27090 – openpgp4fpr is a scheme used for sharing PGP key fingerprints. Also posted a message, here: http://lists.w3.org/Archives/Public/public-whatwg-archive/2014Oct/0148.html

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27090 - openpgp4fpr is a scheme used for sharing PGP key fingerprints. Also posted a message, here: http://lists.w3.org/Archives/Public/public-whatwg-archive/2014Oct/0148.html

Summary: openpgp4fpr is a scheme used for sharing PGP key fingerprints. Also posted a ...

Status:	RESOLVED FIXED

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	HTML (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	Unsorted
Assignee:	Ian 'Hixie' Hickson
QA Contact:	contributor

URL:	https://html.spec.whatwg.org/#whiteli...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-10-17 02:22 UTC by contributor
Modified:	2015-01-08 18:54 UTC (History)
CC List:	3 users (show)

See Also:

Attachments

Description contributor 2014-10-17 02:22:56 UTC

Specification: https://html.spec.whatwg.org/multipage/webappapis.html
Multipage: https://html.spec.whatwg.org/multipage/#whitelisted-scheme
Complete: https://html.spec.whatwg.org/#whitelisted-scheme
Referrer: 

Comment:
openpgp4fpr is a scheme used for sharing PGP key fingerprints. Also posted a
message, here:
http://lists.w3.org/Archives/Public/public-whatwg-archive/2014Oct/0148.html

Posted from: 50.157.207.187
User agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.120 Chrome/37.0.2062.120 Safari/537.36

Comment 1 Ian 'Hixie' Hickson 2014-11-26 21:31:07 UTC

What does going to such a URL do? Is it something where you'd be ok if random evil Web pages kept sending you there?

Comment 2 effigies 2015-01-06 02:44:36 UTC

It will depend entirely on the handler, just like any URL, presumably. The full protocol is:

openpgp4fpr:<40 Hex digits>

A handler would (most likely) attempt to look up an OpenPGP key, either from the user's keyring or from a keyserver. As far as I know the only existing examples of handlers are for Android, as the protocol is used to pass key fingerprints through QR codes, and Android allows the registration of arbitrary handles.

A proof of concept handler can be installed in Firefox at: https://openpgp4.info/

If a random evil web page kept sending you there, you would simply keep opening that page.

Comment 3 Ian 'Hixie' Hickson 2015-01-06 22:52:10 UTC

Well, I can't think of an attack scenario here, so, sure. Added.

Comment 4 contributor 2015-01-06 22:52:53 UTC

Checked in as WHATWG revision r8872.
Check-in comment: Add openpgp4fpr: scheme to whitelist for registration
https://html5.org/tools/web-apps-tracker?from=8871&to=8872

Comment 5 effigies 2015-01-06 23:05:26 UTC

Was it intentional to remove nntp?

Comment 6 Ian 'Hixie' Hickson 2015-01-08 18:39:04 UTC

Woah, no, what the heck. Fixed. Thanks for catching that!

Comment 7 Ian 'Hixie' Hickson 2015-01-08 18:54:27 UTC

Checked in as WHATWG revision r8878.
Check-in comment: Put back nntp to the scheme whitelist, since it was removed completely accidentally.
https://html5.org/tools/web-apps-tracker?from=8877&to=8878