1" rel="Chapter" title="3.1.1 Short, Long and Full Trustword Mapping">
   1.389 +<link href="#rfc.section.3.1.2" rel="Chapter" title="3.1.2 Display Modes">
   1.390 +<link href="#rfc.section.4" rel="Chapter" title="4 Security Considerations">
   1.391 +<link href="#rfc.section.5" rel="Chapter" title="5 Privacy Considerations">
   1.392 +<link href="#rfc.section.6" rel="Chapter" title="6 IANA Considerations">
   1.393 +<link href="#rfc.section.7" rel="Chapter" title="7 Implementation Status">
   1.394 +<link href="#rfc.section.7.1" rel="Chapter" title="7.1 Introduction">
   1.395 +<link href="#rfc.section.7.2" rel="Chapter" title="7.2 Current software implementing pEp">
   1.396 +<link href="#rfc.section.8" rel="Chapter" title="8 Acknowledgements">
   1.397 +<link href="#rfc.references" rel="Chapter" title="9 References">
   1.398 +<link href="#rfc.references.1" rel="Chapter" title="9.1 Normative References">
   1.399 +<link href="#rfc.references.2" rel="Chapter" title="9.2 Informative References">
   1.400 +<link href="#rfc.appendix.A" rel="Chapter" title="A Document Changelog">
   1.401 +<link href="#rfc.appendix.B" rel="Chapter" title="B Open Issues">
   1.402 +<link href="#rfc.authors" rel="Chapter">
   1.403 +
   1.404 +
   1.405 +  <meta name="generator" content="xml2rfc version 2.37.3 - https://tools.ietf.org/tools/xml2rfc" />
   1.406 +  <link rel="schema.dct" href="http://purl.org/dc/terms/" />
   1.407 +
   1.408 +  <meta name="dct.creator" content="Marques, H. and B. Hoeneisen" />
   1.409 +  <meta name="dct.identifier" content="urn:ietf:id:draft-marques-pep-handshake-04" />
   1.410 +  <meta name="dct.issued" scheme="ISO8601" content="2020-01-08" />
   1.411 +  <meta name="dct.abstract" content="In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks.This document proposes a new method to easily verify a public key is authentic by a Handshake process that allows users to easily authenticate their communication channel. The new method is targeted to Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp)." />
   1.412 +  <meta name="description" content="In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks.This document proposes a new method to easily verify a public key is authentic by a Handshake process that allows users to easily authenticate their communication channel. The new method is targeted to Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp)." />
   1.413 +
   1.414 +</head>
   1.415 +
   1.416 +<body>
   1.417 +
   1.418 +  <table class="header">
   1.419 +    <tbody>
   1.420 +    
   1.421 +    	<tr>
   1.422 +<td class="left">Network Working Group</td>
   1.423 +<td class="right">H. Marques</td>
   1.424 +</tr>
   1.425 +<tr>
   1.426 +<td class="left">Internet-Draft</td>
   1.427 +<td class="right">B. Hoeneisen</td>
   1.428 +</tr>
   1.429 +<tr>
   1.430 +<td class="left">Intended status: Standards Track</td>
   1.431 +<td class="right">pEp Foundation</td>
   1.432 +</tr>
   1.433 +<tr>
   1.434 +<td class="left">Expires: July 11, 2020</td>
   1.435 +<td class="right">January 08, 2020</td>
   1.436 +</tr>
   1.437 +
   1.438 +    	
   1.439 +    </tbody>
   1.440 +  </table>
   1.441 +
   1.442 +  <p class="title">pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake<br />
   1.443 +  <span class="filename">draft-marques-pep-handshake-04</span></p>
   1.444 +  
   1.445 +  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
   1.446 +<p>In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks.</p>
   1.447 +<p>This document proposes a new method to easily verify a public key is authentic by a Handshake process that allows users to easily authenticate their communication channel. The new method is targeted to Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp).</p>
   1.448 +<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
   1.449 +<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
   1.450 +<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
   1.451 +<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
   1.452 +<p>This Internet-Draft will expire on July 11, 2020.</p>
   1.453 +<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
   1.454 +<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
   1.455 +<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
   1.456 +
   1.457 +  
   1.458 +  <hr class="noprint" />
   1.459 +  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
   1.460 +  <ul class="toc">
   1.461 +
   1.462 +  	<li>1.   <a href="#rfc.section.1">Introduction</a>
   1.463 +</li>
   1.464 +<ul><li>1.1.   <a href="#rfc.section.1.1">Requirements Language</a>
   1.465 +</li>
   1.466 +<li>1.2.   <a href="#rfc.section.1.2">Terms</a>
   1.467 +</li>
   1.468 +</ul><li>2.   <a href="#rfc.section.2">Problem Statement</a>
   1.469 +</li>
   1.470 +<ul><li>2.1.   <a href="#rfc.section.2.1">Use Cases</a>
   1.471 +</li>
   1.472 +<li>2.2.   <a href="#rfc.section.2.2">Existing Solutions</a>
   1.473 +</li>
   1.474 +</ul><li>3.   <a href="#rfc.section.3">The pEp Handshake Proposal</a>
   1.475 +</li>
   1.476 +<ul><li>3.1.   <a href="#rfc.section.3.1">Verification Process</a>
   1.477 +</li>
   1.478 +<ul><li>3.1.1.   <a href="#rfc.section.3.1.1">Short, Long and Full Trustword Mapping</a>
   1.479 +</li>
   1.480 +<li>3.1.2.   <a href="#rfc.section.3.1.2">Display Modes</a>
   1.481 +</li>
   1.482 +</ul></ul><li>4.   <a href="#rfc.section.4">Security Considerations</a>
   1.483 +</li>
   1.484 +<li>5.   <a href="#rfc.section.5">Privacy Considerations</a>
   1.485 +</li>
   1.486 +<li>6.   <a href="#rfc.section.6">IANA Considerations</a>
   1.487 +</li>
   1.488 +<li>7.   <a href="#rfc.section.7">Implementation Status</a>
   1.489 +</li>
   1.490 +<ul><li>7.1.   <a href="#rfc.section.7.1">Introduction</a>
   1.491 +</li>
   1.492 +<li>7.2.   <a href="#rfc.section.7.2">Current software implementing pEp</a>
   1.493 +</li>
   1.494 +</ul><li>8.   <a href="#rfc.section.8">Acknowledgements</a>
   1.495 +</li>
   1.496 +<li>9.   <a href="#rfc.references">References</a>
   1.497 +</li>
   1.498 +<ul><li>9.1.   <a href="#rfc.references.1">Normative References</a>
   1.499 +</li>
   1.500 +<li>9.2.   <a href="#rfc.references.2">Informative References</a>
   1.501 +</li>
   1.502 +</ul><li>Appendix A.   <a href="#rfc.appendix.A">Document Changelog</a>
   1.503 +</li>
   1.504 +<li>Appendix B.   <a href="#rfc.appendix.B">Open Issues</a>
   1.505 +</li>
   1.506 +<li><a href="#rfc.authors">Authors' Addresses</a>
   1.507 +</li>
   1.508 +
   1.509 +
   1.510 +  </ul>
   1.511 +
   1.512 +  <h1 id="rfc.section.1">
   1.513 +<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
   1.514 +</h1>
   1.515 +<p id="rfc.section.1.p.1">In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed.</p>
   1.516 +<p id="rfc.section.1.p.2">Examples for key distribution include:</p>
   1.517 +<p></p>
   1.518 +
   1.519 +<ul>
   1.520 +<li>Exchange public keys out-of-band before encrypted communication</li>
   1.521 +<li>Use of centralized public key stores (e.g., OpenPGP Key Servers)</li>
   1.522 +<li>Ship public keys in-band when communicating</li>
   1.523 +</ul>
   1.524 +<p id="rfc.section.1.p.4">To prevent man-in-the-middle (MITM) attacks, additionally the authenticity of a public key needs to be verified. Methods to authenticate public keys of peers include, e.g., to verify digital signatures of public keys (which may be signed in a hierarchical or flat manner, e.g., by a Web of Trust (WoT)), to compare the public key&#8217;s fingerprints via a suitable independent channel, or to scan a QR mapping of the fingerprint (cf. <a href="#problem-statement" class="xref">Section 2</a>).</p>
   1.525 +<p id="rfc.section.1.p.5">This document proposes a new method to verify the authenticity of public keys by a Handshake process that allows users to easily verify their communication channel. Fingerprints of the involved peers are combined and mapped to (common) Trustwords <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a>. The successful manual comparison of these Trustwords is used to consider the communication channel as trusted.</p>
   1.526 +<p id="rfc.section.1.p.6">The proposed method is already implemented and used in applications of pretty Easy privacy (pEp) <a href="#I-D.birk-pep" class="xref">[I-D.birk-pep]</a>. This document is targeted to applications based on the pEp framework and Opportunistic Security <a href="#RFC7435" class="xref">[RFC7435]</a>. However, it may be also used in other applications as suitable.</p>
   1.527 +<p id="rfc.section.1.p.7">Note: The pEp framework <a href="#I-D.birk-pep" class="xref">[I-D.birk-pep]</a> proposes to automatize the use of end-to-end encryption for Internet users of email and other messaging applications and introduces methods to easily allow authentication.</p>
   1.528 +<h1 id="rfc.section.1.1">
   1.529 +<a href="#rfc.section.1.1">1.1.</a> <a href="#requirements-language" id="requirements-language">Requirements Language</a>
   1.530 +</h1>
   1.531 +<p id="rfc.section.1.1.p.1">The key words &#8220;MUST&#8221;, &#8220;MUST NOT&#8221;, &#8220;REQUIRED&#8221;, &#8220;SHALL&#8221;, &#8220;SHALL NOT&#8221;, &#8220;SHOULD&#8221;, &#8220;SHOULD NOT&#8221;, &#8220;RECOMMENDED&#8221;, &#8220;MAY&#8221;, and &#8220;OPTIONAL&#8221; in this document are to be interpreted as described in <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
   1.532 +<h1 id="rfc.section.1.2">
   1.533 +<a href="#rfc.section.1.2">1.2.</a> <a href="#terms" id="terms">Terms</a>
   1.534 +</h1>
   1.535 +<p id="rfc.section.1.2.p.1">The following terms are defined for the scope of this document:</p>
   1.536 +<p></p>
   1.537 +
   1.538 +<ul><li>Trustwords: A scalar-to-word representation of 16-bit numbers (0 to 65535) to natural language words. When doing a Handshake, peers are shown combined Trustwords of both public keys involved to ease the comparison. <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a>
   1.539 +</li></ul>
   1.540 +<p></p>
   1.541 +
   1.542 +<ul><li>Trust On First Use (TOFU): cf. <a href="#RFC7435" class="xref">[RFC7435]</a>, which states: &#8220;In a protocol, TOFU calls for accepting and storing a public key or credential associated with an asserted identity, without authenticating that assertion. Subsequent communication that is authenticated using the cached key or credential is secure against an MiTM attack, if such an attack did not succeed during the vulnerable initial communication.&#8221;</li></ul>
   1.543 +<p></p>
   1.544 +
   1.545 +<ul><li>Man-in-the-middle (MITM) attack: cf. <a href="#RFC4949" class="xref">[RFC4949]</a>, which states: &#8220;A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.&#8221;</li></ul>
   1.546 +<h1 id="rfc.section.2">
   1.547 +<a href="#rfc.section.2">2.</a> <a href="#problem-statement" id="problem-statement">Problem Statement</a>
   1.548 +</h1>
   1.549 +<p id="rfc.section.2.p.1">To secure a communication channel, in public key cryptography each involved peer needs a key pair. Its public key needs to be shared to other peers by some means. However, the key obtained by the receiver may have been substituted or tampered with to allow for re-encryption attacks. To prevent such man-in-the-middle (MITM) attacks, an important step is to verify the authenticity of a public key obtained.</p>
   1.550 +<h1 id="rfc.section.2.1">
   1.551 +<a href="#rfc.section.2.1">2.1.</a> <a href="#use-cases" id="use-cases">Use Cases</a>
   1.552 +</h1>
   1.553 +<p id="rfc.section.2.1.p.1">Such a verification process is useful in at least two scenarios:</p>
   1.554 +<p></p>
   1.555 +
   1.556 +<ul>
   1.557 +<li>Verify channels to peers, e.g., to make sure opportunistically exchanged keys for end-to-end encryption are authentic.</li>
   1.558 +<li>Verify channels between own devices (in multi-device contexts), e.g., for the purpose of importing and synchronizing keys among different devices belonging to the same user (cf. <a href="#I-D.pep-keysync" class="xref">[I-D.pep-keysync]</a>). This scenario is comparable to Bluetooth pairing before starting data transfers.</li>
   1.559 +</ul>
   1.560 +<h1 id="rfc.section.2.2">
   1.561 +<a href="#rfc.section.2.2">2.2.</a> <a href="#existing-solutions" id="existing-solutions">Existing Solutions</a>
   1.562 +</h1>
   1.563 +<p id="rfc.section.2.2.p.1">Current methods to authenticate public keys of peers include:</p>
   1.564 +<p></p>
   1.565 +
   1.566 +<ul>
   1.567 +<li>Digitally signed public keys are verified by a chain of trust. Two trust models are common in today&#8217;s implementations.  <ul>
   1.568 +<li>Signing is carried out hierarchically, e.g. in a Public Key Infrastructure (PKI) <a href="#RFC5280" class="xref">[RFC5280]</a>, in which case the verification is based on a chain of trust with a Trust Anchor (TA) at the root.</li>
   1.569 +<li>Signing of public keys is done in a flat manner (by a Web of Trust), e.g., key signing in OpenPGP <a href="#RFC4880" class="xref">[RFC4880]</a>, where users sign the public keys of other users. Verification may be based on transitive trust.</li>
   1.570 +</ul>
   1.571 +</li>
   1.572 +<li>Peers are expected to directly compare the public key&#8217;s fingerprints by any suitable independent channel &#8211; e.g, by phone or with a face-to-face meeting. This method is often used in OpenPGP <a href="#RFC4880" class="xref">[RFC4880]</a> contexts.</li>
   1.573 +<li>The public keys&#8217; fingerprints are mapped into a QR code, which is expected to be scanned between the peers when they happen to meet face-to-face. This method is, e.g., used in the chat application Threema <a href="#threema" class="xref">[threema]</a>.</li>
   1.574 +<li>The public keys&#8217; fingerprints are mapped into numerical codes which decimal digits only (so-called &#8220;safety numbers&#8221;), which makes the strings the humans need to compare easier in respect to hexacodes, but longer and thus nevertheless cumbersome. This method is e.g. used in the chat application Signal <a href="#signal" class="xref">[signal]</a>.</li>
   1.575 +</ul>
   1.576 +<p id="rfc.section.2.2.p.3">Some of the methods can even be used in conjunction with Trustwords <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a> or the PGP Word list <a href="#PGP.wl" class="xref">[PGP.wl]</a>.</p>
   1.577 +<p id="rfc.section.2.2.p.4">None of the existing solutions meets all requirements set up by pEp <a href="#I-D.birk-pep" class="xref">[I-D.birk-pep]</a>, e.g.:</p>
   1.578 +<p></p>
   1.579 +
   1.580 +<ul>
   1.581 +<li>Easy solution that can be handled easily by ordinary users</li>
   1.582 +<li>In case privacy and security contradict each other, privacy is always preferred over security (e.g., the Web of Trust contradicts privacy)</li>
   1.583 +<li>No central entities</li>
   1.584 +</ul>
   1.585 +<p id="rfc.section.2.2.p.6">Most of today&#8217;s systems lack easy ways for users to authenticate their communication channel. Some methods leak private data (e.g., their social graph) or depend on central entities. Thus, none of today&#8217;s systems fulfills all of the pEp requirements (cf. above).</p>
   1.586 +<h1 id="rfc.section.3">
   1.587 +<a href="#rfc.section.3">3.</a> <a href="#the-pep-handshake-proposal" id="the-pep-handshake-proposal">The pEp Handshake Proposal</a>
   1.588 +</h1>
   1.589 +<p id="rfc.section.3.p.1">In pretty Easy privacy (pEp), the proposed approach for peers to authenticate each other is to engage in the pEp Handshake.</p>
   1.590 +<p id="rfc.section.3.p.2">In current pEp implementations (cf. <a href="#current-software-implementing-pep" class="xref">Section 7.2</a>), the same kinds of keys as in OpenPGP are used. Such keys include a fingerprint as cryptographic hash over the public key. This fingerprint is normally represented in a hexadecimal form, consisting of ten 4-digit hexadecimal blocks, e.g.:</p>
   1.591 +<p></p>
   1.592 +
   1.593 +<ul class="empty"><li>8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19</li></ul>
   1.594 +<p id="rfc.section.3.p.4">Each block may also be represented in decimal numbers from 0 to 65535 or in other numerical forms, e.g.</p>
   1.595 +<p></p>
   1.596 +
   1.597 +<ul>
   1.598 +<li>Hexadecimal: 8E31</li>
   1.599 +<li>Decimal: 36401</li>
   1.600 +<li>Binary: 1000111000110001</li>
   1.601 +</ul>
   1.602 +<h1 id="rfc.section.3.1">
   1.603 +<a href="#rfc.section.3.1">3.1.</a> <a href="#verification-process" id="verification-process">Verification Process</a>
   1.604 +</h1>
   1.605 +<p id="rfc.section.3.1.p.1">In the pEp Handshake the fingerprints of any two peers involved are combined and displayed in form of Trustwords <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a> for easy comparison by the involved parties.</p>
   1.606 +<p id="rfc.section.3.1.p.2">The default verification process involves three steps:</p>
   1.607 +<p></p>
   1.608 +
   1.609 +<ol>
   1.610 +<li>Combining fingerprints by XOR function  <br><br> Any two peers&#8217; fingerprints are combined bit-by-bit using the Exclusive-OR (XOR) function resulting in the Combined Fingerprint (CFP).</li>
   1.611 +<li>Mapping result to Trustwords:  <br><br> The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit hexadecimal block is mapped to a given Trustword) resulting in the Trustword Mapping (TWM).</li>
   1.612 +<li>Verify Trustwords over independent channel  <br><br> The resulting Trustwords (TWM) are compared and verified over an independent channel, e.g., a phone line. If this step was successful, the channel can be marked as authenticated.</li>
   1.613 +</ol>
   1.614 +<p id="rfc.section.3.1.p.4">Note: In prior implementations of pEp the fingerprints of any two peers were concatenated. While this has the advantage that the own identity&#8217;s Trustwords can be printed on a business card (like with fingerprints) or on contact sites or in signature texts of emails, this at the same time has the drawback that users might not carefully compare the words as they start to remember and recognize their Trustwords in the concatenated mapping. The avoid this undesired training effect, Trustwords for any peer-to-peer combination shall (very likely) differ.</p>
   1.615 +<h1 id="rfc.section.3.1.1">
   1.616 +<a href="#rfc.section.3.1.1">3.1.1.</a> <a href="#short-long-and-full-trustword-mapping" id="short-long-and-full-trustword-mapping">Short, Long and Full Trustword Mapping</a>
   1.617 +</h1>
   1.618 +<p id="rfc.section.3.1.1.p.1">The more an ordinary user needs to contribute to a process, the less likely a user will carry out all steps carefully. In particular, it was observed that a simple (manual) comparison of OpenPGP fingerprints is rarely carried out to the full extent, i.e., mostly only parts of the fingerprint are compared, if at all.</p>
   1.619 +<p id="rfc.section.3.1.1.p.2">For usability reasons and to create incentives for people to actually carry out a Handshake (while maintaining an certain level of entropy), pEp allows for different entropy levels, i.e.:</p>
   1.620 +<p></p>
   1.621 +
   1.622 +<ol>
   1.623 +<li>Full Trustword Mapping (F-TWM) MUST represent the maximum entropy achievable by the mapping. This means all Trustwords of a TWM MUST be displayed and compared.  <br><br> E.g., the fingerprint  <ul class="empty"><li>F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13</li></ul>
   1.624 +<p> is mapped to  </p>
   1.625 +<ul class="empty"><li>dog house brother town fat bath school banana kite task</li></ul>
   1.626 +</li>
   1.627 +<li>Long Trustword Mapping (L-TWM) requires a number of Trustwords that MUST retain at least 128 bits of entropy. Thus, L-TWM results into at least eight Trustwords to be compared by the user.  <br><br> E.g., the fingerprint  <ul class="empty"><li>F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC [ 3F13 ]</li></ul>
   1.628 +<p> is mapped to  </p>
   1.629 +<ul class="empty"><li>dog house brother town fat bath school banana kite [ remaining Trustword(s) omitted ]</li></ul>
   1.630 +</li>
   1.631 +<li>Short Trustword Mapping (S-TWM) requires a number of Trustwords that MUST retain at least 64 bits of entropy.  Thus, S-TWM results into at least four Trustwords to be compared by the user.  <br><br> E.g., the fingerprint  <ul class="empty"><li>F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]</li></ul>
   1.632 +<p> is mapped to  </p>
   1.633 +<ul class="empty"><li>dog house brother town fat [ remaining Trustwords omitted ]</li></ul>
   1.634 +</li>
   1.635 +</ol>
   1.636 +<h1 id="rfc.section.3.1.2">
   1.637 +<a href="#rfc.section.3.1.2">3.1.2.</a> <a href="#display-modes" id="display-modes">Display Modes</a>
   1.638 +</h1>
   1.639 +<p id="rfc.section.3.1.2.p.1">The pEp Handshake has three display modes for the verification process. All of the following modes MUST be implemented:</p>
   1.640 +<p></p>
   1.641 +
   1.642 +<ol>
   1.643 +<li>S-TWM mode (default)  <br><br> By default the S-TWM SHOULD be displayed to the user for comparison and verification. An easy way to switch to L-TWM mode MUST be implemented. An easy way to switch to fingerprint mode (see below) SHOULD be implemented. An easy way to switch to F-TWM mode MAY be implemented</li>
   1.644 +<li>L-TWM mode  <br><br> There are situations, where S-TWM is not sufficient (e.g., communication parties that are more likely under attack), in which the L-TWM MAY be displayed to the user by default. An easy way to switch to F-TWM mode MUST be implemented. An easy way to switch to fingerprint mode (see below) SHOULD be implemented. An easy way to switch to S-TWM mode MAY be implemented</li>
   1.645 +<li>F-TWM mode  <br><br> The full F-TWM MUST be implemented too, to address high risk secenarios.  An easy way to switch to fingerprint mode (see below) SHOULD be implemented. Easy ways to switch to L-TWM or S-TWM mode MAY be implemented.</li>
   1.646 +<li>Fingerprint mode (fallback)  <br><br> To retain compatibility to existing OpenPGP users (that know nothing about Trustwords), the fingerprint mode, a fallback to compare the original fingerprints (usually in hexadecimal form) MAY be used.  An easy way to switch to a least one of the TWM modes MUST be implemented.</li>
   1.647 +</ol>
   1.648 +<p id="rfc.section.3.1.2.p.3">If the verification process was successful, the user confirms it, e.g. by setting a check mark. Once the user has confirmed it, the Privacy Status <a href="#I-D.marques-pep-rating" class="xref">[I-D.marques-pep-rating]</a> for this channel MUST be updated accordingly.</p>
   1.649 +<h1 id="rfc.section.4">
   1.650 +<a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
   1.651 +</h1>
   1.652 +<p id="rfc.section.4.p.1">A (global) adversary can pre-generate all Trustwords any two users expect to compare and try to engage in MITM attacks which fit &#8211; it MUST NOT be assumed public keys and thus fingerprints to be something to stay secret, especially as in pEp public keys are aggressively distributed to all peers. Also similar Trustwords can be generated, which spelled on the phone might sound very similar.</p>
   1.653 +<h1 id="rfc.section.5">
   1.654 +<a href="#rfc.section.5">5.</a> <a href="#privacy-considerations" id="privacy-considerations">Privacy Considerations</a>
   1.655 +</h1>
   1.656 +<p id="rfc.section.5.p.1">[[ TODO ]]</p>
   1.657 +<h1 id="rfc.section.6">
   1.658 +<a href="#rfc.section.6">6.</a> <a href="#iana-considerations" id="iana-considerations">IANA Considerations</a>
   1.659 +</h1>
   1.660 +<p id="rfc.section.6.p.1">This document has no actions for IANA.</p>
   1.661 +<h1 id="rfc.section.7">
   1.662 +<a href="#rfc.section.7">7.</a> <a href="#implementation-status" id="implementation-status">Implementation Status</a>
   1.663 +</h1>
   1.664 +<h1 id="rfc.section.7.1">
   1.665 +<a href="#rfc.section.7.1">7.1.</a> <a href="#introduction-1" id="introduction-1">Introduction</a>
   1.666 +</h1>
   1.667 +<p id="rfc.section.7.1.p.1">This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <a href="#RFC7942" class="xref">[RFC7942]</a>.  The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors.  This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.</p>
   1.668 +<p id="rfc.section.7.1.p.2">According to <a href="#RFC7942" class="xref">[RFC7942]</a>, &#8220;[&#8230;] this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit.&#8221;</p>
   1.669 +<h1 id="rfc.section.7.2">
   1.670 +<a href="#rfc.section.7.2">7.2.</a> <a href="#current-software-implementing-pep" id="current-software-implementing-pep">Current software implementing pEp</a>
   1.671 +</h1>
   1.672 +<p id="rfc.section.7.2.p.1">The following software implementing the pEp protocols (to varying degrees) already exists:</p>
   1.673 +<p></p>
   1.674 +
   1.675 +<ul>
   1.676 +<li>pEp for Outlook as add-on for Microsoft Outlook, release <a href="#SRC.pepforoutlook" class="xref">[SRC.pepforoutlook]</a>
   1.677 +</li>
   1.678 +<li>pEp for Android (based on a fork of the K9 MUA), release <a href="#SRC.pepforandroid" class="xref">[SRC.pepforandroid]</a>
   1.679 +</li>
   1.680 +<li>Enigmail/pEp as add-on for Mozilla Thunderbird, release <a href="#SRC.enigmailpep" class="xref">[SRC.enigmailpep]</a>
   1.681 +</li>
   1.682 +<li>pEp for iOS (implemented in a new MUA), beta <a href="#SRC.pepforios" class="xref">[SRC.pepforios]</a>
   1.683 +</li>
   1.684 +</ul>
   1.685 +<p id="rfc.section.7.2.p.3">pEp for Android, iOS and Outlook are provided by pEp Security, a commercial entity specializing in end-user software implementing pEp while Enigmail/pEp is pursued as community project, supported by the pEp Foundation.</p>
   1.686 +<p id="rfc.section.7.2.p.4">All software is available as Free Software and published also in source form.</p>
   1.687 +<p id="rfc.section.7.2.p.5">Handshake is already implemented in all platforms listed above.</p>
   1.688 +<h1 id="rfc.section.8">
   1.689 +<a href="#rfc.section.8">8.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
   1.690 +</h1>
   1.691 +<p id="rfc.section.8.p.1">Special thanks to Volker Birk and Leon Schumacher who developed the original concept of the pEp Handshake.</p>
   1.692 +<p id="rfc.section.8.p.2">This work was initially created by pEp Foundation, and then reviewed and extended with funding by the Internet Society&#8217;s Beyond the Net Programme on standardizing pEp. <a href="#ISOC.bnet" class="xref">[ISOC.bnet]</a></p>
   1.693 +<h1 id="rfc.references">
   1.694 +<a href="#rfc.references">9.</a> References</h1>
   1.695 +<h1 id="rfc.references.1">
   1.696 +<a href="#rfc.references.1">9.1.</a> Normative References</h1>
   1.697 +<table><tbody>
   1.698 +<tr>
   1.699 +<td class="reference"><b id="I-D.birk-pep">[I-D.birk-pep]</b></td>
   1.700 +<td class="top">
   1.701 +<a>Birk, V.</a>, <a>Marques, H.</a> and <a>B. Hoeneisen</a>, "<a href="https://tools.ietf.org/html/draft-birk-pep-05">pretty Easy privacy (pEp): Privacy by Default</a>", Internet-Draft draft-birk-pep-05, November 2019.</td>
   1.702 +</tr>
   1.703 +<tr>
   1.704 +<td class="reference"><b id="I-D.birk-pep-trustwords">[I-D.birk-pep-trustwords]</b></td>
   1.705 +<td class="top">
   1.706 +<a>Hoeneisen, B.</a> and <a>H. Marques</a>, "<a href="https://tools.ietf.org/html/draft-birk-pep-trustwords-04">IANA Registration of Trustword Lists: Guide, Template and IANA Considerations</a>", Internet-Draft draft-birk-pep-trustwords-04, July 2019.</td>
   1.707 +</tr>
   1.708 +<tr>
   1.709 +<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
   1.710 +<td class="top">
   1.711 +<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
   1.712 +</tr>
   1.713 +<tr>
   1.714 +<td class="reference"><b id="RFC4949">[RFC4949]</b></td>
   1.715 +<td class="top">
   1.716 +<a>Shirey, R.</a>, "<a href="https://tools.ietf.org/html/rfc4949">Internet Security Glossary, Version 2</a>", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.</td>
   1.717 +</tr>
   1.718 +<tr>
   1.719 +<td class="reference"><b id="RFC7435">[RFC7435]</b></td>
   1.720 +<td class="top">
   1.721 +<a>Dukhovni, V.</a>, "<a href="https://tools.ietf.org/html/rfc7435">Opportunistic Security: Some Protection Most of the Time</a>", RFC 7435, DOI 10.17487/RFC7435, December 2014.</td>
   1.722 +</tr>
   1.723 +</tbody></table>
   1.724 +<h1 id="rfc.references.2">
   1.725 +<a href="#rfc.references.2">9.2.</a> Informative References</h1>
   1.726 +<table><tbody>
   1.727 +<tr>
   1.728 +<td class="reference"><b id="I-D.marques-pep-rating">[I-D.marques-pep-rating]</b></td>
   1.729 +<td class="top">
   1.730 +<a>Marques, H.</a> and <a>B. Hoeneisen</a>, "<a href="https://tools.ietf.org/html/draft-marques-pep-rating-02">pretty Easy privacy (pEp): Mapping of Privacy Rating</a>", Internet-Draft draft-marques-pep-rating-02, July 2019.</td>
   1.731 +</tr>
   1.732 +<tr>
   1.733 +<td class="reference"><b id="I-D.pep-keysync">[I-D.pep-keysync]</b></td>
   1.734 +<td class="top">
   1.735 +<a>Birk, V.</a>, <a>Hoeneisen, B.</a> and <a>K. Bristol</a>, "<a href="https://tools.ietf.org/html/draft-pep-keysync-00">pretty Easy privacy (pEp): Key Synchronization Protocol (KeySync)</a>", Internet-Draft draft-pep-keysync-00, November 2019.</td>
   1.736 +</tr>
   1.737 +<tr>
   1.738 +<td class="reference"><b id="ISOC.bnet">[ISOC.bnet]</b></td>
   1.739 +<td class="top">
   1.740 +<a>Simao, I.</a>, "<a href="https://www.internetsociety.org/blog/2017/06/12-innovative-projects-selected-for-beyond-the-net-funding/">Beyond the Net. 12 Innovative Projects Selected for Beyond the Net Funding. Implementing Privacy via Mass Encryption: Standardizing pretty Easy privacy&#8217;s protocols</a>", June 2017.</td>
   1.741 +</tr>
   1.742 +<tr>
   1.743 +<td class="reference"><b id="PGP.wl">[PGP.wl]</b></td>
   1.744 +<td class="top">"<a href="https://en.wikipedia.org/w/index.php?title=PGP_word_list&amp;oldid=749481933">PGP word list</a>", November 2017.</td>
   1.745 +</tr>
   1.746 +<tr>
   1.747 +<td class="reference"><b id="RFC4880">[RFC4880]</b></td>
   1.748 +<td class="top">
   1.749 +<a>Callas, J.</a>, <a>Donnerhacke, L.</a>, <a>Finney, H.</a>, <a>Shaw, D.</a> and <a>R. Thayer</a>, "<a href="https://tools.ietf.org/html/rfc4880">OpenPGP Message Format</a>", RFC 4880, DOI 10.17487/RFC4880, November 2007.</td>
   1.750 +</tr>
   1.751 +<tr>
   1.752 +<td class="reference"><b id="RFC5280">[RFC5280]</b></td>
   1.753 +<td class="top">
   1.754 +<a>Cooper, D.</a>, <a>Santesson, S.</a>, <a>Farrell, S.</a>, <a>Boeyen, S.</a>, <a>Housley, R.</a> and <a>W. Polk</a>, "<a href="https://tools.ietf.org/html/rfc5280">Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>", RFC 5280, DOI 10.17487/RFC5280, May 2008.</td>
   1.755 +</tr>
   1.756 +<tr>
   1.757 +<td class="reference"><b id="RFC7942">[RFC7942]</b></td>
   1.758 +<td class="top">
   1.759 +<a>Sheffer, Y.</a> and <a>A. Farrel</a>, "<a href="https://tools.ietf.org/html/rfc7942">Improving Awareness of Running Code: The Implementation Status Section</a>", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016.</td>
   1.760 +</tr>
   1.761 +<tr>
   1.762 +<td class="reference"><b id="signal">[signal]</b></td>
   1.763 +<td class="top">"<a href="https://signal.org/">Signal</a>", n.d..</td>
   1.764 +</tr>
   1.765 +<tr>
   1.766 +<td class="reference"><b id="SRC.enigmailpep">[SRC.enigmailpep]</b></td>
   1.767 +<td class="top">"<a href="https://enigmail.net/index.php/en/download/source-code">Source code for Enigmail/pEp</a>", July 2019.</td>
   1.768 +</tr>
   1.769 +<tr>
   1.770 +<td class="reference"><b id="SRC.pepforandroid">[SRC.pepforandroid]</b></td>
   1.771 +<td class="top">"<a href="https://pep-security.lu/gitlab/android/pep">Source code for pEp for Android</a>", July 2019.</td>
   1.772 +</tr>
   1.773 +<tr>
   1.774 +<td class="reference"><b id="SRC.pepforios">[SRC.pepforios]</b></td>
   1.775 +<td class="top">"<a href="https://pep-security.ch/dev/repos/pEp_for_iOS/">Source code for pEp for iOS</a>", July 2019.</td>
   1.776 +</tr>
   1.777 +<tr>
   1.778 +<td class="reference"><b id="SRC.pepforoutlook">[SRC.pepforoutlook]</b></td>
   1.779 +<td class="top">"<a href="https://pep-security.lu/dev/repos/pEp_for_Outlook/">Source code for pEp for Outlook</a>", July 2019.</td>
   1.780 +</tr>
   1.781 +<tr>
   1.782 +<td class="reference"><b id="threema">[threema]</b></td>
   1.783 +<td class="top">"<a href="https://threema.ch">Threema - Seriously secure messaging</a>", n.d..</td>
   1.784 +</tr>
   1.785 +</tbody></table>
   1.786 +<h1 id="rfc.appendix.A">
   1.787 +<a href="#rfc.appendix.A">Appendix A.</a> <a href="#document-changelog" id="document-changelog">Document Changelog</a>
   1.788 +</h1>
   1.789 +<p id="rfc.section.A.p.1">[[ RFC Editor: This section is to be removed before publication ]]</p>
   1.790 +<p></p>
   1.791 +
   1.792 +<ul>
   1.793 +<li>draft-marques-pep-handshake-04: <ul><li>Updated Terms and References</li></ul>
   1.794 +</li>
   1.795 +<li>draft-marques-pep-handshake-03: <ul><li>Updated Terms and References</li></ul>
   1.796 +</li>
   1.797 +<li>draft-marques-pep-handshake-02: <ul>
   1.798 +<li>Update Sections &#8220;Display modes&#8221; and &#8220;Short, Long and Full Trustword Mapping&#8221;</li>
   1.799 +<li>Add Privacy and IANA Considerations sections</li>
   1.800 +<li>Minor editorial changes</li>
   1.801 +</ul>
   1.802 +</li>
   1.803 +<li>draft-marques-pep-handshake-01: <ul>
   1.804 +<li>Fix references</li>
   1.805 +<li>Rewrite Sections &#8220;Display modes&#8221; and &#8220;Short, Long and Full Trustword Mapping&#8221;</li>
   1.806 +<li>Add reason why not to concatenate and map fingerprints instead</li>
   1.807 +<li>Minor editorial changes</li>
   1.808 +</ul>
   1.809 +</li>
   1.810 +<li>draft-marques-pep-handshake-00: <ul><li>Initial version</li></ul>
   1.811 +</li>
   1.812 +</ul>
   1.813 +<h1 id="rfc.appendix.B">
   1.814 +<a href="#rfc.appendix.B">Appendix B.</a> <a href="#open-issues" id="open-issues">Open Issues</a>
   1.815 +</h1>
   1.816 +<p id="rfc.section.B.p.1">[[ RFC Editor: This section should be empty and is to be removed before publication ]]</p>
   1.817 +<p></p>
   1.818 +
   1.819 +<ul><li>Add description for further processes to change the trust level, e.g., to remove trust or even mistrust a peer and alike.</li></ul>
   1.820 +<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
   1.821 +<div class="avoidbreak">
   1.822 +  <address class="vcard">
   1.823 +	<span class="vcardline">
   1.824 +	  <span class="fn">Hernani Marques</span> 
   1.825 +	  <span class="n hidden">
   1.826 +		<span class="family-name">Marques</span>
   1.827 +	  </span>
   1.828 +	</span>
   1.829 +	<span class="org vcardline">pEp Foundation</span>
   1.830 +	<span class="adr">
   1.831 +	  <span class="vcardline">Oberer Graben 4</span>
   1.832 +
   1.833 +	  <span class="vcardline">
   1.834 +		<span class="locality">CH-8400 Winterthur</span>,  
   1.835 +		<span class="region"></span>
   1.836 +		<span class="code"></span>
   1.837 +	  </span>
   1.838 +	  <span class="country-name vcardline">Switzerland</span>
   1.839 +	</span>
   1.840 +	<span class="vcardline">EMail: <a href="mailto:hernani.marques@pep.foundation">hernani.marques@pep.foundation</a></span>
   1.841 +
   1.842 +<span class="vcardline">URI: <a href="https://pep.foundation/">https://pep.foundation/</a></span>
   1.843 +
   1.844 +  </address>
   1.845 +</div><div class="avoidbreak">
   1.846 +  <address class="vcard">
   1.847 +	<span class="vcardline">
   1.848 +	  <span class="fn">Bernie Hoeneisen</span> 
   1.849 +	  <span class="n hidden">
   1.850 +		<span class="family-name">Hoeneisen</span>
   1.851 +	  </span>
   1.852 +	</span>
   1.853 +	<span class="org vcardline">pEp Foundation</span>
   1.854 +	<span class="adr">
   1.855 +	  <span class="vcardline">Oberer Graben 4</span>
   1.856 +
   1.857 +	  <span class="vcardline">
   1.858 +		<span class="locality">CH-8400 Winterthur</span>,  
   1.859 +		<span class="region"></span>
   1.860 +		<span class="code"></span>
   1.861 +	  </span>
   1.862 +	  <span class="country-name vcardline">Switzerland</span>
   1.863 +	</span>
   1.864 +	<span class="vcardline">EMail: <a href="mailto:bernie.hoeneisen@pep.foundation">bernie.hoeneisen@pep.foundation</a></span>
   1.865 +
   1.866 +<span class="vcardline">URI: <a href="https://pep.foundation/">https://pep.foundation/</a></span>
   1.867 +
   1.868 +  </address>
   1.869 +</div>
   1.870 +
   1.871 +</body>
   1.872 +</html>
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/pep-handshake/archive/draft-marques-pep-handshake-04.txt	Wed Jan 08 18:29:08 2020 +0100
     2.3 @@ -0,0 +1,728 @@
     2.4 +
     2.5 +
     2.6 +
     2.7 +
     2.8 +Network Working Group                                         H. Marques
     2.9 +Internet-Draft                                              B. Hoeneisen
    2.10 +Intended status: Standards Track                          pEp Foundation
    2.11 +Expires: July 11, 2020                                  January 08, 2020
    2.12 +
    2.13 +
    2.14 + pretty Easy privacy (pEp): Contact and Channel Authentication through
    2.15 +                               Handshake
    2.16 +                     draft-marques-pep-handshake-04
    2.17 +
    2.18 +Abstract
    2.19 +
    2.20 +   In interpersonal messaging end-to-end encryption means for public key
    2.21 +   distribution and verification of its authenticity are needed; the
    2.22 +   latter to prevent man-in-the-middle (MITM) attacks.
    2.23 +
    2.24 +   This document proposes a new method to easily verify a public key is
    2.25 +   authentic by a Handshake process that allows users to easily
    2.26 +   authenticate their communication channel.  The new method is targeted
    2.27 +   to Opportunistic Security scenarios and is already implemented in
    2.28 +   several applications of pretty Easy privacy (pEp).
    2.29 +
    2.30 +Status of This Memo
    2.31 +
    2.32 +   This Internet-Draft is submitted in full conformance with the
    2.33 +   provisions of BCP 78 and BCP 79.
    2.34 +
    2.35 +   Internet-Drafts are working documents of the Internet Engineering
    2.36 +   Task Force (IETF).  Note that other groups may also distribute
    2.37 +   working documents as Internet-Drafts.  The list of current Internet-
    2.38 +   Drafts is at https://datatracker.ietf.org/drafts/current/.
    2.39 +
    2.40 +   Internet-Drafts are draft documents valid for a maximum of six months
    2.41 +   and may be updated, replaced, or obsoleted by other documents at any
    2.42 +   time.  It is inappropriate to use Internet-Drafts as reference
    2.43 +   material or to cite them other than as "work in progress."
    2.44 +
    2.45 +   This Internet-Draft will expire on July 11, 2020.
    2.46 +
    2.47 +Copyright Notice
    2.48 +
    2.49 +   Copyright (c) 2020 IETF Trust and the persons identified as the
    2.50 +   document authors.  All rights reserved.
    2.51 +
    2.52 +   This document is subject to BCP 78 and the IETF Trust's Legal
    2.53 +   Provisions Relating to IETF Documents
    2.54 +   (https://trustee.ietf.org/license-info) in effect on the date of
    2.55 +   publication of this document.  Please review these documents
    2.56 +
    2.57 +
    2.58 +
    2.59 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 1]
    2.60 +
    2.61 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
    2.62 +
    2.63 +
    2.64 +   carefully, as they describe your rights and restrictions with respect
    2.65 +   to this document.  Code Components extracted from this document must
    2.66 +   include Simplified BSD License text as described in Section 4.e of
    2.67 +   the Trust Legal Provisions and are provided without warranty as
    2.68 +   described in the Simplified BSD License.
    2.69 +
    2.70 +Table of Contents
    2.71 +
    2.72 +   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
    2.73 +     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
    2.74 +     1.2.  Terms . . . . . . . . . . . . . . . . . . . . . . . . . .   3
    2.75 +   2.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .   4
    2.76 +     2.1.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . .   4
    2.77 +     2.2.  Existing Solutions  . . . . . . . . . . . . . . . . . . .   4
    2.78 +   3.  The pEp Handshake Proposal  . . . . . . . . . . . . . . . . .   5
    2.79 +     3.1.  Verification Process  . . . . . . . . . . . . . . . . . .   6
    2.80 +       3.1.1.  Short, Long and Full Trustword Mapping  . . . . . . .   6
    2.81 +       3.1.2.  Display Modes . . . . . . . . . . . . . . . . . . . .   7
    2.82 +   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
    2.83 +   5.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   9
    2.84 +   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
    2.85 +   7.  Implementation Status . . . . . . . . . . . . . . . . . . . .   9
    2.86 +     7.1.  Introduction  . . . . . . . . . . . . . . . . . . . . . .   9
    2.87 +     7.2.  Current software implementing pEp . . . . . . . . . . . .   9
    2.88 +   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  10
    2.89 +   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
    2.90 +     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
    2.91 +     9.2.  Informative References  . . . . . . . . . . . . . . . . .  11
    2.92 +   Appendix A.  Document Changelog . . . . . . . . . . . . . . . . .  12
    2.93 +   Appendix B.  Open Issues  . . . . . . . . . . . . . . . . . . . .  13
    2.94 +   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13
    2.95 +
    2.96 +1.  Introduction
    2.97 +
    2.98 +   In interpersonal messaging end-to-end encryption means for public key
    2.99 +   distribution and verification of its authenticity are needed.
   2.100 +
   2.101 +   Examples for key distribution include:
   2.102 +
   2.103 +   o  Exchange public keys out-of-band before encrypted communication
   2.104 +
   2.105 +   o  Use of centralized public key stores (e.g., OpenPGP Key Servers)
   2.106 +
   2.107 +   o  Ship public keys in-band when communicating
   2.108 +
   2.109 +   To prevent man-in-the-middle (MITM) attacks, additionally the
   2.110 +   authenticity of a public key needs to be verified.  Methods to
   2.111 +   authenticate public keys of peers include, e.g., to verify digital
   2.112 +
   2.113 +
   2.114 +
   2.115 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 2]
   2.116 +
   2.117 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.118 +
   2.119 +
   2.120 +   signatures of public keys (which may be signed in a hierarchical or
   2.121 +   flat manner, e.g., by a Web of Trust (WoT)), to compare the public
   2.122 +   key's fingerprints via a suitable independent channel, or to scan a
   2.123 +   QR mapping of the fingerprint (cf.  Section 2).
   2.124 +
   2.125 +   This document proposes a new method to verify the authenticity of
   2.126 +   public keys by a Handshake process that allows users to easily verify
   2.127 +   their communication channel.  Fingerprints of the involved peers are
   2.128 +   combined and mapped to (common) Trustwords [I-D.birk-pep-trustwords].
   2.129 +   The successful manual comparison of these Trustwords is used to
   2.130 +   consider the communication channel as trusted.
   2.131 +
   2.132 +   The proposed method is already implemented and used in applications
   2.133 +   of pretty Easy privacy (pEp) [I-D.birk-pep].  This document is
   2.134 +   targeted to applications based on the pEp framework and Opportunistic
   2.135 +   Security [RFC7435].  However, it may be also used in other
   2.136 +   applications as suitable.
   2.137 +
   2.138 +   Note: The pEp framework [I-D.birk-pep] proposes to automatize the use
   2.139 +   of end-to-end encryption for Internet users of email and other
   2.140 +   messaging applications and introduces methods to easily allow
   2.141 +   authentication.
   2.142 +
   2.143 +1.1.  Requirements Language
   2.144 +
   2.145 +   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   2.146 +   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   2.147 +   document are to be interpreted as described in [RFC2119].
   2.148 +
   2.149 +1.2.  Terms
   2.150 +
   2.151 +   The following terms are defined for the scope of this document:
   2.152 +
   2.153 +   o  Trustwords: A scalar-to-word representation of 16-bit numbers (0
   2.154 +      to 65535) to natural language words.  When doing a Handshake,
   2.155 +      peers are shown combined Trustwords of both public keys involved
   2.156 +      to ease the comparison.  [I-D.birk-pep-trustwords]
   2.157 +
   2.158 +   o  Trust On First Use (TOFU): cf. [RFC7435], which states: "In a
   2.159 +      protocol, TOFU calls for accepting and storing a public key or
   2.160 +      credential associated with an asserted identity, without
   2.161 +      authenticating that assertion.  Subsequent communication that is
   2.162 +      authenticated using the cached key or credential is secure against
   2.163 +      an MiTM attack, if such an attack did not succeed during the
   2.164 +      vulnerable initial communication."
   2.165 +
   2.166 +   o  Man-in-the-middle (MITM) attack: cf. [RFC4949], which states: "A
   2.167 +      form of active wiretapping attack in which the attacker intercepts
   2.168 +
   2.169 +
   2.170 +
   2.171 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 3]
   2.172 +
   2.173 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.174 +
   2.175 +
   2.176 +      and selectively modifies communicated data to masquerade as one or
   2.177 +      more of the entities involved in a communication association."
   2.178 +
   2.179 +2.  Problem Statement
   2.180 +
   2.181 +   To secure a communication channel, in public key cryptography each
   2.182 +   involved peer needs a key pair.  Its public key needs to be shared to
   2.183 +   other peers by some means.  However, the key obtained by the receiver
   2.184 +   may have been substituted or tampered with to allow for re-encryption
   2.185 +   attacks.  To prevent such man-in-the-middle (MITM) attacks, an
   2.186 +   important step is to verify the authenticity of a public key
   2.187 +   obtained.
   2.188 +
   2.189 +2.1.  Use Cases
   2.190 +
   2.191 +   Such a verification process is useful in at least two scenarios:
   2.192 +
   2.193 +   o  Verify channels to peers, e.g., to make sure opportunistically
   2.194 +      exchanged keys for end-to-end encryption are authentic.
   2.195 +
   2.196 +   o  Verify channels between own devices (in multi-device contexts),
   2.197 +      e.g., for the purpose of importing and synchronizing keys among
   2.198 +      different devices belonging to the same user (cf.
   2.199 +      [I-D.pep-keysync]).  This scenario is comparable to Bluetooth
   2.200 +      pairing before starting data transfers.
   2.201 +
   2.202 +2.2.  Existing Solutions
   2.203 +
   2.204 +   Current methods to authenticate public keys of peers include:
   2.205 +
   2.206 +   o  Digitally signed public keys are verified by a chain of trust.
   2.207 +      Two trust models are common in today's implementations.
   2.208 +
   2.209 +      *  Signing is carried out hierarchically, e.g. in a Public Key
   2.210 +         Infrastructure (PKI) [RFC5280], in which case the verification
   2.211 +         is based on a chain of trust with a Trust Anchor (TA) at the
   2.212 +         root.
   2.213 +
   2.214 +      *  Signing of public keys is done in a flat manner (by a Web of
   2.215 +         Trust), e.g., key signing in OpenPGP [RFC4880], where users
   2.216 +         sign the public keys of other users.  Verification may be based
   2.217 +         on transitive trust.
   2.218 +
   2.219 +   o  Peers are expected to directly compare the public key's
   2.220 +      fingerprints by any suitable independent channel - e.g, by phone
   2.221 +      or with a face-to-face meeting.  This method is often used in
   2.222 +      OpenPGP [RFC4880] contexts.
   2.223 +
   2.224 +
   2.225 +
   2.226 +
   2.227 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 4]
   2.228 +
   2.229 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.230 +
   2.231 +
   2.232 +   o  The public keys' fingerprints are mapped into a QR code, which is
   2.233 +      expected to be scanned between the peers when they happen to meet
   2.234 +      face-to-face.  This method is, e.g., used in the chat application
   2.235 +      Threema [threema].
   2.236 +
   2.237 +   o  The public keys' fingerprints are mapped into numerical codes
   2.238 +      which decimal digits only (so-called "safety numbers"), which
   2.239 +      makes the strings the humans need to compare easier in respect to
   2.240 +      hexacodes, but longer and thus nevertheless cumbersome.  This
   2.241 +      method is e.g. used in the chat application Signal [signal].
   2.242 +
   2.243 +   Some of the methods can even be used in conjunction with Trustwords
   2.244 +   [I-D.birk-pep-trustwords] or the PGP Word list [PGP.wl].
   2.245 +
   2.246 +   None of the existing solutions meets all requirements set up by pEp
   2.247 +   [I-D.birk-pep], e.g.:
   2.248 +
   2.249 +   o  Easy solution that can be handled easily by ordinary users
   2.250 +
   2.251 +   o  In case privacy and security contradict each other, privacy is
   2.252 +      always preferred over security (e.g., the Web of Trust contradicts
   2.253 +      privacy)
   2.254 +
   2.255 +   o  No central entities
   2.256 +
   2.257 +   Most of today's systems lack easy ways for users to authenticate
   2.258 +   their communication channel.  Some methods leak private data (e.g.,
   2.259 +   their social graph) or depend on central entities.  Thus, none of
   2.260 +   today's systems fulfills all of the pEp requirements (cf. above).
   2.261 +
   2.262 +3.  The pEp Handshake Proposal
   2.263 +
   2.264 +   In pretty Easy privacy (pEp), the proposed approach for peers to
   2.265 +   authenticate each other is to engage in the pEp Handshake.
   2.266 +
   2.267 +   In current pEp implementations (cf.  Section 7.2), the same kinds of
   2.268 +   keys as in OpenPGP are used.  Such keys include a fingerprint as
   2.269 +   cryptographic hash over the public key.  This fingerprint is normally
   2.270 +   represented in a hexadecimal form, consisting of ten 4-digit
   2.271 +   hexadecimal blocks, e.g.:
   2.272 +
   2.273 +      8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19
   2.274 +
   2.275 +   Each block may also be represented in decimal numbers from 0 to 65535
   2.276 +   or in other numerical forms, e.g.
   2.277 +
   2.278 +   o  Hexadecimal: 8E31
   2.279 +
   2.280 +
   2.281 +
   2.282 +
   2.283 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 5]
   2.284 +
   2.285 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.286 +
   2.287 +
   2.288 +   o  Decimal: 36401
   2.289 +
   2.290 +   o  Binary: 1000111000110001
   2.291 +
   2.292 +3.1.  Verification Process
   2.293 +
   2.294 +   In the pEp Handshake the fingerprints of any two peers involved are
   2.295 +   combined and displayed in form of Trustwords
   2.296 +   [I-D.birk-pep-trustwords] for easy comparison by the involved
   2.297 +   parties.
   2.298 +
   2.299 +   The default verification process involves three steps:
   2.300 +
   2.301 +   1.  Combining fingerprints by XOR function
   2.302 +
   2.303 +       Any two peers' fingerprints are combined bit-by-bit using the
   2.304 +       Exclusive-OR (XOR) function resulting in the Combined Fingerprint
   2.305 +       (CFP).
   2.306 +
   2.307 +   2.  Mapping result to Trustwords:
   2.308 +
   2.309 +       The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit
   2.310 +       hexadecimal block is mapped to a given Trustword) resulting in
   2.311 +       the Trustword Mapping (TWM).
   2.312 +
   2.313 +   3.  Verify Trustwords over independent channel
   2.314 +
   2.315 +       The resulting Trustwords (TWM) are compared and verified over an
   2.316 +       independent channel, e.g., a phone line.  If this step was
   2.317 +       successful, the channel can be marked as authenticated.
   2.318 +
   2.319 +   Note: In prior implementations of pEp the fingerprints of any two
   2.320 +   peers were concatenated.  While this has the advantage that the own
   2.321 +   identity's Trustwords can be printed on a business card (like with
   2.322 +   fingerprints) or on contact sites or in signature texts of emails,
   2.323 +   this at the same time has the drawback that users might not carefully
   2.324 +   compare the words as they start to remember and recognize their
   2.325 +   Trustwords in the concatenated mapping.  The avoid this undesired
   2.326 +   training effect, Trustwords for any peer-to-peer combination shall
   2.327 +   (very likely) differ.
   2.328 +
   2.329 +3.1.1.  Short, Long and Full Trustword Mapping
   2.330 +
   2.331 +   The more an ordinary user needs to contribute to a process, the less
   2.332 +   likely a user will carry out all steps carefully.  In particular, it
   2.333 +   was observed that a simple (manual) comparison of OpenPGP
   2.334 +   fingerprints is rarely carried out to the full extent, i.e., mostly
   2.335 +   only parts of the fingerprint are compared, if at all.
   2.336 +
   2.337 +
   2.338 +
   2.339 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 6]
   2.340 +
   2.341 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.342 +
   2.343 +
   2.344 +   For usability reasons and to create incentives for people to actually
   2.345 +   carry out a Handshake (while maintaining an certain level of
   2.346 +   entropy), pEp allows for different entropy levels, i.e.:
   2.347 +
   2.348 +   1.  Full Trustword Mapping (F-TWM) MUST represent the maximum entropy
   2.349 +       achievable by the mapping.  This means all Trustwords of a TWM
   2.350 +       MUST be displayed and compared.
   2.351 +
   2.352 +       E.g., the fingerprint
   2.353 +
   2.354 +          F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13
   2.355 +
   2.356 +       is mapped to
   2.357 +
   2.358 +          dog house brother town fat bath school banana kite task
   2.359 +
   2.360 +   2.  Long Trustword Mapping (L-TWM) requires a number of Trustwords
   2.361 +       that MUST retain at least 128 bits of entropy.  Thus, L-TWM
   2.362 +       results into at least eight Trustwords to be compared by the
   2.363 +       user.
   2.364 +
   2.365 +       E.g., the fingerprint
   2.366 +
   2.367 +          F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC [ 3F13 ]
   2.368 +
   2.369 +       is mapped to
   2.370 +
   2.371 +          dog house brother town fat bath school banana kite [ remaining
   2.372 +          Trustword(s) omitted ]
   2.373 +
   2.374 +   3.  Short Trustword Mapping (S-TWM) requires a number of Trustwords
   2.375 +       that MUST retain at least 64 bits of entropy.  Thus, S-TWM
   2.376 +       results into at least four Trustwords to be compared by the user.
   2.377 +
   2.378 +       E.g., the fingerprint
   2.379 +
   2.380 +          F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]
   2.381 +
   2.382 +       is mapped to
   2.383 +
   2.384 +          dog house brother town fat [ remaining Trustwords omitted ]
   2.385 +
   2.386 +3.1.2.  Display Modes
   2.387 +
   2.388 +   The pEp Handshake has three display modes for the verification
   2.389 +   process.  All of the following modes MUST be implemented:
   2.390 +
   2.391 +   1.  S-TWM mode (default)
   2.392 +
   2.393 +
   2.394 +
   2.395 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 7]
   2.396 +
   2.397 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.398 +
   2.399 +
   2.400 +       By default the S-TWM SHOULD be displayed to the user for
   2.401 +       comparison and verification.  An easy way to switch to L-TWM mode
   2.402 +       MUST be implemented.  An easy way to switch to fingerprint mode
   2.403 +       (see below) SHOULD be implemented.  An easy way to switch to
   2.404 +       F-TWM mode MAY be implemented
   2.405 +
   2.406 +   2.  L-TWM mode
   2.407 +
   2.408 +       There are situations, where S-TWM is not sufficient (e.g.,
   2.409 +       communication parties that are more likely under attack), in
   2.410 +       which the L-TWM MAY be displayed to the user by default.  An easy
   2.411 +       way to switch to F-TWM mode MUST be implemented.  An easy way to
   2.412 +       switch to fingerprint mode (see below) SHOULD be implemented.  An
   2.413 +       easy way to switch to S-TWM mode MAY be implemented
   2.414 +
   2.415 +   3.  F-TWM mode
   2.416 +
   2.417 +       The full F-TWM MUST be implemented too, to address high risk
   2.418 +       secenarios.  An easy way to switch to fingerprint mode (see
   2.419 +       below) SHOULD be implemented.  Easy ways to switch to L-TWM or
   2.420 +       S-TWM mode MAY be implemented.
   2.421 +
   2.422 +   4.  Fingerprint mode (fallback)
   2.423 +
   2.424 +       To retain compatibility to existing OpenPGP users (that know
   2.425 +       nothing about Trustwords), the fingerprint mode, a fallback to
   2.426 +       compare the original fingerprints (usually in hexadecimal form)
   2.427 +       MAY be used.  An easy way to switch to a least one of the TWM
   2.428 +       modes MUST be implemented.
   2.429 +
   2.430 +   If the verification process was successful, the user confirms it,
   2.431 +   e.g. by setting a check mark.  Once the user has confirmed it, the
   2.432 +   Privacy Status [I-D.marques-pep-rating] for this channel MUST be
   2.433 +   updated accordingly.
   2.434 +
   2.435 +4.  Security Considerations
   2.436 +
   2.437 +   A (global) adversary can pre-generate all Trustwords any two users
   2.438 +   expect to compare and try to engage in MITM attacks which fit - it
   2.439 +   MUST NOT be assumed public keys and thus fingerprints to be something
   2.440 +   to stay secret, especially as in pEp public keys are aggressively
   2.441 +   distributed to all peers.  Also similar Trustwords can be generated,
   2.442 +   which spelled on the phone might sound very similar.
   2.443 +
   2.444 +
   2.445 +
   2.446 +
   2.447 +
   2.448 +
   2.449 +
   2.450 +
   2.451 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 8]
   2.452 +
   2.453 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.454 +
   2.455 +
   2.456 +5.  Privacy Considerations
   2.457 +
   2.458 +   [[ TODO ]]
   2.459 +
   2.460 +6.  IANA Considerations
   2.461 +
   2.462 +   This document has no actions for IANA.
   2.463 +
   2.464 +7.  Implementation Status
   2.465 +
   2.466 +7.1.  Introduction
   2.467 +
   2.468 +   This section records the status of known implementations of the
   2.469 +   protocol defined by this specification at the time of posting of this
   2.470 +   Internet-Draft, and is based on a proposal described in [RFC7942].
   2.471 +   The description of implementations in this section is intended to
   2.472 +   assist the IETF in its decision processes in progressing drafts to
   2.473 +   RFCs.  Please note that the listing of any individual implementation
   2.474 +   here does not imply endorsement by the IETF.  Furthermore, no effort
   2.475 +   has been spent to verify the information presented here that was
   2.476 +   supplied by IETF contributors.  This is not intended as, and must not
   2.477 +   be construed to be, a catalog of available implementations or their
   2.478 +   features.  Readers are advised to note that other implementations may
   2.479 +   exist.
   2.480 +
   2.481 +   According to [RFC7942], "[...] this will allow reviewers and working
   2.482 +   groups to assign due consideration to documents that have the benefit
   2.483 +   of running code, which may serve as evidence of valuable
   2.484 +   experimentation and feedback that have made the implemented protocols
   2.485 +   more mature.  It is up to the individual working groups to use this
   2.486 +   information as they see fit."
   2.487 +
   2.488 +7.2.  Current software implementing pEp
   2.489 +
   2.490 +   The following software implementing the pEp protocols (to varying
   2.491 +   degrees) already exists:
   2.492 +
   2.493 +   o  pEp for Outlook as add-on for Microsoft Outlook, release
   2.494 +      [SRC.pepforoutlook]
   2.495 +
   2.496 +   o  pEp for Android (based on a fork of the K9 MUA), release
   2.497 +      [SRC.pepforandroid]
   2.498 +
   2.499 +   o  Enigmail/pEp as add-on for Mozilla Thunderbird, release
   2.500 +      [SRC.enigmailpep]
   2.501 +
   2.502 +   o  pEp for iOS (implemented in a new MUA), beta [SRC.pepforios]
   2.503 +
   2.504 +
   2.505 +
   2.506 +
   2.507 +Marques & Hoeneisen       Expires July 11, 2020                 [Page 9]
   2.508 +
   2.509 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.510 +
   2.511 +
   2.512 +   pEp for Android, iOS and Outlook are provided by pEp Security, a
   2.513 +   commercial entity specializing in end-user software implementing pEp
   2.514 +   while Enigmail/pEp is pursued as community project, supported by the
   2.515 +   pEp Foundation.
   2.516 +
   2.517 +   All software is available as Free Software and published also in
   2.518 +   source form.
   2.519 +
   2.520 +   Handshake is already implemented in all platforms listed above.
   2.521 +
   2.522 +8.  Acknowledgements
   2.523 +
   2.524 +   Special thanks to Volker Birk and Leon Schumacher who developed the
   2.525 +   original concept of the pEp Handshake.
   2.526 +
   2.527 +   This work was initially created by pEp Foundation, and then reviewed
   2.528 +   and extended with funding by the Internet Society's Beyond the Net
   2.529 +   Programme on standardizing pEp.  [ISOC.bnet]
   2.530 +
   2.531 +9.  References
   2.532 +
   2.533 +9.1.  Normative References
   2.534 +
   2.535 +   [I-D.birk-pep]
   2.536 +              Birk, V., Marques, H., and B. Hoeneisen, "pretty Easy
   2.537 +              privacy (pEp): Privacy by Default", draft-birk-pep-05
   2.538 +              (work in progress), November 2019.
   2.539 +
   2.540 +   [I-D.birk-pep-trustwords]
   2.541 +              Hoeneisen, B. and H. Marques, "IANA Registration of
   2.542 +              Trustword Lists: Guide, Template and IANA Considerations",
   2.543 +              draft-birk-pep-trustwords-04 (work in progress), July
   2.544 +              2019.
   2.545 +
   2.546 +   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
   2.547 +              Requirement Levels", BCP 14, RFC 2119,
   2.548 +              DOI 10.17487/RFC2119, March 1997,
   2.549 +              <https://www.rfc-editor.org/info/rfc2119>.
   2.550 +
   2.551 +   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
   2.552 +              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
   2.553 +              <https://www.rfc-editor.org/info/rfc4949>.
   2.554 +
   2.555 +   [RFC7435]  Dukhovni, V., "Opportunistic Security: Some Protection
   2.556 +              Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
   2.557 +              December 2014, <https://www.rfc-editor.org/info/rfc7435>.
   2.558 +
   2.559 +
   2.560 +
   2.561 +
   2.562 +
   2.563 +Marques & Hoeneisen       Expires July 11, 2020                [Page 10]
   2.564 +
   2.565 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.566 +
   2.567 +
   2.568 +9.2.  Informative References
   2.569 +
   2.570 +   [I-D.marques-pep-rating]
   2.571 +              Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp):
   2.572 +              Mapping of Privacy Rating", draft-marques-pep-rating-02
   2.573 +              (work in progress), July 2019.
   2.574 +
   2.575 +   [I-D.pep-keysync]
   2.576 +              Birk, V., Hoeneisen, B., and K. Bristol, "pretty Easy
   2.577 +              privacy (pEp): Key Synchronization Protocol (KeySync)",
   2.578 +              draft-pep-keysync-00 (work in progress), November 2019.
   2.579 +
   2.580 +   [ISOC.bnet]
   2.581 +              Simao, I., "Beyond the Net. 12 Innovative Projects
   2.582 +              Selected for Beyond the Net Funding. Implementing Privacy
   2.583 +              via Mass Encryption: Standardizing pretty Easy privacy's
   2.584 +              protocols", June 2017, <https://www.internetsociety.org/
   2.585 +              blog/2017/06/12-innovative-projects-selected-for-beyond-
   2.586 +              the-net-funding/>.
   2.587 +
   2.588 +   [PGP.wl]   "PGP word list", November 2017,
   2.589 +              <https://en.wikipedia.org/w/
   2.590 +              index.php?title=PGP_word_list&oldid=749481933>.
   2.591 +
   2.592 +   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
   2.593 +              Thayer, "OpenPGP Message Format", RFC 4880,
   2.594 +              DOI 10.17487/RFC4880, November 2007,
   2.595 +              <https://www.rfc-editor.org/info/rfc4880>.
   2.596 +
   2.597 +   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
   2.598 +              Housley, R., and W. Polk, "Internet X.509 Public Key
   2.599 +              Infrastructure Certificate and Certificate Revocation List
   2.600 +              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
   2.601 +              <https://www.rfc-editor.org/info/rfc5280>.
   2.602 +
   2.603 +   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
   2.604 +              Code: The Implementation Status Section", BCP 205,
   2.605 +              RFC 7942, DOI 10.17487/RFC7942, July 2016,
   2.606 +              <https://www.rfc-editor.org/info/rfc7942>.
   2.607 +
   2.608 +   [signal]   "Signal", n.d., <https://signal.org/>.
   2.609 +
   2.610 +   [SRC.enigmailpep]
   2.611 +              "Source code for Enigmail/pEp", July 2019,
   2.612 +              <https://enigmail.net/index.php/en/download/source-code>.
   2.613 +
   2.614 +
   2.615 +
   2.616 +
   2.617 +
   2.618 +
   2.619 +Marques & Hoeneisen       Expires July 11, 2020                [Page 11]
   2.620 +
   2.621 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.622 +
   2.623 +
   2.624 +   [SRC.pepforandroid]
   2.625 +              "Source code for pEp for Android", July 2019,
   2.626 +              <https://pep-security.lu/gitlab/android/pep>.
   2.627 +
   2.628 +   [SRC.pepforios]
   2.629 +              "Source code for pEp for iOS", July 2019,
   2.630 +              <https://pep-security.ch/dev/repos/pEp_for_iOS/>.
   2.631 +
   2.632 +   [SRC.pepforoutlook]
   2.633 +              "Source code for pEp for Outlook", July 2019,
   2.634 +              <https://pep-security.lu/dev/repos/pEp_for_Outlook/>.
   2.635 +
   2.636 +   [threema]  "Threema - Seriously secure messaging", n.d.,
   2.637 +              <https://threema.ch>.
   2.638 +
   2.639 +Appendix A.  Document Changelog
   2.640 +
   2.641 +   [[ RFC Editor: This section is to be removed before publication ]]
   2.642 +
   2.643 +   o  draft-marques-pep-handshake-04:
   2.644 +
   2.645 +      *  Updated Terms and References
   2.646 +
   2.647 +   o  draft-marques-pep-handshake-03:
   2.648 +
   2.649 +      *  Updated Terms and References
   2.650 +
   2.651 +   o  draft-marques-pep-handshake-02:
   2.652 +
   2.653 +      *  Update Sections "Display modes" and "Short, Long and Full
   2.654 +         Trustword Mapping"
   2.655 +
   2.656 +      *  Add Privacy and IANA Considerations sections
   2.657 +
   2.658 +      *  Minor editorial changes
   2.659 +
   2.660 +   o  draft-marques-pep-handshake-01:
   2.661 +
   2.662 +      *  Fix references
   2.663 +
   2.664 +      *  Rewrite Sections "Display modes" and "Short, Long and Full
   2.665 +         Trustword Mapping"
   2.666 +
   2.667 +      *  Add reason why not to concatenate and map fingerprints instead
   2.668 +
   2.669 +      *  Minor editorial changes
   2.670 +
   2.671 +   o  draft-marques-pep-handshake-00:
   2.672 +
   2.673 +
   2.674 +
   2.675 +Marques & Hoeneisen       Expires July 11, 2020                [Page 12]
   2.676 +
   2.677 +Internet-Draft     pretty Easy privacy (pEp) Handshake      January 2020
   2.678 +
   2.679 +
   2.680 +      *  Initial version
   2.681 +
   2.682 +Appendix B.  Open Issues
   2.683 +
   2.684 +   [[ RFC Editor: This section should be empty and is to be removed
   2.685 +   before publication ]]
   2.686 +
   2.687 +   o  Add description for further processes to change the trust level,
   2.688 +      e.g., to remove trust or even mistrust a peer and alike.
   2.689 +
   2.690 +Authors' Addresses
   2.691 +
   2.692 +   Hernani Marques
   2.693 +   pEp Foundation
   2.694 +   Oberer Graben 4
   2.695 +   CH-8400 Winterthur
   2.696 +   Switzerland
   2.697 +
   2.698 +   Email: hernani.marques@pep.foundation
   2.699 +   URI:   https://pep.foundation/
   2.700 +
   2.701 +
   2.702 +   Bernie Hoeneisen
   2.703 +   pEp Foundation
   2.704 +   Oberer Graben 4
   2.705 +   CH-8400 Winterthur
   2.706 +   Switzerland
   2.707 +
   2.708 +   Email: bernie.hoeneisen@pep.foundation
   2.709 +   URI:   https://pep.foundation/
   2.710 +
   2.711 +
   2.712 +
   2.713 +
   2.714 +
   2.715 +
   2.716 +
   2.717 +
   2.718 +
   2.719 +
   2.720 +
   2.721 +
   2.722 +
   2.723 +
   2.724 +
   2.725 +
   2.726 +
   2.727 +
   2.728 +
   2.729 +
   2.730 +
   2.731 +Marques & Hoeneisen       Expires July 11, 2020                [Page 13]
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/pep-handshake/archive/draft-marques-pep-handshake-04.xml	Wed Jan 08 18:29:08 2020 +0100
     3.3 @@ -0,0 +1,983 @@
     3.4 +<?xml version="1.0" encoding="utf-8"?>
     3.5 +  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
     3.6 +  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version  -->
     3.7 +
     3.8 +<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
     3.9 +]>
    3.10 +
    3.11 +<?rfc toc="yes"?>
    3.12 +<?rfc sortrefs="yes"?>
    3.13 +<?rfc symrefs="yes"?>
    3.14 +<?rfc comments="yes"?>
    3.15 +
    3.16 +<rfc docName="draft-marques-pep-handshake-04" category="std">
    3.17 +
    3.18 +  <front>
    3.19 +    <title abbrev="pretty Easy privacy (pEp) Handshake">pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake</title>
    3.20 +
    3.21 +    <author initials="H." surname="Marques" fullname="Hernani Marques">
    3.22 +      <organization>pEp Foundation</organization>
    3.23 +      <address>
    3.24 +        <postal>
    3.25 +          <street>Oberer Graben 4</street>
    3.26 +          <city>CH-8400 Winterthur</city>
    3.27 +          <country>Switzerland</country>
    3.28 +        </postal>
    3.29 +        <email>hernani.marques@pep.foundation</email>
    3.30 +        <uri>https://pep.foundation/</uri>
    3.31 +      </address>
    3.32 +    </author>
    3.33 +    <author initials="B." surname="Hoeneisen" fullname="Bernie Hoeneisen">
    3.34 +      <organization>pEp Foundation</organization>
    3.35 +      <address>
    3.36 +        <postal>
    3.37 +          <street>Oberer Graben 4</street>
    3.38 +          <city>CH-8400 Winterthur</city>
    3.39 +          <country>Switzerland</country>
    3.40 +        </postal>
    3.41 +        <email>bernie.hoeneisen@pep.foundation</email>
    3.42 +        <uri>https://pep.foundation/</uri>
    3.43 +      </address>
    3.44 +    </author>
    3.45 +
    3.46 +    <date year="2020" month="January" day="08"/>
    3.47 +
    3.48 +    
    3.49 +    
    3.50 +    
    3.51 +
    3.52 +    <abstract>
    3.53 +
    3.54 +
    3.55 +<t>In interpersonal messaging end-to-end encryption means for public key
    3.56 +distribution and verification of its authenticity are needed; the latter
    3.57 +to prevent man-in-the-middle (MITM) attacks.</t>
    3.58 +
    3.59 +<t>This document proposes a new method to easily verify a public key is
    3.60 +authentic by a Handshake process that allows users to easily
    3.61 +authenticate their communication channel. The new method is targeted to
    3.62 +Opportunistic Security scenarios and is already implemented in several
    3.63 +applications of pretty Easy privacy (pEp).</t>
    3.64 +
    3.65 +
    3.66 +
    3.67 +    </abstract>
    3.68 +
    3.69 +
    3.70 +  </front>
    3.71 +
    3.72 +  <middle>
    3.73 +
    3.74 +
    3.75 +<section anchor="introduction" title="Introduction">
    3.76 +
    3.77 +<t>In interpersonal messaging end-to-end encryption means for public key
    3.78 +distribution and verification of its authenticity are needed.</t>
    3.79 +
    3.80 +<t>Examples for key distribution include:</t>
    3.81 +
    3.82 +<t><list style="symbols">
    3.83 +  <t>Exchange public keys out-of-band before encrypted communication</t>
    3.84 +  <t>Use of centralized public key stores (e.g., OpenPGP Key Servers)</t>
    3.85 +  <t>Ship public keys in-band when communicating</t>
    3.86 +</list></t>
    3.87 +
    3.88 +<t>To prevent man-in-the-middle (MITM) attacks, additionally the
    3.89 +authenticity of a public key needs to be verified. Methods to
    3.90 +authenticate public keys of peers include, e.g., to verify digital
    3.91 +signatures of public keys (which may be signed in a hierarchical or
    3.92 +flat manner, e.g., by a Web of Trust (WoT)), to compare the public
    3.93 +key’s fingerprints via a suitable independent channel, or to scan a QR
    3.94 +mapping of the fingerprint (cf. <xref target="problem-statement"/>).</t>
    3.95 +
    3.96 +<t>This document proposes a new method to verify the authenticity of
    3.97 +public keys by a Handshake process that allows users to easily verify
    3.98 +their communication channel. Fingerprints of the involved peers are
    3.99 +combined and mapped to (common) Trustwords
   3.100 +<xref target="I-D.birk-pep-trustwords"/>. The successful manual comparison of
   3.101 +these Trustwords is used to consider the communication channel as
   3.102 +trusted.</t>
   3.103 +
   3.104 +<t>The proposed method is already implemented and used in applications of
   3.105 +pretty Easy privacy (pEp) <xref target="I-D.birk-pep"/>. This document is targeted
   3.106 +to applications based on the pEp framework and Opportunistic Security
   3.107 +<xref target="RFC7435"/>. However, it may be also used in other applications as
   3.108 +suitable.</t>
   3.109 +
   3.110 +<t>Note: The pEp framework <xref target="I-D.birk-pep"/> proposes to automatize the
   3.111 +use of end-to-end encryption for Internet users of email and other
   3.112 +messaging applications and introduces methods to easily allow
   3.113 +authentication.</t>
   3.114 +
   3.115 +<section anchor="requirements-language" title="Requirements Language">
   3.116 +
   3.117 +<t>The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
   3.118 +“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this
   3.119 +document are to be interpreted as described in <xref target="RFC2119"/>.</t>
   3.120 +
   3.121 +</section>
   3.122 +<section anchor="terms" title="Terms">
   3.123 +
   3.124 +<t>The following terms are defined for the scope of this document:</t>
   3.125 +
   3.126 +<!-- {::include ../shared/text-blocks/handshake.mkd} -->
   3.127 +<t><list style="symbols">
   3.128 +  <t>Trustwords: A scalar-to-word representation of 16-bit numbers (0 to
   3.129 +65535) to natural language words. When doing a Handshake, peers are
   3.130 +shown combined Trustwords of both public keys involved to ease the
   3.131 +comparison. <xref target="I-D.birk-pep-trustwords"/></t>
   3.132 +</list></t>
   3.133 +
   3.134 +<!--
   3.135 +
   3.136 +[KRB] If my suggestions above are kept [[pEp Handshake]], there is no
   3.137 +need to have the second sentence about the Handshake, as it's already
   3.138 +been related in the Handshake definition.
   3.139 +
   3.140 +-->
   3.141 +
   3.142 +<t><list style="symbols">
   3.143 +  <t>Trust On First Use (TOFU): cf. <xref target="RFC7435"/>, which states: “In a
   3.144 +protocol, TOFU calls for accepting and storing a public key or
   3.145 +credential associated with an asserted identity, without
   3.146 +authenticating that assertion. Subsequent communication that is
   3.147 +authenticated using the cached key or credential is secure against
   3.148 +an MiTM attack, if such an attack did not succeed during the
   3.149 +vulnerable initial communication.”</t>
   3.150 +</list></t>
   3.151 +
   3.152 +<!-- TODO: Make clear that we use TOFU without T. -->
   3.153 +
   3.154 +<t><list style="symbols">
   3.155 +  <t>Man-in-the-middle (MITM) attack: cf. <xref target="RFC4949"/>, which states: “A
   3.156 +form of active wiretapping attack in which the attacker intercepts
   3.157 +and selectively modifies communicated data to masquerade as one or
   3.158 +more of the entities involved in a communication association.”</t>
   3.159 +</list></t>
   3.160 +
   3.161 +</section>
   3.162 +</section>
   3.163 +<section anchor="problem-statement" title="Problem Statement">
   3.164 +
   3.165 +<t>To secure a communication channel, in public key cryptography each
   3.166 +involved peer needs a key pair. Its public key needs to be shared to
   3.167 +other peers by some means. However, the key obtained by the receiver
   3.168 +may have been substituted or tampered with to allow for re-encryption
   3.169 +attacks. To prevent such man-in-the-middle (MITM) attacks, an
   3.170 +important step is to verify the authenticity of a public key obtained.</t>
   3.171 +
   3.172 +<section anchor="use-cases" title="Use Cases">
   3.173 +
   3.174 +<t>Such a verification process is useful in at least two scenarios:</t>
   3.175 +
   3.176 +<t><list style="symbols">
   3.177 +  <t>Verify channels to peers, e.g., to make sure opportunistically
   3.178 +exchanged keys for end-to-end encryption are authentic.</t>
   3.179 +  <t>Verify channels between own devices (in multi-device contexts),
   3.180 +e.g., for the purpose of importing and synchronizing keys among
   3.181 +different devices belonging to the same user
   3.182 +(cf. <xref target="I-D.pep-keysync"/>). This scenario is comparable to
   3.183 +Bluetooth pairing before starting data transfers.</t>
   3.184 +</list></t>
   3.185 +
   3.186 +</section>
   3.187 +<section anchor="existing-solutions" title="Existing Solutions">
   3.188 +
   3.189 +<t>Current methods to authenticate public keys of peers include:</t>
   3.190 +
   3.191 +<t><list style="symbols">
   3.192 +  <t>Digitally signed public keys are verified by a chain of trust. Two
   3.193 +trust models are common in today’s implementations.  <list style="symbols">
   3.194 +      <t>Signing is carried out hierarchically, e.g. in a Public Key
   3.195 +Infrastructure (PKI) <xref target="RFC5280"/>, in which case
   3.196 +the verification is based on a chain of trust with a Trust Anchor
   3.197 +(TA) at the root.</t>
   3.198 +      <t>Signing of public keys is done in a flat manner (by a Web of
   3.199 +Trust), e.g., key signing in OpenPGP <xref target="RFC4880"/>, where users sign
   3.200 +the public keys of other users. Verification may be based on
   3.201 +transitive trust.</t>
   3.202 +    </list></t>
   3.203 +  <t>Peers are expected to directly compare the public key’s fingerprints
   3.204 +by any suitable independent channel – e.g, by phone or with a
   3.205 +face-to-face meeting. This method is often used in OpenPGP
   3.206 +<xref target="RFC4880"/> contexts.</t>
   3.207 +  <t>The public keys’ fingerprints are mapped into a QR code, which is
   3.208 +expected to be scanned between the peers when they happen to meet
   3.209 +face-to-face. This method is, e.g., used in the chat application
   3.210 +Threema <xref target="threema"/>.</t>
   3.211 +  <t>The public keys’ fingerprints are mapped into numerical codes which
   3.212 +decimal digits only (so-called “safety numbers”), which makes the strings 
   3.213 +the humans need to compare easier in respect to hexacodes, but longer and 
   3.214 +thus nevertheless cumbersome. This method is e.g. used in the
   3.215 +chat application Signal <xref target="signal"/>.</t>
   3.216 +</list></t>
   3.217 +
   3.218 +<t>Some of the methods can even be used in conjunction with Trustwords
   3.219 +<xref target="I-D.birk-pep-trustwords"/> or the PGP Word list <xref target="PGP.wl"/>.</t>
   3.220 +
   3.221 +<t>None of the existing solutions meets all requirements set up by pEp
   3.222 +<xref target="I-D.birk-pep"/>, e.g.:</t>
   3.223 +
   3.224 +<t><list style="symbols">
   3.225 +  <t>Easy solution that can be handled easily by ordinary users</t>
   3.226 +  <t>In case privacy and security contradict each other, privacy is
   3.227 +always preferred over security (e.g., the Web of Trust contradicts
   3.228 +privacy)</t>
   3.229 +  <t>No central entities</t>
   3.230 +</list></t>
   3.231 +
   3.232 +<t>Most of today’s systems lack easy ways for users to authenticate their
   3.233 +communication channel. Some methods leak private data (e.g., their
   3.234 +social graph) or depend on central entities. Thus, none of today’s
   3.235 +systems fulfills all of the pEp requirements (cf. above).</t>
   3.236 +
   3.237 +</section>
   3.238 +</section>
   3.239 +<section anchor="the-pep-handshake-proposal" title="The pEp Handshake Proposal">
   3.240 +
   3.241 +<t>In pretty Easy privacy (pEp), the proposed approach for peers to
   3.242 +authenticate each other is to engage in the pEp Handshake.</t>
   3.243 +
   3.244 +<t>In current pEp implementations (cf. <xref target="current-software-implementing-pep"/>), the same kinds
   3.245 +of keys as in OpenPGP are used. Such keys include a fingerprint as
   3.246 +cryptographic hash over the public key. This fingerprint is normally
   3.247 +represented in a hexadecimal form, consisting of ten 4-digit
   3.248 +hexadecimal blocks, e.g.:</t>
   3.249 +
   3.250 +<t><list style='empty'>
   3.251 +  <t>8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19</t>
   3.252 +</list></t>
   3.253 +
   3.254 +<t>Each block may also be represented in decimal numbers from 0 to 65535
   3.255 +or in other numerical forms, e.g.</t>
   3.256 +
   3.257 +<t><list style="symbols">
   3.258 +  <t>Hexadecimal: 8E31</t>
   3.259 +  <t>Decimal: 36401</t>
   3.260 +  <t>Binary: 1000111000110001</t>
   3.261 +</list></t>
   3.262 +
   3.263 +<section anchor="verification-process" title="Verification Process">
   3.264 +
   3.265 +<t>In the pEp Handshake the fingerprints of any two peers involved are
   3.266 +combined and displayed in form of Trustwords <xref target="I-D.birk-pep-trustwords"/> for 
   3.267 +easy comparison by the involved parties.</t>
   3.268 +
   3.269 +<t>The default verification process involves three steps:</t>
   3.270 +
   3.271 +<t><list style="numbers">
   3.272 +  <t>Combining fingerprints by XOR function  <vspace blankLines='1'/>
   3.273 +Any two peers’ fingerprints are combined bit-by-bit using the
   3.274 +Exclusive-OR (XOR) function resulting in the Combined Fingerprint
   3.275 +(CFP).</t>
   3.276 +  <t>Mapping result to Trustwords:  <vspace blankLines='1'/>
   3.277 +The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit
   3.278 +hexadecimal block is mapped to a given Trustword) resulting in the
   3.279 +Trustword Mapping (TWM).</t>
   3.280 +  <t>Verify Trustwords over independent channel  <vspace blankLines='1'/>
   3.281 +The resulting Trustwords (TWM) are compared and verified over an
   3.282 +independent channel, e.g., a phone line. If this step was
   3.283 +successful, the channel can be marked as authenticated.</t>
   3.284 +</list></t>
   3.285 +
   3.286 +<t>Note: In prior implementations of pEp the fingerprints of any two peers were
   3.287 +concatenated. While this has the advantage that the own identity’s Trustwords
   3.288 +can be printed on a business card (like with fingerprints) or on contact sites
   3.289 +or in signature texts of emails, this at the same time has the drawback that
   3.290 +users might not carefully compare the words as they start to remember and
   3.291 +recognize their Trustwords in the concatenated mapping. The avoid this
   3.292 +undesired training effect, Trustwords for any peer-to-peer combination
   3.293 +shall (very likely) differ.</t>
   3.294 +
   3.295 +<section anchor="short-long-and-full-trustword-mapping" title="Short, Long and Full Trustword Mapping">
   3.296 +
   3.297 +<t>The more an ordinary user needs to contribute to a process, the less
   3.298 +likely a user will carry out all steps carefully. In particular, it
   3.299 +was observed that a simple (manual) comparison of OpenPGP fingerprints
   3.300 +is rarely carried out to the full extent, i.e., mostly only parts of
   3.301 +the fingerprint are compared, if at all.</t>
   3.302 +
   3.303 +<t>For usability reasons and to create incentives for people to actually
   3.304 +carry out a Handshake (while maintaining an certain level of entropy),
   3.305 +pEp allows for different entropy levels, i.e.:</t>
   3.306 +
   3.307 +<t><list style="numbers">
   3.308 +  <t>Full Trustword Mapping (F-TWM) MUST represent the maximum entropy
   3.309 +achievable by the mapping. This means all Trustwords of a TWM MUST
   3.310 +be displayed and compared.  <vspace blankLines='1'/>
   3.311 +E.g., the fingerprint  <list style='empty'>
   3.312 +      <t>F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13</t>
   3.313 +    </list>
   3.314 +is mapped to  <list style='empty'>
   3.315 +      <t>dog house brother town fat bath school banana kite task</t>
   3.316 +    </list></t>
   3.317 +  <t>Long Trustword Mapping (L-TWM) requires a number of Trustwords that
   3.318 +MUST retain at least 128 bits of entropy. Thus, L-TWM results into
   3.319 +at least eight Trustwords to be compared by the user.  <vspace blankLines='1'/>
   3.320 +E.g., the fingerprint  <list style='empty'>
   3.321 +      <t>F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC [ 3F13 ]</t>
   3.322 +    </list>
   3.323 +is mapped to  <list style='empty'>
   3.324 +      <t>dog house brother town fat bath school banana kite [ remaining Trustword(s) omitted ]</t>
   3.325 +    </list></t>
   3.326 +  <t>Short Trustword Mapping (S-TWM) requires a number of Trustwords
   3.327 +that MUST retain at least 64 bits of entropy.  Thus, S-TWM results
   3.328 +into at least four Trustwords to be compared by the user.  <vspace blankLines='1'/>
   3.329 +E.g., the fingerprint  <list style='empty'>
   3.330 +      <t>F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]</t>
   3.331 +    </list>
   3.332 +is mapped to  <list style='empty'>
   3.333 +      <t>dog house brother town fat [ remaining Trustwords omitted ]</t>
   3.334 +    </list></t>
   3.335 +</list></t>
   3.336 +
   3.337 +</section>
   3.338 +<section anchor="display-modes" title="Display Modes">
   3.339 +
   3.340 +<t>The pEp Handshake has three display modes for the verification
   3.341 +process. All of the following modes MUST be implemented:</t>
   3.342 +
   3.343 +<t><list style="numbers">
   3.344 +  <t>S-TWM mode (default)  <vspace blankLines='1'/>
   3.345 +By default the S-TWM SHOULD be displayed to the user for comparison
   3.346 +and verification. An easy way to switch to L-TWM mode MUST be
   3.347 +implemented. An easy way to switch to fingerprint mode (see below)
   3.348 +SHOULD be implemented. An easy way to switch to F-TWM mode MAY be
   3.349 +implemented</t>
   3.350 +  <t>L-TWM mode  <vspace blankLines='1'/>
   3.351 +There are situations, where S-TWM is not sufficient (e.g.,
   3.352 +communication parties that are more likely under attack), in which
   3.353 +the L-TWM MAY be displayed to the user by default. An easy way to
   3.354 +switch to F-TWM mode MUST be implemented. An easy way to switch to
   3.355 +fingerprint mode (see below) SHOULD be implemented. An easy way to
   3.356 +switch to S-TWM mode MAY be implemented</t>
   3.357 +  <t>F-TWM mode  <vspace blankLines='1'/>
   3.358 +The full F-TWM MUST be implemented too, to address high risk
   3.359 +secenarios.  An easy way to switch to fingerprint mode (see below)
   3.360 +SHOULD be implemented. Easy ways to switch to L-TWM or S-TWM mode
   3.361 +MAY be implemented.</t>
   3.362 +  <t>Fingerprint mode (fallback)  <vspace blankLines='1'/>
   3.363 +To retain compatibility to existing OpenPGP users (that know
   3.364 +nothing about Trustwords), the fingerprint mode, a fallback to
   3.365 +compare the original fingerprints (usually in hexadecimal form) MAY
   3.366 +be used.  An easy way to switch to a least one of the TWM modes
   3.367 +MUST be implemented.</t>
   3.368 +</list></t>
   3.369 +
   3.370 +<t>If the verification process was successful, the user confirms it,
   3.371 +e.g. by setting a check mark. Once the user has confirmed it, the
   3.372 +Privacy Status <xref target="I-D.marques-pep-rating"/> for this channel MUST be
   3.373 +updated accordingly.</t>
   3.374 +
   3.375 +</section>
   3.376 +</section>
   3.377 +</section>
   3.378 +<section anchor="security-considerations" title="Security Considerations">
   3.379 +
   3.380 +<t>A (global) adversary can pre-generate all Trustwords any two users
   3.381 +expect to compare and try to engage in MITM attacks which fit – it
   3.382 +MUST NOT be assumed public keys and thus fingerprints to be something
   3.383 +to stay secret, especially as in pEp public keys are aggressively
   3.384 +distributed to all peers. Also similar Trustwords can be generated,
   3.385 +which spelled on the phone might sound very similar.</t>
   3.386 +
   3.387 +</section>
   3.388 +<section anchor="privacy-considerations" title="Privacy Considerations">
   3.389 +
   3.390 +<t>[[ TODO ]]</t>
   3.391 +
   3.392 +</section>
   3.393 +<section anchor="iana-considerations" title="IANA Considerations">
   3.394 +
   3.395 +<t>This document has no actions for IANA.</t>
   3.396 +
   3.397 +</section>
   3.398 +<section anchor="implementation-status" title="Implementation Status">
   3.399 +
   3.400 +<section anchor="introduction-1" title="Introduction">
   3.401 +
   3.402 +<t>This section records the status of known implementations of the
   3.403 +protocol defined by this specification at the time of posting of this
   3.404 +Internet-Draft, and is based on a proposal described in <xref target="RFC7942"/>.
   3.405 +The description of implementations in this section is intended to
   3.406 +assist the IETF in its decision processes in progressing drafts to
   3.407 +RFCs. Please note that the listing of any individual implementation
   3.408 +here does not imply endorsement by the IETF. Furthermore, no effort
   3.409 +has been spent to verify the information presented here that was
   3.410 +supplied by IETF contributors.  This is not intended as, and must not
   3.411 +be construed to be, a catalog of available implementations or their
   3.412 +features. Readers are advised to note that other implementations may
   3.413 +exist.</t>
   3.414 +
   3.415 +<t>According to <xref target="RFC7942"/>, “[…] this will allow reviewers and
   3.416 +working groups to assign due consideration to documents that have the
   3.417 +benefit of running code, which may serve as evidence of valuable
   3.418 +experimentation and feedback that have made the implemented protocols
   3.419 +more mature. It is up to the individual working groups to use this
   3.420 +information as they see fit.”</t>
   3.421 +
   3.422 +</section>
   3.423 +<section anchor="current-software-implementing-pep" title="Current software implementing pEp">
   3.424 +
   3.425 +<t>The following software implementing the pEp protocols (to varying
   3.426 +degrees) already exists:</t>
   3.427 +
   3.428 +<t><list style="symbols">
   3.429 +  <t>pEp for Outlook as add-on for Microsoft Outlook, release <xref target="SRC.pepforoutlook"/></t>
   3.430 +  <t>pEp for Android (based on a fork of the K9 MUA), release <xref target="SRC.pepforandroid"/></t>
   3.431 +  <t>Enigmail/pEp as add-on for Mozilla Thunderbird, release <xref target="SRC.enigmailpep"/></t>
   3.432 +  <t>pEp for iOS (implemented in a new MUA), beta <xref target="SRC.pepforios"/></t>
   3.433 +</list></t>
   3.434 +
   3.435 +<t>pEp for Android, iOS and Outlook are provided by pEp Security, a commercial
   3.436 +entity specializing in end-user software implementing pEp while Enigmail/pEp
   3.437 +is pursued as community project, supported by the pEp Foundation.</t>
   3.438 +
   3.439 +<t>All software is available as Free Software and published also in source form.</t>
   3.440 +
   3.441 +<t>Handshake is already implemented in all platforms listed above.</t>
   3.442 +
   3.443 +<!-- In pEp for Outlook also keys from other devices can be imported by the
   3.444 +Handshake method. -->
   3.445 +
   3.446 +</section>
   3.447 +</section>
   3.448 +<section anchor="acknowledgements" title="Acknowledgements">
   3.449 +
   3.450 +<!-- The authors would like to thank the following people who have provided
   3.451 +feedback or significant contributions to the development of this
   3.452 +document: \[\[ TODO \]\] -->
   3.453 +
   3.454 +<t>Special thanks to Volker Birk and Leon Schumacher who developed the
   3.455 +original concept of the pEp Handshake.</t>
   3.456 +
   3.457 +<t>This work was initially created by pEp Foundation, and then reviewed
   3.458 +and extended with funding by the Internet Society’s Beyond the Net
   3.459 +Programme on standardizing pEp. <xref target="ISOC.bnet"/></t>
   3.460 +
   3.461 +</section>
   3.462 +
   3.463 +
   3.464 +  </middle>
   3.465 +
   3.466 +  <back>
   3.467 +
   3.468 +    <references title='Normative References'>
   3.469 +
   3.470 +
   3.471 +
   3.472 +
   3.473 +
   3.474 +<reference anchor="I-D.birk-pep-trustwords">
   3.475 +<front>
   3.476 +<title>IANA Registration of Trustword Lists: Guide, Template and IANA Considerations</title>
   3.477 +
   3.478 +<author initials='B' surname='Hoeneisen' fullname='Bernie Hoeneisen'>
   3.479 +    <organization />
   3.480 +</author>
   3.481 +
   3.482 +<author initials='H' surname='Marques' fullname='Hernani Marques'>
   3.483 +    <organization />
   3.484 +</author>
   3.485 +
   3.486 +<date month='July' day='8' year='2019' />
   3.487 +
   3.488 +<abstract><t>This document specifies the IANA Registration Guidelines for Trustwords, describes corresponding registration procedures, and provides a guideline for creating Trustword list specifications.  Trustwords are common words in a natural language (e.g., English), which hexadecimal strings are mapped to.  Such a mapping makes verification processes like fingerprint comparisons more practical, and less prone to misunderstandings.</t></abstract>
   3.489 +
   3.490 +</front>
   3.491 +
   3.492 +<seriesInfo name='Internet-Draft' value='draft-birk-pep-trustwords-04' />
   3.493 +<format type='TXT'
   3.494 +        target='http://www.ietf.org/internet-drafts/draft-birk-pep-trustwords-04.txt' />
   3.495 +</reference>
   3.496 +
   3.497 +
   3.498 +
   3.499 +<reference  anchor="RFC4949" target='https://www.rfc-editor.org/info/rfc4949'>
   3.500 +<front>
   3.501 +<title>Internet Security Glossary, Version 2</title>
   3.502 +<author initials='R.' surname='Shirey' fullname='R. Shirey'><organization /></author>
   3.503 +<date year='2007' month='August' />
   3.504 +<abstract><t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.  This memo provides information for the Internet community.</t></abstract>
   3.505 +</front>
   3.506 +<seriesInfo name='FYI' value='36'/>
   3.507 +<seriesInfo name='RFC' value='4949'/>
   3.508 +<seriesInfo name='DOI' value='10.17487/RFC4949'/>
   3.509 +</reference>
   3.510 +
   3.511 +
   3.512 +
   3.513 +<reference  anchor="RFC7435" target='https://www.rfc-editor.org/info/rfc7435'>
   3.514 +<front>
   3.515 +<title>Opportunistic Security: Some Protection Most of the Time</title>
   3.516 +<author initials='V.' surname='Dukhovni' fullname='V. Dukhovni'><organization /></author>
   3.517 +<date year='2014' month='December' />
   3.518 +<abstract><t>This document defines the concept &quot;Opportunistic Security&quot; in the context of communications protocols.  Protocol designs based on Opportunistic Security use encryption even when authentication is not available, and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet.</t></abstract>
   3.519 +</front>
   3.520 +<seriesInfo name='RFC' value='7435'/>
   3.521 +<seriesInfo name='DOI' value='10.17487/RFC7435'/>
   3.522 +</reference>
   3.523 +
   3.524 +
   3.525 +
   3.526 +<reference anchor="I-D.birk-pep">
   3.527 +<front>
   3.528 +<title>pretty Easy privacy (pEp): Privacy by Default</title>
   3.529 +
   3.530 +<author initials='V' surname='Birk' fullname='Volker Birk'>
   3.531 +    <organization />
   3.532 +</author>
   3.533 +
   3.534 +<author initials='H' surname='Marques' fullname='Hernani Marques'>
   3.535 +    <organization />
   3.536 +</author>
   3.537 +
   3.538 +<author initials='B' surname='Hoeneisen' fullname='Bernie Hoeneisen'>
   3.539 +    <organization />
   3.540 +</author>
   3.541 +
   3.542 +<date month='November' day='4' year='2019' />
   3.543 +
   3.544 +<abstract><t>The pretty Easy privacy (pEp) model and protocols describe a set of conventions for the automation of operations traditionally seen as barriers to the use and deployment of secure, privacy-preserving end- to-end interpersonal messaging.  These include, but are not limited to, key management, key discovery, and private key handling (including peer-to-peer synchronization of private keys and other user data across devices).  Human Rights-enabling principles like Data Minimization, End-to-End and Interoperability are explicit design goals.  For the goal of usable privacy, pEp introduces means to verify communication between peers and proposes a trust-rating system to denote secure types of communications and signal the privacy level available on a per-user and per-message level. Significantly, the pEp protocols build on already available security formats and message transports (e.g., PGP/MIME with email), and are written with the intent to be interoperable with already widely- deployed systems in order to ease adoption and implementation.  This document outlines the general design choices and principles of pEp.</t></abstract>
   3.545 +
   3.546 +</front>
   3.547 +
   3.548 +<seriesInfo name='Internet-Draft' value='draft-birk-pep-05' />
   3.549 +<format type='TXT'
   3.550 +        target='http://www.ietf.org/internet-drafts/draft-birk-pep-05.txt' />
   3.551 +</reference>
   3.552 +
   3.553 +
   3.554 +
   3.555 +<reference  anchor="RFC2119" target='https://www.rfc-editor.org/info/rfc2119'>
   3.556 +<front>
   3.557 +<title>Key words for use in RFCs to Indicate Requirement Levels</title>
   3.558 +<author initials='S.' surname='Bradner' fullname='S. Bradner'><organization /></author>
   3.559 +<date year='1997' month='March' />
   3.560 +<abstract><t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
   3.561 +</front>
   3.562 +<seriesInfo name='BCP' value='14'/>
   3.563 +<seriesInfo name='RFC' value='2119'/>
   3.564 +<seriesInfo name='DOI' value='10.17487/RFC2119'/>
   3.565 +</reference>
   3.566 +
   3.567 +
   3.568 +
   3.569 +
   3.570 +    </references>
   3.571 +
   3.572 +    <references title='Informative References'>
   3.573 +
   3.574 +
   3.575 +
   3.576 +
   3.577 +
   3.578 +<reference  anchor="RFC4880" target='https://www.rfc-editor.org/info/rfc4880'>
   3.579 +<front>
   3.580 +<title>OpenPGP Message Format</title>
   3.581 +<author initials='J.' surname='Callas' fullname='J. Callas'><organization /></author>
   3.582 +<author initials='L.' surname='Donnerhacke' fullname='L. Donnerhacke'><organization /></author>
   3.583 +<author initials='H.' surname='Finney' fullname='H. Finney'><organization /></author>
   3.584 +<author initials='D.' surname='Shaw' fullname='D. Shaw'><organization /></author>
   3.585 +<author initials='R.' surname='Thayer' fullname='R. Thayer'><organization /></author>
   3.586 +<date year='2007' month='November' />
   3.587 +<abstract><t>This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format.  It is not a step-by-step cookbook for writing an application.  It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network.  It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.</t><t>OpenPGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage.  These services include confidentiality, key management, authentication, and digital signatures.  This document specifies the message formats used in OpenPGP.  [STANDARDS-TRACK]</t></abstract>
   3.588 +</front>
   3.589 +<seriesInfo name='RFC' value='4880'/>
   3.590 +<seriesInfo name='DOI' value='10.17487/RFC4880'/>
   3.591 +</reference>
   3.592 +
   3.593 +
   3.594 +
   3.595 +<reference  anchor="RFC5280" target='https://www.rfc-editor.org/info/rfc5280'>
   3.596 +<front>
   3.597 +<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
   3.598 +<author initials='D.' surname='Cooper' fullname='D. Cooper'><organization /></author>
   3.599 +<author initials='S.' surname='Santesson' fullname='S. Santesson'><organization /></author>
   3.600 +<author initials='S.' surname='Farrell' fullname='S. Farrell'><organization /></author>
   3.601 +<author initials='S.' surname='Boeyen' fullname='S. Boeyen'><organization /></author>
   3.602 +<author initials='R.' surname='Housley' fullname='R. Housley'><organization /></author>
   3.603 +<author initials='W.' surname='Polk' fullname='W. Polk'><organization /></author>
   3.604 +<date year='2008' month='May' />
   3.605 +<abstract><t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet.  An overview of this approach and model is provided as an introduction.  The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.  Standard certificate extensions are described and two Internet-specific extensions are defined.  A set of required certificate extensions is specified.  The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions.  An algorithm for X.509 certification path validation is described.  An ASN.1 module and examples are provided in the appendices.  [STANDARDS-TRACK]</t></abstract>
   3.606 +</front>
   3.607 +<seriesInfo name='RFC' value='5280'/>
   3.608 +<seriesInfo name='DOI' value='10.17487/RFC5280'/>
   3.609 +</reference>
   3.610 +
   3.611 +
   3.612 +
   3.613 +<reference anchor="I-D.marques-pep-rating">
   3.614 +<front>
   3.615 +<title>pretty Easy privacy (pEp): Mapping of Privacy Rating</title>
   3.616 +
   3.617 +<author initials='H' surname='Marques' fullname='Hernani Marques'>
   3.618 +    <organization />
   3.619 +</author>
   3.620 +
   3.621 +<author initials='B' surname='Hoeneisen' fullname='Bernie Hoeneisen'>
   3.622 +    <organization />
   3.623 +</author>
   3.624 +
   3.625 +<date month='July' day='7' year='2019' />
   3.626 +
   3.627 +<abstract><t>In many Opportunistic Security scenarios end-to-end encryption is automatized for Internet users.  In addition, it is often required to provide the users with easy means to carry out authentication.  Depending on several factors, each communication channel to different peers may have a different Privacy Status, e.g., unencrypted, encrypted and encrypted as well as authenticated.  Even each message from/to a single peer may have a different Privacy Status.  To display the actual Privacy Status to the user, this document defines a Privacy Rating scheme and its mapping to a traffic-light semantics.  A Privacy Status is defined on a per-message basis as well as on a per-identity basis.  The traffic-light semantics (as color rating) allows for a clear and easily understandable presentation to the user in order to optimize the User Experience (UX).  This rating system is most beneficial to Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp).</t></abstract>
   3.628 +
   3.629 +</front>
   3.630 +
   3.631 +<seriesInfo name='Internet-Draft' value='draft-marques-pep-rating-02' />
   3.632 +<format type='TXT'
   3.633 +        target='http://www.ietf.org/internet-drafts/draft-marques-pep-rating-02.txt' />
   3.634 +</reference>
   3.635 +
   3.636 +
   3.637 +
   3.638 +<reference anchor="I-D.pep-keysync">
   3.639 +<front>
   3.640 +<title>pretty Easy privacy (pEp): Key Synchronization Protocol (KeySync)</title>
   3.641 +
   3.642 +<author initials='V' surname='Birk' fullname='Volker Birk'>
   3.643 +    <organization />
   3.644 +</author>
   3.645 +
   3.646 +<author initials='B' surname='Hoeneisen' fullname='Bernie Hoeneisen'>
   3.647 +    <organization />
   3.648 +</author>
   3.649 +
   3.650 +<author initials='K' surname='Bristol' fullname='Kelly Bristol'>
   3.651 +    <organization />
   3.652 +</author>
   3.653 +
   3.654 +<date month='November' day='4' year='2019' />
   3.655 +
   3.656 +<abstract><t>This document describes the pEp KeySync protocol, which is designed to perform secure peer-to-peer synchronization of private keys across devices belonging to the same user.  Modern users of messaging systems typically have multiple devices for communicating, and attempting to use encryption on all of these devices often leads to situations where messages cannot be decrypted on a given device due to missing private key data.  Current approaches to resolve key synchronicity issues are cumbersome and potentially unsecure.  The pEp KeySync protocol is designed to facilitate this personal key synchronization in a user-friendly manner.</t></abstract>
   3.657 +
   3.658 +</front>
   3.659 +
   3.660 +<seriesInfo name='Internet-Draft' value='draft-pep-keysync-00' />
   3.661 +<format type='TXT'
   3.662 +        target='http://www.ietf.org/internet-drafts/draft-pep-keysync-00.txt' />
   3.663 +</reference>
   3.664 +
   3.665 +
   3.666 +<reference anchor="signal" target="https://signal.org/">
   3.667 +  <front>
   3.668 +    <title>Signal</title>
   3.669 +    <author >
   3.670 +      <organization></organization>
   3.671 +    </author>
   3.672 +    <date year="n.d."/>
   3.673 +  </front>
   3.674 +</reference>
   3.675 +<reference anchor="threema" target="https://threema.ch">
   3.676 +  <front>
   3.677 +    <title>Threema - Seriously secure messaging</title>
   3.678 +    <author >
   3.679 +      <organization></organization>
   3.680 +    </author>
   3.681 +    <date year="n.d."/>
   3.682 +  </front>
   3.683 +</reference>
   3.684 +<reference anchor="PGP.wl" target="https://en.wikipedia.org/w/index.php?title=PGP_word_list&amp;oldid=749481933">
   3.685 +  <front>
   3.686 +    <title>PGP word list</title>
   3.687 +    <author >
   3.688 +      <organization></organization>
   3.689 +    </author>
   3.690 +    <date year="2017" month="November"/>
   3.691 +  </front>
   3.692 +</reference>
   3.693 +<reference anchor="ISOC.bnet" target="https://www.internetsociety.org/blog/2017/06/12-innovative-projects-selected-for-beyond-the-net-funding/">
   3.694 +  <front>
   3.695 +    <title>Beyond the Net. 12 Innovative Projects Selected for Beyond the Net Funding. Implementing Privacy via Mass Encryption: Standardizing pretty Easy privacy’s protocols</title>
   3.696 +    <author initials="I." surname="Simao" fullname="Ilda Simao">
   3.697 +      <organization></organization>
   3.698 +    </author>
   3.699 +    <date year="2017" month="June"/>
   3.700 +  </front>
   3.701 +</reference>
   3.702 +
   3.703 +
   3.704 +
   3.705 +
   3.706 +<reference  anchor="RFC7942" target='https://www.rfc-editor.org/info/rfc7942'>
   3.707 +<front>
   3.708 +<title>Improving Awareness of Running Code: The Implementation Status Section</title>
   3.709 +<author initials='Y.' surname='Sheffer' fullname='Y. Sheffer'><organization /></author>
   3.710 +<author initials='A.' surname='Farrel' fullname='A. Farrel'><organization /></author>
   3.711 +<date year='2016' month='July' />
   3.712 +<abstract><t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section.  This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t><t>This process is not mandatory.  Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications.  This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t></abstract>
   3.713 +</front>
   3.714 +<seriesInfo name='BCP' value='205'/>
   3.715 +<seriesInfo name='RFC' value='7942'/>
   3.716 +<seriesInfo name='DOI' value='10.17487/RFC7942'/>
   3.717 +</reference>
   3.718 +
   3.719 +
   3.720 +<reference anchor="SRC.pepforandroid" target="https://pep-security.lu/gitlab/android/pep">
   3.721 +  <front>
   3.722 +    <title>Source code for pEp for Android</title>
   3.723 +    <author >
   3.724 +      <organization></organization>
   3.725 +    </author>
   3.726 +    <date year="2019" month="July"/>
   3.727 +  </front>
   3.728 +</reference>
   3.729 +<reference anchor="SRC.pepforios" target="https://pep-security.ch/dev/repos/pEp_for_iOS/">
   3.730 +  <front>
   3.731 +    <title>Source code for pEp for iOS</title>
   3.732 +    <author >
   3.733 +      <organization></organization>
   3.734 +    </author>
   3.735 +    <date year="2019" month="July"/>
   3.736 +  </front>
   3.737 +</reference>
   3.738 +<reference anchor="SRC.pepforoutlook" target="https://pep-security.lu/dev/repos/pEp_for_Outlook/">
   3.739 +  <front>
   3.740 +    <title>Source code for pEp for Outlook</title>
   3.741 +    <author >
   3.742 +      <organization></organization>
   3.743 +    </author>
   3.744 +    <date year="2019" month="July"/>
   3.745 +  </front>
   3.746 +</reference>
   3.747 +<reference anchor="SRC.enigmailpep" target="https://enigmail.net/index.php/en/download/source-code">
   3.748 +  <front>
   3.749 +    <title>Source code for Enigmail/pEp</title>
   3.750 +    <author >
   3.751 +      <organization></organization>
   3.752 +    </author>
   3.753 +    <date year="2019" month="July"/>
   3.754 +  </front>
   3.755 +</reference>
   3.756 +
   3.757 +
   3.758 +    </references>
   3.759 +
   3.760 +
   3.761 +<!--
   3.762 +# Excerpts from the pEp Reference Implementation
   3.763 +
   3.764 +This section provides excerpts of the running code from the pEp
   3.765 +reference implementation pEp engine (C99 programming language).
   3.766 +\[\[ TODO: Maybe rewrite sentence a bit \]\]
   3.767 +
   3.768 +\[\[ TODO \]\]
   3.769 +-->
   3.770 +
   3.771 +<section anchor="document-changelog" title="Document Changelog">
   3.772 +
   3.773 +<t>[[ RFC Editor: This section is to be removed before publication ]]</t>
   3.774 +
   3.775 +<t><list style="symbols">
   3.776 +  <t>draft-marques-pep-handshake-04:
   3.777 +  <list style="symbols">
   3.778 +      <t>Updated Terms and References</t>
   3.779 +    </list></t>
   3.780 +  <t>draft-marques-pep-handshake-03:
   3.781 +  <list style="symbols">
   3.782 +      <t>Updated Terms and References</t>
   3.783 +    </list></t>
   3.784 +  <t>draft-marques-pep-handshake-02:
   3.785 +  <list style="symbols">
   3.786 +      <t>Update Sections “Display modes” and “Short, Long and 
   3.787 +Full Trustword Mapping”</t>
   3.788 +      <t>Add Privacy and IANA Considerations sections</t>
   3.789 +      <t>Minor editorial changes</t>
   3.790 +    </list></t>
   3.791 +  <t>draft-marques-pep-handshake-01:
   3.792 +  <list style="symbols">
   3.793 +      <t>Fix references</t>
   3.794 +      <t>Rewrite Sections “Display modes” and “Short, Long and 
   3.795 +Full Trustword Mapping”</t>
   3.796 +      <t>Add reason why not to concatenate and map fingerprints instead</t>
   3.797 +      <t>Minor editorial changes</t>
   3.798 +    </list></t>
   3.799 +  <t>draft-marques-pep-handshake-00:
   3.800 +  <list style="symbols">
   3.801 +      <t>Initial version</t>
   3.802 +    </list></t>
   3.803 +</list></t>
   3.804 +
   3.805 +</section>
   3.806 +<section anchor="open-issues" title="Open Issues">
   3.807 +
   3.808 +<t>[[ RFC Editor: This section should be empty and is to be removed
   3.809 +     before publication ]]</t>
   3.810 +
   3.811 +<t><list style="symbols">
   3.812 +  <t>Add description for further processes to change the trust level,
   3.813 +e.g., to remove trust or even mistrust a peer and alike.</t>
   3.814 +</list></t>
   3.815 +
   3.816 +</section>
   3.817 +
   3.818 +
   3.819 +  </back>
   3.820 +
   3.821 +<!-- ##markdown-source:
   3.822 +H4sIAC8RFl4AA81c/3LcxpH+H08xoavOS9fuktQPS2IuuaMoMmJZFBWRji9l
   3.823 +u1yzwCwX4S6wwQBcrVWuute417snue/rnsECS1JWcsnVVSoWCWB6erp7ur/u
   3.824 +6eFoNErSMsuL60PT1NPR8ySp83ruDs3OsnJ1vTYn1q/Nsspvbbo2g+XJcvfQ
   3.825 +HJdFbdPa2CIzxzNbFG5ujpp65oo6T22dl4WpZ1XZXM9M8hof+Zm9cTuJnUwq
   3.826 +d3toHqRs2o+TrEwLuwAfWWWn9Whhq782zo+WbjmaxY9G+08STOeuy2p9aHyd
   3.827 +JYmv8fInOy8LDF07nyzzQ/N9XaZD48uqrtzU46f1Qn9Iy8UCPPsfk8SC/bI6
   3.828 +TBJjRvi/MXnhD83rsTnXmeWZcvTaVYUt8t6bsoIAsQRzWjZFJiKQ5x5TuvrQ
   3.829 +XExc5Srzh8pOXGGeyLs0r8H28evR8yf7++a7vKhdVc+aSl+CTs1lXa7y+mdX
   3.830 +zbEueeEWNp8fmpkyMQ6C+XcIZjztz91UWPusrpf+cG+v/35va50vx+Z16QqX
   3.831 +e1d0VvoSk+Ru69X/+VInwsV4Frn429dalNUCP9+6Q3x8Nno1nuTVjdhSXTW+
   3.832 +XpVV5vnq/enxkxdPXhwmXxj55enjR4/C82dPHj/dHg1rSfJi2iVOCs+f74cf
   3.833 +nz7ijxtiB+0vzx49fa6/kGDXunXRyd0XFSbBNr13ULsl4kA+vHFrvy5SPvL5
   3.834 +dWGFqjG1ra6ppygtfTeGWvf0ve7/S3ksT74wkCQePdo/eD7a/xrPsLsdGL2f
   3.835 +YHg5Tmddelf61IzMpavysvHztfEubSpnFs57e43FPTDbuz+8G68e4N4V41V+
   3.836 +ky9dlltZw2ovLzL3YbycLf9Npv4dhv9EFf80z339L3ax/G05z/Lsd8+g6+cH
   3.837 +Lx4/7rKJjw0/NvxYXrTcPBsdHHDfnF1eHI8nBbi4l6PVajUWA8cXvkxzV6+F
   3.838 +scm8vN4jmb39r/cOHo3yoihvxXBGy6r8i0trP/Jujn9dNoJRjSZuXRbZCG51
   3.839 +BFKjKQwaMuopaeelfAN9OPPW1WNz8MictXTNu0AXIle6BnRNf4w5Vbpjc7ZY
   3.840 +zh39IX7DUPXLt7mFo/PenBRptV5yQ8E26GVtleU/89N73Pl//+d/efxcwvGW
   3.841 +c78jLEcPa8zGwZzNMwtLW9gyPBZvdDbuPOuIX4yBm+fFk0eyDy7fH9PS07Jy
   3.842 +ui/uKGPLFWTudi98qAI8xlBEhqZKHfxQ5iSkITjAhRV4lEeRaFArp+L4Bq6A
   3.843 +teq3NrNL6NrvKtmu6T5LWg4hdnxclXl2v81wu8pmgJ8cz5u9a3BnJ3thDF/3
   3.844 +tmaHXyqUPPHfI/28L7YX24zkpf8MJtKZCKtyy9LvYYKfMPKn/OJy73MYwXe/
   3.845 +wkTZ1POyvPk8adxl5EKHfxYz4dsHGXJFfk2fKw79fhejH4yxCzfOBY/3snJV
   3.846 +zEub7akFjTj3p1g6CZS4jnv4SUajkbETBFKAqyQ5K4z4kSXMq4Qv3vhJ4+gX
   3.847 +yhH+wY9xX+K9LbyuvZnM89QgAiQZ/FiVTxr5ghZ7C/c7jTANFp3DP9gI3iBx
   3.848 +Y7ElCucyl/1WnMTc1uAiqUvu9Ft8Zha2gPsSz7TIs2zuzOD87Op81+BLm974
   3.849 +cZJczXJvAOIa7h66AqjPYSJQXoFRuAJ4oNI463MEAuEJM3cYN7lPWrbMhC9b
   3.850 +dEh6KYQB9ixQ6HxerrxpPOS0obkZDBlzHXkleK8p4tpTRa5jhCbXZQuMqwk4
   3.851 +sphcLJdAjhjmychlsEvjU1dYbiYRKsbYeeVstt74DAzPC8Q4LA6B1C6X8zCz
   3.852 +F0fyEAiG8MQQVLL45Qu49LoqsyYVuPP/wC7A4skHy3UqWaqrRy8v0nmTwSkn
   3.853 +X5mTDxT0tetMDgE09aicjiaceOKm9MKBYUitpyaS+NY7cgSJY2vM85/xTcdQ
   3.854 +fI3hHl55fD0emoulKxjEv8EbII1b8c2gcTnLlz0WYMAy/Qor7E4JGJJcfb6t
   3.855 +DxECspycwg7XNLSkJzXw3TNrSlDMdOKCyCFPcy6mx+d9u+3JDEbjaONBukOj
   3.856 +KwatsH+yHIEDtiaQrm4oFQ7q0BisZnk6w6LWnJ/fqZVaM8thplWK17Coskqm
   3.857 +2PZcfOGqOJFswu/chESvCJzN4LvyandXWIAEl7QQegydMcGMX8JAIFEYawWb
   3.858 +9QInrPEN2JxAlPSm0FdGQYftOMTkpOdTS7b++D5ZYOvQuDEriXfomUE6HZuP
   3.859 +H+EOQG0xQvZXy9b75Zfdz/dBQXikvaW5pCu6v90FBcrJJ53PaVc8YYl5cVvO
   3.860 +b2nlom+IFUn6YpJTWTRZSkScEwQAqmWxq/qQRCb5+PGBFOeXX9TX+SYl69Nm
   3.861 +TgU30LcqL/ey88kvNtyGIr0blpapmgufZ8jvyOe9SzLWJzKn+AnOFySfdRzs
   3.862 +fc6SK5NpaI99b5k8XDLor1aX2FV7x5szhPUITyynk2qFU7xQAZZizTfCzP2e
   3.863 +H/IN+SAne12u6OCHcJdxV9m5L9uFlCBd9WeFfOIGgIDelrVkR9sMbK9rY79c
   3.864 +RVOXTDp/lv2WNOof7/f+dNBnIR8JFspviUNklcJhsokhfV4Z20L0wdSL1k1F
   3.865 +ExfL7/osDGME+wJw+L37a5NXol5v3iAGNPbaqUnQE6pt7Zx/e3m1M9R/zdsL
   3.866 ++fn9yR+/PXt/8oo/X74+evOm/UG/SPDLxbdvwnv+tBl5fHF+fvL2lQ4+P/oz
   3.867 +/uEqdi7eXZ1dvD16s0O11LCRpLUR8VvikTWwVhL7LazI+RRBTVX58eNvoPhH
   3.868 +BwcvoPgkrPHKVQuva5qWlAVFWPOhUM3cVHYtlUAj82m5dLrNO0bKQsK//gYx
   3.869 +/+PhYXDuZjzeg6OpXLZXuw/1CNkjgs1em+iPFzfZL2Y0+j1C22anHpojOs65
   3.870 +rWgIkscCOCMOdFOYg69HE1hr0SwmNIbBPqOOMV8/ffr46S7lILEDXmEeVKaa
   3.871 +GpvvGCmzUoxk4wmHHS9ljJ8BE5vWW3WcCGaewNa2YnBwdGpQas2m447G5hPe
   3.872 +TIWWJN9/8/7lj+ZsahYAA831tfPBeCclkmCq4cYta/P999xhLd8//jjkdHgL
   3.873 +TRRlwsBMPmb2VqMYUhDmyZSdJIMg19TyprN2GElef9k6tGTiIKPKIXiq0fQ+
   3.874 +V3PIwx6h8qL2zEWBSFDhB2KdwdXF6be7h0ajW+tthkajt4Q56HoHSNBCXDHR
   3.875 +HhqOM9D/XHGZhZ9fSjrPHUCcpLrrwJGSNbgUZsbta+m8WbMQ7lc5tMUg7OE0
   3.876 +ZDnyUb0eyisIIzGmu/Np+RINZQAXaS6biYcXkPjeCxbyYe77FBwDgJJBcLHp
   3.877 +DA+UyS6LUFcoHNlrmxdSpgGb5/nVeQBl8MZTRjllXx4BG2XQcq3BD3Szpgoz
   3.878 +YfhtMwfOCZAkl1l67I53wga9unh1cWjOqct07myl61g5OlaVfhCNuRqboODz
   3.879 +TyPIjppZfLxHzUfgkFVGwZKpVHZW8Kt1wEVhgTA2HSdARp4h8ohDoxWIqMWc
   3.880 +WQoCDTjvRZkRf/rOYikZW1tuhIX10FxlWRXB9i2cGsuCYD0AFbEHEmg3smDJ
   3.881 +vqqjSQU5SkbzThEbK0mK2ARzR7XeDyyGJN4xXYlw5XVll7M1vEc6S3q4KSBt
   3.882 +K98ubV6NzRni0ANQXH0tPaFGbPVpwHy+XDjNoDrBvg4hrJzUVvzcRPFj5VIH
   3.883 +0SKcAgqIIxF/4LELIKiG0mUgQOrkqrjDGM4ZOGTHVm60Cd1JTKdNJx8Rs/6M
   3.884 +pKRIgK0AXyzH1G4pQOhTYHfLL4SVhVhOr3QMB41Qdyn7qp8uRjCsQJHAknZQ
   3.885 +G2wRuDT46026LDnhn5SLoFhhTATeSWkW3GOe5lB2YRiTLBihC0llpnGEorsf
   3.886 +/dD7twsd3zf3xNUrKolxK3O3OXHOAOwvmnmdj/QJYS/DsN8dcnLhMYb0ZVMR
   3.887 +l0nKLBJv/e26SGdVWWiVVPi0wOqscmPbSYmxbmecuHlZCP7C2iX6AAgKXMPn
   3.888 +Ic3ZKuwzyVGwG4VL+WvsFFcmYf3lvHF1KYEXe4AThHwb7kV51f1ewcLBE2s3
   3.889 +0PfJB0obLy/LuaT0UPxxUwnLHRD42bmqaP2Vpqcs/Gvi2R1BRcV8WHMtaCgX
   3.890 +wCIxH0tdcT3yCz0XdcdBmgFJrC0zy4yzX7Xlioz5Sg40uCLKyFYVp6Gf7ua9
   3.891 +87UaoHqxd8rdN24ttbqzAuDcY/qUmbUZvPvmbFfdNo956LZbD5xip2gdcOb6
   3.892 +GyXvJB3bKwwBNwCCIxhPqQdkg6sj7mz1MFDl1oK2UnzBlYXTNXSyeDPo5O9C
   3.893 +VybajXtOSilRRkVbR9HA9FxXuBK8pEkEv20XuaV79aHy3Vg3XBRAyJGiEJQA
   3.894 +bS+XuKaqprG8i6ASe32phxcwuAxxL61hQXfLDeZuuQHUueZi/cmKA+I0RSD1
   3.895 +jeVM41zQBQOvTR39Cv+F6btazkpk223S2XIKiNjmfEF0GNwRXutCZHVXfZl9
   3.896 +2a+ScGEhx8fvpZRBpIocoYEAp65cGMFSriZr/ZlIRoQoFS78ypAEooW4V6xk
   3.897 +a3Xbq4qGEZcloEzw3SZDBIl4sPfxYzj4k+zob10ishGYSSrAC1mXrpOe0qX5
   3.898 +Ak+ltEUUAt0PfDnibsXYHW+nDuErJDM7u1FCDB9eHWlNr+dNopY6axashka0
   3.899 +H+2I6azAJYRgT7lKKuA+WGEHtgFXQQ/NZB6+XYg1JHPLk2xgKkS/VJkAYLhj
   3.900 +IOJVOoIk6N4SZThxhRz1RFbEeEn0EcBW9LssjBELUOmRJIzrL00hBWI13c+r
   3.901 +B5kQw7jRv4unnuBAT1yFg7eyIQLci1HBx6ggdsTsZw65dbJ9z1rDUnbUyTLZ
   3.902 +rmWoZWl1mBWdSE7RNNeHpTHVpYpDoWHCNCDLEefW6lg4GgkQfW1bElKAGyr0
   3.903 +3HBArzl0SXSoTmnYfqvJx3xl1zyq5JEfIRkyxmpDItSUufZe3XND2kv+JRSl
   3.904 +zPy2jGXqFhwnyXmJMZRhCFB+DUS28EiwgdsdJSBcEFG0JcS7xxfJAxXES0Wo
   3.905 +ahxAXDfKEIZJZN+sASQEic+NgOZdal+9IcPRNtu04QaWX0QDUOaTyDxQ3jRn
   3.906 +pknlBwNhgt2zA0EukofLucYXbaFrkxO/k7qWncvBxoN1PlVCW0nEvqlKKlVO
   3.907 +NZzKrF863+g8QF9XXLOYkW/KfS0TY5k8DQCHr7YwRIRg4ZORh8dfwW+M8s6h
   3.908 +uRp3YFXw2w3CjU8gHIU4vhtYrUbSjEkyOA31EC3+2F6V2/qkk+vAn86sn6ml
   3.909 +9sNfcDvdsVLbqBYCm9tSUFvzh3+LDpYJ5lDLu7rHqVI28IzE9Sbdb7UY1e7i
   3.910 +35vnJ48PzMnp00fm4NWTZ+bpwfPH5vHJi1fm5OjVsdk/PT0xJ8+OnppnJ09f
   3.911 +mqNXBy+MSZITKkhICSqQsunEmS0u45yxXDWtyoVhyUoLVklZbcqsmyDC1QQG
   3.912 +uStfb5g/FGYFjsYHj79+si9PXop7OTQH+/v7Bwf6X/5HIHEPxrzThEfM5o41
   3.913 +bR9TCCQiCmEiFGFxyFTv1Paz3C/ndq2Lj1l/p4z2KW/OzZCIP+kU9ENqusmN
   3.914 +CfudD7X5zE0tEp0H0jkd47XfR9JI5m8HY3MsLNNMeuvEXP9x8R6uoQhnlUB3
   3.915 +R92F34MC2tVP8no0WUttsq0CkcDJB2wKzz4ZkB6A/m47AYM10zSFrFzmcaTW
   3.916 +OVchkcHx6Tu6oAN29GndRMfSkq66XWD8mpLBAHEcBE+bA5dQPO0oZJCPHfwr
   3.917 +gcC63S2gcWfDkNqGkDXXOYN4S2n3zmKSiNGlkBvZHlx9dx5WElLZbpH1VkDM
   3.918 +HYybxFVt5ugugSSjMpZSCNmcCMegaAWs33tipxHGBvQ8h/zHLMdKjVtqDysr
   3.919 +bZKbg6dhRJMCwEPEX9jqRuvuvZpge0gi8SHnht9yzqEv59e33crJditItxDa
   3.920 +5rtZzlSZrMKtamEku7Wgfe0Uj/ARiwOx/IkA3kFXgXeZMeZ1E9qvIEILxQ3m
   3.921 ++Y1TVNblTsJvKdBNmmmRAQErqDtrD3CNpAztgY0fKqeBK4kxdb5wLetZZVcT
   3.922 +ogpyniiYWOTXs1pqn2CHxZmt9EltQAmstSxAA2UIp8ulKSB0pCVSw59jJ0X3
   3.923 +cDBkBh2pmnBkq8eN9rbMMz1xaWA4PpdCW2XVf7jpFGh72KUopWvojTpjciLV
   3.924 +PHUTmnTAywJzDGTHUbjz9W4oqUj14gtzidQZNN+UoRRzikXf3UrqAaWeCSX2
   3.925 +0OWmNihQj30NTndt8I1qwIT9iXKAVzJwBUwkBYa1lBfIqPjNjfDHYsj0wmkz
   3.926 +t3J0mKxYYZ149itkoYgOI6CZm4Ge0e72D2lbGNHLd2EaFaahgjsljlBR4uSA
   3.927 +8NARRKNOawFgio8lqyJHPhz/9uFHxy9IZV0PvCHqUwGsdpLPCZYrRJ54ZkjB
   3.928 +4feacYfAMr8NrSJLVy7nKsq0bgSWdITViaHsVJjTJ4CFYCqWILXibxD8rZvr
   3.929 +mWcNTLjeHSb0AOEcnhNtSmzhEx3jdekaxe43CzM4HYlDlBPJFo5oDmY/5Itm
   3.930 +EWnSqQHF5O5Wigsh1HasX5JA5pu2O5N6JoNJZA5SgQvZRH5KMEp8zLcSBttU
   3.931 +pKsccey/N6dPnj8yJy8AwB7hR/P1wfOXZv/g5bF5fAAA9vTJo+fm1bPTI3N0
   3.932 +jF8fnx48lnHdgBQIZeW1mZU8zZhUCqpq+r4pdD6x8GA+nZUlApot8D/gW24L
   3.933 +629EnLLd7hHnGxVnSAykAUPA3BayEZcFJoLYRc9tDfkAK5jkwRWq8GOCIuRD
   3.934 +YPNSTRC1xJFO3F93HoGZbaQLSuPm/SfI+ofvRdzmhx//gRIH0YrxoOjF8QFD
   3.935 +yiKv6YA5HTQifvA+lVx+lkoSqe6BkXtV8vWTuxoJKrnsqkRhA3d8HDktm+pz
   3.936 +NfL3q4Oif8D6/z513C923xM6o88r3cjmnKWj0ALTyw80WhNShz0v9WzfHil0
   3.937 +wXgSAs7YHG3y7E2rgQ4U/Uxct51GPZwqgh+ZQYD6u7LQl+sW+pOgfhdaKXq+
   3.938 +KAQPiW3kbxOFZJdtNQ6Cy6KtaEgbF3BPKodcbzasBHZFAxuOPzG2q3ZdjHdO
   3.939 +zkxWu6SyYfzz6J12eDn6811W1J21H0X0XGk3AZBao8gzVsRVfJJr84RuCnHk
   3.940 +DBlae0nkkku3dhNysBDpqwBCApAgSKrCSd7u5lQhCaV2ZUvZfkBPk1a52zIQ
   3.941 +FH6vGO5a0MPyI5VPqeTz9NHn5XJbJXf00eG2TWcE0+iLe1YAuqUcJtosq4jH
   3.942 +Z4gFBsYr3eDexTPJsfmHm95JW9W7ZxNgG22WKyHvzoo1wTu9M/kUQIIAX3fx
   3.943 +VRm9smzLOg9QjNWuWKuNQFGTgYGY3E1Rrjge5joTZCWtLRuXtnvX2y7k+MGa
   3.944 +yEBQYDeRKCvkvixh95KwQeMF59GQtwtOu1x5gD9aC3tYETYEj049OorQt7Dh
   3.945 +jhAZ0M+mdw/iYomDwHs7LZU9BNw/zdnGldfDRMr3bAZwtR7vInV1Ureqbsbm
   3.946 +gt1B7UA69zCYRZxaaCbxPg0bHppYxbl7vSsUcSTJi9lx9JbNMpPkyqap5CrX
   3.947 +SCWkptr2pB+H5kwbTmyPzOB6Xk6YPCCnhfqZ3jBhBaQdXTu2vNRuG5rGjFmL
   3.948 +7HrI1D0pEXhfrfsVVXYfxOaDcAIzzWuerCG5iZ190hzpfbPYPvqV20jNVqtw
   3.949 +ONUqWdlmskZjqK1cGoPND40c0+RiWVpYZYzdPlG219fc+NLusml5DxUYrFvK
   3.950 +AgytvmS+lSMf68oiJPdRVNkwCa05SyfHT7F1VOoemmd73jYykpoGguPQ8aIG
   3.951 +sK2jH74HrGBbEeADAQTb/Y/eHt35rt/VSiMrJIeSAoj0eGKUTnXWv7WkJic1
   3.952 +zP5FAu0dcLGSlgYULq0BNFLWrQupfNytt9CmY99Z2+UowI00qZl2q4VihdQp
   3.953 +WKkpN/Vl1gRib+roFW/6DuN1is4x+TKcEGy3Y4arYDym0lIm3y7b+wtbTIeu
   3.954 +z3bBueQKLGUJ+oNh8uyLnJ6dXJ3yc4JbeivfcRhOTa0q1a7YPkG25fgB/MCW
   3.955 +3s2lkxGutVM/mm+K6txfeZHlt3nG1us+m4nAiax0CiX4cs3OlrLy8lHExmSR
   3.956 ++SvPHiuCB57TsJYCvJ/QOLTvaCl5a6/rp72wKmuKhXaZVnvZpD2Zx5KqUBFG
   3.957 +WwQpuVs0rw1op5Wh9aq7BQ/I8CYRSF+wYyKeUTN+wCjsvFRJ3FrsDzmV3zaw
   3.958 +KpxXTZ3eYxib9w6RI3QEwJnloR99I+Zw1LNFaWHXiYRCbI2j6Dg5sGM+Q7Pz
   3.959 +w/fj8fiHH9VCpISjPVmVu83dSuYtsoSN2Rx+XZXNUk/pPEt1Jmtc2xkf+hvL
   3.960 +drMGmBf7SiGXwtE5QgJVU0gy0T3bX4iPq26l6w7TZ9J8io9v7byhtMQnV/lm
   3.961 +g1PqU+eytvCncy3YuScq7yCi9lJmIpBzIeJlZ5z0bi0jjOwY6N1FN14LpknX
   3.962 +ltr6oSNuqNnpB4cTe4bieZnpnpfJ2fBW6/T9H8YjlpZ74BhYNcIZI0PmsBkd
   3.963 +st94q0AUrp1mW7cApbicZaPQF3+ep1XJKeP7IXt3Zf9+/HjntuIvv3QIhsuW
   3.964 +ZtBxVFM27gds8s0LBO6j3fsJhoudQrB7KXCbvfJnmKJlUs2cYJJX2Ta9zu3F
   3.965 +Hnv5xaUZbF1F04svytUEsLHHEmAwO6q3ljcUQnIZIgqwkmNY2mUWzvdbADIM
   3.966 +rZuuYmBOtFxuQpzWNjiwwUY9QUoPGoXR2l/vumTO1s3KN3pAENKpmqfEcsd5
   3.967 +aOi0SulTDj6y/zcKuP9Zi23n9B3/A4qnTMcv41uuWLCEZw+yHE2yLK/3OWn0
   3.968 +ILfJ5x++/ScYY25rOY+UKEByPA8fh47is+KujXI67WvkYac6ttgoGCCJthq2
   3.969 +i+0wo50AofsYaOAoZRAHWrnWM/nYyRw6QEsei5TNPJP0U/e/LW62ygyhbLua
   3.970 +hf74aAFJ63fAv3SPMewX9SZiiBcOXiVjBbZcSiCL4b+9A2H6SEj5v1TbUZ6E
   3.971 +zp/KOfuaX+bhks4bR4iTsq0npZzIYphHSukuadMSHlHwIkCnWaHbASBRTe7e
   3.972 +rARQSh84S+lSyG6NfWNSw4BcpeNf4kSW8InU2LPY3xvu7beRO17FudS/DfCl
   3.973 +37qQj1SBB/0LoqXC+P5V+5OlNILGv0DAHcu7otRAuA3B3s0UILoO1hNX+r69
   3.974 +1N6Hh1swMCjWs8NWqQRpdUNVj3Ly4HV5Thuuyg+OX7xQ1ISFkUy8W7I73iBg
   3.975 +NtavpQNgVbHMubl5wUJjwMdbeDla+auIjI+lLxgII3yKKG9OshzI5dBcbeG/
   3.976 +OjQcLMpb195D1RRCV6BTfvUrf4TmUNoxvw3p2ZVe/oFCW5H7X6Xx+B9A41GX
   3.977 +Bn2y7r2dV90a445ehto+IJM+zPuPQ3akJP6VOcqyNonhkHuylChbLwPO84Jt
   3.978 +2SJ7uVEhmvn1dRzoOk7zD5u/xKAU3wfD+KesTY+v4D/Wgmv16C8eacZrl/0U
   3.979 +lZdP4PX/V6vd19WehWsnzNJlV8KmWbkxZ0iYnf81Y/YzceGwZrdY1uuYRPUM
   3.980 +XP/ExiesnFLoJlGMSVNNMTrpDwWjF7olq5N+ODla27TG6+lxGft5GRukYXHB
   3.981 +BJwPrN7QkD+gwbAD7/s/yUQ95opKAAA=
   3.982 +
   3.983 +-->
   3.984 +
   3.985 +</rfc>
   3.986 +