<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ietf-calext-jscontact-cryptographic-key-01" indexInclude="false" ipr="trust200902" scripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDepth="3" tocInclude="true" version="3" xml:lang="en"><front>
<title abbrev="JSContact Cryptographic Key Extensions">JSContact Cryptographic Key Extensions</title>
<seriesInfo name="draft-ietf-calext-jscontact-cryptographic-key-01" value="draft-ietf-calext-jscontact-cryptographic-key" stream="IETF"/>
<author fullname="Phillip Hallam-Baker" initials="P. M." surname="Hallam-Baker"><organization>MPlace2.social</organization>
<address>
<email>phill@hallambaker.com</email>
</address>
</author>
<date day="3" month="July" year="2026"/>
<area/>
<workgroup/>
<keyword>Identity</keyword>
<keyword>JSON</keyword>
<keyword>Cryptography</keyword>
<abstract>
<t>Extensions to the JSContact data model for contact card data are defined to improve support for describing cryptographic credentials to be used with applications and services by specifying which credential is used for which online service. This allows a contact application to identify the specific credential to be used with an application without the need for the contact application to understand the syntax or semantics of the credential used.</t>
<t>An additional extension allows a contact to specify one of more mechanisms for obtaining updates to itself with optional verification under specified signature keys. The mechanisms used are outside the scope of this document. These features in combination provide a basis for establishing and maintaining peer-to-peer trust.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="n-introduction"><t>This document defines extensions to the JSContact data model for contact card data <xref target="RFC9553"></xref> to provide improved support for describing cryptographic credentials to be used with applications and services and to provide support for authenticated updates to a contact card.</t>
<t>The key design considerations for these extensions are as follows:</t>
<ul>
<li>Maintain compatibility with the approach in the base specification.</li>
<li>Allow cryptographic credentials to be specified as JSON Web Key Sets <xref target="RFC7517"></xref>.</li>
<li>Provide more descriptive information for use of cryptographic credentials, in particular specifying which key is to be used with which information service.</li>
<li>Allow specification of groups of related email addresses and information services.</li>
<li>Enable automated updates to the contact card data with cryptographic authentication.</li>
</ul>
<t>In addition, specific guidance is provided on specifying credentials for use with S/MIME, OpenPGP, SSH and Code Signing.</t>
<section title="Link Keys to Services" anchor="n-link-keys-to-services"><t><xref target="RFC9553"></xref> allows a card to specify online services and cryptographic keys but does not provide a means of specifying which key is to be used for which purpose. This results in ambiguity with key formats used to support a wide range of applications, a key presented in OpenPGP encoding may be used to sign email, sign a repository commit, encrypt a file system or used for many other purposes. For example, a user can specify the separate OpenPGP keys they use for email and signing commits to their source code repository but does not allow the user to specify which key is to be used for which.</t>
<t>Best practices for use of cryptographic applications encourage the use of different keys for different cryptographic functions (encryption, signing, authentication), different application protocols and different uses. Without the ability to specify which key is to be used for which purpose, an attacker that has compromised a weakly protected key intended for low consequence purposes (e.g. signing development builds) for a high consequence purpose (e.g. signing production builds and authorizing financial transactions.)</t>
<t>The <tt>EmailAddress</tt> object and <tt>OnlineService</tt> object are extended to add a keys property which <bcp14>MAY</bcp14> be used to specify the key identifiers of the related keys.</t>
<t>For example, Alice has many OpenPGP keys but only one that she uses with her email address <tt>alice@example.com</tt>:</t>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "emails" : {
    "email1" : {
        "@type": "EmailAddress",
        "address": "alice@example.com",
        "cryptoKeyIds": {
          "emailKey1": "bundle",
          "emailKey3": "sign",
          "emailKey4": "encrypt"}}
    },
  "cryptoKeys" : {
    "emailKey1" : {
        "@type": "CryptoKey",
        "uri": "data:application/pgp-keys;base64,9jhpthtFpOVS0FWXsg
5rF3W2-vE.."}
    ...
    }
  }</sourcecode>
</section>
<section title="Enhanced specification of cryptographic credentials" anchor="n-enhanced-specification-of-cryptographic-credentials"><t>The <tt>Card</tt> object's <tt>cryptoKeys</tt><eref target="http://whatever">SP 800-57 Part 1 Revision 5</eref> property allows a card to specify cryptographic credentials as URIs but not their intended uses. A data URI containing an X.509v3 certificate might be intended for use with S/MIME, for code signing or some entirely unrelated purpose. Best design practice (see e.g.  section 5.2) encourages the use of common cryptographic infrastructures to support a wide range of applications but best use practices encourage limiting the use of particular cryptographic keys to a single application.</t>
<t>The use of the JSON Web Key (JWK) format provides a much richer format for describing cryptographic keys and their properties than a URI and a media type. </t>
<t>For example, Alice uses SSH to securely access resources in her network. In accordance with best security practices, she create a separate SSH keypair for each of the devices she uses as a client terminal. Accordingly, her contact has an onlineService entry that describes this use of the SSH protocol that specifies the keys to be used with SSH and a separate <tt>JsonWebKeySet</tt> entry for each key specifying the key parameters:</t>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "onlineServices" : {
    ...
    "ssh1" : {
        "@type": "OnlineService",
        "service": "ssh",
        "cryptoKeyIds": {
          "sshKey1": "sign",
          "sshKey2": "sign",
          "sshKey3": "sign"}}
    ...
    },
  "cryptoKeys" : {
    ...
    "sshKey1" : {
        "@type": "JsonWebKeySet",
        "jsonWebKeys": [{
            "kty": "OKP",
            "kid": "MBWQ-TY2X-SFBR-DWYL-LURE-GHD4-CCP3",
            "crv": "Ed25519",
            "x": "5tKZn7_cQYNz7SU65Vqm4JplTToA4kIIwyX_vWT76ZY"}
          ]}
    ...
    }
  }</sourcecode>
</section>
<section title="Groups" anchor="n-groups"><t>It is often convenient to organize related email addresses and online services used for a common purpose into groups.</t>
<t>For example, Alice might create a ServiceGroup bundling the set of cryptographic keys she uses for code development. This would allow her to create separate sets of keys for different clients she works with and to distinguish the set of keys used for development purposes from those she uses for production use.</t>
<sourcecode>{
  "@type":"Card",
  ...
  "updates" : {
    "group1" : {
        "@type": "ServiceGroup",
        "members": {
          "email1": true,
          "git1": true,
          "ssh1": true}}
    },
  "serviceGroups" : {
    "group1" : {
        "@type": "ServiceGroup",
        "members": {
          "email1": true,
          "git1": true,
          "ssh1": true}}
    }
  "emails" : {
    "email1" : {
        "@type": "EmailAddress",
        "address": "alice@example.com",
        "cryptoKeyIds": {
          "emailKey1": "bundle",
          "emailKey3": "sign",
          "emailKey4": "encrypt"}}
    },
  "onlineServices" : {
    "git1" : {
        "@type": "OnlineService",
        "service": "commit",
        "user": "alice.example.com",
        "cryptoKeyIds": {
          "gitKey1": "sign"}}
    "ssh1" : {
        "@type": "OnlineService",
        "service": "ssh",
        "cryptoKeyIds": {
          "sshKey1": "sign",
          "sshKey2": "sign",
          "sshKey3": "sign"}}
    ...
    },
    ...
  }</sourcecode>
</section>
<section title="Authentication" anchor="n-authentication"><t>The use of an authenticated exchange mechanism such as <xref target="RFC7515"></xref> or <xref target="draft-hallambaker-earl"></xref> allows a JSContact card to be used as an aggregate credential whose contents are used to automatically configure cryptographic applications that use the credentials contained therein.</t>
<t>Instead of having to configure every server that Alice might want to access using her SSH keys, Alice can add her keys to her JSContact card and run a script to create the necessary access control entries on each server.</t>
<t>The power of this approach is further increased if an authenticated contact update mechanism is used. In this case, updates can be propagated to the target devices automatically by either polling or through a push update mechanism.</t>
</section>
<section title="Authenticated Updates" anchor="n-authenticated-updates"><t>The authenticated locator mechanisms described above are intended to be used to establish a 'first contact' between the parties preserving the maximum possible degree of trust from the context.</t>
<t>Once the initial contact exchange has been achieved, the credentials exchanged in that first contact <bcp14>SHOULD</bcp14> be used to obtain and authenticate future updates.</t>
<t>Contact cards that support updates <bcp14>MUST</bcp14> include a <tt>uid</tt> property. Updates to contact cards <bcp14>MUST</bcp14> specify the same <tt>uid</tt> value.</t>
<t>The <tt>updates</tt> property provides an open framework for describing the update mechanisms supported. The mechanisms provided to update the contact <bcp14>MAY</bcp14> be different from the mechanism originally used to distribute it.</t>
<t>For example, Alice publishes her current contact card by means of a DNS TXT record containing an EARL <xref target="draft-hallambaker-earl"></xref> and a QR code encoding the same EARL on the business card she presents when meeting people in person. Applications <bcp14>MAY</bcp14> update the card by polling the URI specified in the updates entry and verifying the signature on the plaintext enveloped data returned.</t>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "cryptoKeys" : {
    ...
    "updateKey1" : {
        "@type": "JsonWebKeySet",
        "jsonWebKeys": [{
            "kty": "OKP",
            "kid": "MDMY-XH52-PLPK-H7DZ-WAXW-LDNS-5I7R",
            "crv": "Ed448",
            "x": "QKvMwR_qwWUJoWEeFMb6SlVxnA8MUa8p_diWxgORiVxjPwSqF
vgKvoCZBpRqMx5-u8u5d6g6auIA"}
          ]}
    }
  }</sourcecode>
<t>Since it is easier to update information on a Web site than in DNS or on a business card, it is likely that some users will prefer to use these mechanisms to distribute pro-forma contact information consisting of basic contact information and update information alone. Therefore, contact applications <bcp14>SHOULD</bcp14> attempt to update contact cards providing update information on receipt.</t>
<t>Retrieving a plaintext signed contact assertion via HTTPS provides a simple but limited update mechanism providing end-to-end integrity but not confidentiality. While the contact information is delivered over an encrypted transport, the contact card is stored unencrypted on the server which may not be acceptable in certain applications. Another limitation is that the relying party is required to poll the contact service for updates. A more sophisticated updates protocol might provide update notifications. Such considerations are outside the scope of this document and left for future work.</t>
<t>[Remark: Addition of a JOSE based encryption scheme would be straightforward. This would require extension of the envelope specification and to pass a decryption key to the parties the contact is passed to.]</t>
<t>A contact card <bcp14>MAY</bcp14> specify multiple update mechanisms providing a degree of resilience in the case that a publication service stops providing service. </t>
<t>For example, Alice might choose three independent contact directory services publishing her contact information on all three ensuring that the people she has shared her contact information with can remain in contact years or even decades after the initial contact exchange.</t>
</section>
</section>
<section title="Definitions" anchor="n-definitions"><t>This section presents the related specifications and standards, the terms that are used as terms of art within the documents and the terms used as requirements language.</t>
<section title="Requirements Language" anchor="n-requirements-language"><t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in RFC 2119 <xref target="RFC2119"></xref>.</t>
</section>
<section title="Defined Terms" anchor="n-defined-terms"><t>TBS</t>
</section>
<section title="Related Specifications" anchor="n-related-specifications"><dl>
<dt>JSContact: A JSON Representation of Contact Data <xref target="RFC9553"></xref>.</dt>
<dd>
<t>Describes the format used for contact data interchange.</t>
</dd>
<dt>JSON Web Key (JWK) <xref target="RFC7517"></xref>.</dt>
<dd>
<t>Describes publishing public keys in JSON format.</t>
</dd>
<dt>Encrypted Authenticated Resource Locator <xref target="draft-hallambaker-earl"></xref>.</dt>
<dd>
<t>Describes a URI form that provides means of retrieving, decrypting and authenticating an associated ciphertext.</t>
</dd>
</dl>
</section>
<section title="Implementation Status" anchor="n-implementation-status"><t>Reference code under the MIT Open-Source license has been developed to demonstrate all the features described in this document.</t>
</section>
</section>
<section title="Card Extensions" anchor="n-card-extensions"><t>The JSContact objects specified in <xref target="RFC9553"></xref> is extended as described in the following sections.</t>
<section title="Additional Card Properties" anchor="n--additional-card-properties-"><t>The following properties are added to the Card object specified in [RFC9553]. </t>
<section title="updates" anchor="n--updates-"><t>"updates": String[Update] (optional) Specifies mechanisms for obtaining updates to the card. </t>
<t>An Update object has all the properties of the Resource data type, with the following additional definitions: </t>
<t>"protocol": String (optional) The IANA update protocol identifier </t>
<t>"cryptoKeyIds": String[String] (optional) The identifiers of the set of cryptographic keys to be used to  authenticate the updated contact information and their use. </t>
<sourcecode>"updates": {
  "update1": {
    "@type": "Update",
    "uri": "https://contacts.example.com/",
    "cryptoKeyIds": {
      "updateKey1": "sign"}}}</sourcecode>
</section>
<section title="serviceGroups" anchor="n--servicegroups-"><t>"serviceGroups": String[ServiceGroup] (optional) Specifies groups of related email addresses and online services. </t>
<t>A ServiceGroup object has all the properties of the Resource data type, with the following additional definition: </t>
<t>"members": String[Boolean] (optional) The identifiers of the service group members. The boolean value corresponding to each MUST be true. </t>
<sourcecode>"serviceGroups": {
  "group1": {
    "@type": "ServiceGroup",
    "members": {
      "email1": true,
      "git1": true,
      "ssh1": true}}}</sourcecode>
</section>
</section>
<section title="Extension to the EmailAddress Object" anchor="n--extension-to-the-emailaddress-object-"><t>The EmailAddress object specified in [RFC9553] is extended to add the specified property. </t>
<section title="cryptoKeyIds" anchor="n--cryptokeyids-"><t>"cryptoKeyIds": String[String] (optional) The identifiers of the set of cryptographic keys to be used to  authenticate the updated contact information and their use. </t>
<sourcecode>"cryptoKeyIds": {
  "emailKey1": "bundle",
  "emailKey3": "sign",
  "emailKey4": "encrypt"}</sourcecode>
</section>
</section>
<section title="Extension to the OnlineService Object" anchor="n--extension-to-the-onlineservice-object-"><t>The OnlineService object specified in [RFC9553] is extended to add the specified property. </t>
<section title="cryptoKeyIds" anchor="n--cryptokeyids--0"><t>"cryptoKeyIds": String[String] (optional) The identifiers of the set of cryptographic keys to be used to  authenticate the updated contact information and their use. </t>
</section>
</section>
<section title="New Object JsonWebKeySet" anchor="n--new-object-jsonwebkeyset-"><t>The JsonWebKeySet object is added to the Card object with the following properties: </t>
<section title="jsonWebKeys" anchor="n--jsonwebkeys-"><t>"jsonWebKeys": JWK[] (optional) A Json Web Key Set. </t>
<t>The JWK object is defined in [TBS]. </t>
</section>
</section>
</section>
<section title="Application Profiles" anchor="n-application-profiles"><t>This section <em>will</em> provide guidance on how to encode cryptographic keys for specific applications. It is currently a placeholder so the relevant expert groups have an opportunity to advise the precise means by which the relevant information is presented.</t>
<section title="S/MIME" anchor="n-smime"><t>S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a consistent way to send and receive secure MIME data over SMTP and other messaging transports.</t>
<t>Certificates issued for use with S/MIME are commonly used for other purposes, for example TLS client authentication. For the purposes of this discussion, our focus is strictly limited to the use of the certificate for messaging.</t>
<t>If the messaging protocol is SMTP, the service is specified as an EmailAddress, otherwise the OnlineService structure is used with the appropriate service specifier.</t>
<t>Strawman proposal:</t>
<ul>
<li>Use a single JWK entry with an x5c to specify the encryption key cert, signature key cert and cert path.</li>
<li>Specify the JWK in the keys section of the corresponding EmailAddress or OnlineService with the key identifier of the corresponding JWK and the 'smime' use.</li>
</ul>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "cryptoKeys" : {
    ...
    "emailKey3" : {
        "@type": "CryptoKey",
        "uri": "data:application/pkix-cert;base64,VQSUcf253buwsfIgF
UyqNeQ1Ky4.."}
    "emailKey4" : {
        "@type": "CryptoKey",
        "uri": "data:application/pkix-cert;base64,du0OqLzpeCHLXXJD-
HUpt1nN36o.."}
    ...
    }
  }</sourcecode>
</section>
<section title="OpenPGP" anchor="n-openpgp"><t>OpenPGP provides encryption with public key or symmetric cryptographic algorithms, digital signatures, compression, and key management.</t>
<t>OpenPGP key management is commonly used for many purposes including signing repository commits. For the purposes of this section, our focus is strictly limited to the use of keys for messaging.</t>
<t>If the messaging protocol is SMTP, the service is specified as an EmailAddress, otherwise the OnlineService structure is used with the appropriate service specifier.</t>
<t>Strawman proposal:</t>
<ul>
<li>User specifies their OpenPGP primary key as an OnlineService with service type 'openpgp'. This is also the place any key server information would be placed.</li>
<li>The first key in the keys entry of the service is the key identifier of the primary key</li>
<li>The sub keys are the following keys</li>
<li>The corresponding key entries are of type JsonWebKey</li>
<li>The key data is specified as a binary data property</li>
<li>Other services specify the subkeys that they use.</li>
</ul>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "cryptoKeys" : {
    "emailKey1" : {
        "@type": "CryptoKey",
        "uri": "data:application/pgp-keys;base64,9jhpthtFpOVS0FWXsg
5rF3W2-vE.."}
    ...
    }
  }</sourcecode>
</section>
<section title="SSH" anchor="n-ssh"><t>The SSH protocol used for remote shell and file system access supports authentication by means of either passwords or public keys. The set of public keys authorized to allow access to a device is specified by means of:</t>
<ul>
<li>A raw public key</li>
<li>An SSH user certificate as specified in <xref target="draft-ietf-sshm-cert"></xref>.</li>
<li>A PKIX certificate as specified in <xref target="RFC6187"></xref>.</li>
</ul>
<t>While use of certificates offers clear management advantages and SSH certificates are widely supported in applications and libraries, most users only use raw keys. The JsonWebKey object provides the most convenient means of encoding a raw key.</t>
<t>For example, Alice defines separate raw public keys for each of her two user devices and has separately created an SSH user certificate for one of the keys:</t>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "onlineServices" : {
    ...
    "ssh1" : {
        "@type": "OnlineService",
        "service": "ssh",
        "cryptoKeyIds": {
          "sshKey1": "sign",
          "sshKey2": "sign",
          "sshKey3": "sign"}}
    ...
    },
  "cryptoKeys" : {
    ...
    "sshKey1" : {
        "@type": "JsonWebKeySet",
        "jsonWebKeys": [{
            "kty": "OKP",
            "kid": "MBWQ-TY2X-SFBR-DWYL-LURE-GHD4-CCP3",
            "crv": "Ed25519",
            "x": "5tKZn7_cQYNz7SU65Vqm4JplTToA4kIIwyX_vWT76ZY"}
          ]}
    "sshKey2" : {
        "@type": "JsonWebKeySet",
        "jsonWebKeys": [{
            "kty": "OKP",
            "kid": "MAAF-677S-5LR7-LZC5-QSZV-EDTW-LYVV",
            "crv": "Ed25519",
            "x": "uWTosF21Jr2cC_JBdM9woCvUHUBFyOA9kZ-ealN2b4Q"}
          ]}
    "sshKey3" : {
        "@type": "CryptoKey",
        "uri": "data:application/ssh-TBS;base64,G1gwyQEpuvag5WQysXs
WjY4qD64.."}
    ...
    }
  }</sourcecode>
<t>[Remark: The SSH certificate draft is nearing completion, comments have been submitted on how to bind SSH certificates in JOSE JWK and suggesting creation of a media type.]</t>
</section>
<section title="Code Signing" anchor="n-code-signing"><t>Code signing is an important security control both in development and production environments. Most modern executable code formats and many scripting languages support one or more code signing mechanisms. While most signature mechanisms support use of PKIX certificate credentials, OpenPGP keys and even raw keys are used and sometimes required.</t>
<t>It is highly desirable for code signing keys used to sign published releases of code be kept separate from those used to sign development builds. In addition, many software distribution channels require the use of credentials issued by the channel operator. Consequently, the number of code signing keys used by a developer may be very large.</t>
<t>This use is specified by means of an OnlineService with the service type 'code' with key entries for the set of authorized signing keys.</t>
<t>Alice has a single code signing key with a PKIX credential specified in her JsContact card:</t>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "onlineServices" : {
    ...
    "code1" : {
        "@type": "OnlineService",
        "service": "code",
        "cryptoKeyIds": {
          "codeSign1": "sign"}}
    "code2" : {
        "@type": "OnlineService",
        "service": "code",
        "cryptoKeyIds": {
          "codeSign1": "sign"}}
    },
  "cryptoKeys" : {
    ...
    "codeSign1" : {
        "@type": "CryptoKey",
        "uri": "data:application/pkix-cert;base64,GvDh6w1P9K3aRa_tH
TxEoF5ya3I.."}
    "codeSign2" : {
        "@type": "CryptoKey",
        "uri": "data:application/pkix-cert;base64,mMT2044jV8LOoWy4u
plhZkQvG1I.."}
    ...
    }
  }</sourcecode>
</section>
<section title="Commit Signing" anchor="n-commit-signing"><t>Most modern source code repository systems support application of signatures to commit operations. While OpenPGP key management is commonly used for this purpose, the popular git source code repository also supports use of raw keys.</t>
<t>This use is specified by means of an OnlineService with the service type 'commit' with key entries for the set of authorized signing keys.</t>
<sourcecode>{
  "@type":"Card",
  ...
    ...
  "onlineServices" : {
    "git1" : {
        "@type": "OnlineService",
        "service": "commit",
        "user": "alice.example.com",
        "cryptoKeyIds": {
          "gitKey1": "sign"}}
    ...
    },
  "cryptoKeys" : {
    ...
    "gitKey1" : {
        "@type": "CryptoKey",
        "uri": "data:application/pgp-keys;base64,EBIHlPDVEY2rshD2rO
_JQNamX0s.."}
    ...
    }
  }</sourcecode>
</section>
</section>
<section title="IANA Considerations" anchor="n-iana-considerations"><t>This document does not specify any actions for IANA yet but it will...[TBS]</t>
</section>
<section title="Acknowledgements" anchor="n-acknowledgements"><t>Many thanks to Robert Stepanek who helped refine the approach to extending the schema.</t>
</section>
<section title="Appendix A: Collected Example&lt;include=..\Examples\ JSContactComplete.md&gt;" anchor="n-appendix-a-collected-exampleincludeexamples-jscontactcompletemd"></section>
</middle>
<back>
<references title="Normative References"><reference anchor="RFC9553"><front>
<title>JSContact: A JSON Representation of Contact Data</title>
<author fullname="R. Stepanek" initials="R." surname="Stepanek"><address>
</address>
</author>
<author fullname="M. Loffredo" initials="M." surname="Loffredo"><address>
</address>
</author>
<date month="May" year="2024"/>
</front>
<seriesInfo name="RFC" value="9553"/>
<seriesInfo name="DOI" value="10.17487/RFC9553"/>
</reference>
<reference anchor="RFC7517"><front>
<title>JSON Web Key (JWK)</title>
<author fullname="M. Jones" initials="M." surname="Jones"><address>
</address>
</author>
<date month="May" year="2015"/>
</front>
<seriesInfo name="RFC" value="7517"/>
<seriesInfo name="DOI" value="10.17487/RFC7517"/>
</reference>
<reference anchor="RFC2119"><front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author fullname="S. Bradner" initials="S." surname="Bradner"><address>
</address>
</author>
<date month="March" year="1997"/>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC6187"><front>
<title>X.509v3 Certificates for Secure Shell Authentication</title>
<author fullname="K. Igoe" initials="K." surname="Igoe"><address>
</address>
</author>
<author fullname="D. Stebila" initials="D." surname="Stebila"><address>
</address>
</author>
<date month="March" year="2011"/>
</front>
<seriesInfo name="RFC" value="6187"/>
<seriesInfo name="DOI" value="10.17487/RFC6187"/>
</reference>
<reference anchor="draft-hallambaker-earl"><front>
<title>Encrypted Authenticated Resource Locator</title>
<author fullname="Phillip Hallam-Baker" initials="P." surname="Hallam-Baker"><organization>ThresholdSecrets.com</organization>
<address>
</address>
</author>
<date day="6" month="October" year="2025"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-hallambaker-earl-01"/>
</reference>
<reference anchor="draft-ietf-sshm-cert"><front>
<title>SSH Certificate Format</title>
<author fullname="Damien Miller" initials="D." surname="Miller"><organization>OpenSSH</organization>
<address>
</address>
</author>
<date day="14" month="June" year="2026"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-sshm-cert-01"/>
</reference>
</references>
<references title="Informative References"><reference anchor="RFC7515"><front>
<title>JSON Web Signature (JWS)</title>
<author fullname="M. Jones" initials="M." surname="Jones"><address>
</address>
</author>
<author fullname="J. Bradley" initials="J." surname="Bradley"><address>
</address>
</author>
<author fullname="N. Sakimura" initials="N." surname="Sakimura"><address>
</address>
</author>
<date month="May" year="2015"/>
</front>
<seriesInfo name="RFC" value="7515"/>
<seriesInfo name="DOI" value="10.17487/RFC7515"/>
</reference>
</references>
</back>
</rfc>
