| Internet-Draft | Autocrypt v2 Certificates and TSKs | January 2026 |
| Gillmor, et al. | Expires 1 August 2026 | [Page] |
This document describes the "Autocrypt v2 Certificate", a standard structure for an OpenPGP certificate for Internet messaging (such as email) that offers a defense against both store-now-decrypt-later attacks from quantum computer and future key exfiltration attacks. It is also structured to support reasonable in-band transmission, using established mechanisms like the Autocrypt header field. This document also describes the structure, use, and maintenance of the OpenPGP Transferable Secret Key that corresponds with the Autocrypt v2 Certificate.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://autocrypt2.codeberg.page/autocrypt-v2-cert/. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-autocrypt-openpgp-v2-cert/.¶
Discussion of this document takes place on the OpenPGP Working Group mailing list (mailto:openpgp@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/openpgp/. Subscribe at https://www.ietf.org/mailman/listinfo/openpgp/.¶
Source for this draft and an issue tracker can be found at https://codeberg.org/autocrypt2/autocrypt-v2-cert/.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
An OpenPGP certificate can be structured in a bewildering variety of ways. The "Autocrypt v2 Certificate" is a modern OpenPGP structure that aims toward robustness, cryptographic resilience, and straightforward deployment in the Internet messaging context.¶
An OpenPGP implementation that produces and can handle certificates and secret keys structured in this way can provide the user with reasonable protection against a variety of plausible attacks, while slotting cleanly into existing mechanisms for end-to-end cryptographically protected email and other messaging systems.¶
This mechanism also enables an archiving messenger to support robust deletion of a received message in a way that the deleted message will not be recoverable, even by an adversary who can capture messages in transit, and later compromises the user's message archive and secret keys.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
"OpenPGP certificate" or just "certificate" refers to an OpenPGP Transferable Public Key (see Section 10.1 of [RFC9580]). This specification distinguishes between outgoing certificates as distributed by the keyholder, with a fixed structure and size, and incoming certificates as received and stored by a peer. This specification does not prescribe any particular mechanism for how certificates are transferred between parties.¶
"Transferable Secret Key" or just "TSK" refers to an OpenPGP Transferable Secret Key (see Section 10.2 of [RFC9580]).¶
"Component key" refers to a single cryptographic object found within an OpenPGP certificate. A certificate's primary key is a "component key", and any subkey in the certificate is also a "component key".¶
"Keyholder" is the party that has legitimate access to the secret key material corresponding to the component keys in a certificate. The keyholder can sign messages that can be verified with the certificate, decrypt messages that were encrypted to the certificate, and update the certificate itself over time.¶
"User Messaging Agent" or UMA refers to a program used to compose, send, receive, and render messages. This term is similar to "Mail User Agent" (MUA), but the variation in naming emphasizes that Autocrypt v2 certificates do not prescribe a specific transport mechanism nor do they prescribe a particular message content format. A Keyholder may have one or more UMAs that share access to the same secret key material, messaging inbox, and other account details.¶
"Peer" means a party who communicates with the keyholder via messages, as well as potentially with other peers. The peer does not have access to the keyholder's asymmetric secret key material, but typically has access to a copy of each message exchanged between the peer and keyholder.¶
"Reliable Deletion" refers to the property that enables a keyholder to render a message unrecoverable after deletion, even if an attacker has archived all messages in transit and subsequently obtains the keyholder's secret key material and message archive. Reliable deletion therefore requires the destruction of both secret key material and message cleartext. This property is commonly referred to as "Forward Secrecy"; however, this specification uses the term "Reliable Deletion" to emphasize the keyholder's ability to permanently delete messages.¶
A certificate following this specification has the following goals:¶
Post-quantum confidentiality. It should defend against a store-now-decrypt-later attack from a cryptographically relevant quantum computer.¶
Size matters. When network conditions are constrained by limited bandwidth, high latency, or intermittent connectivity, there often is a heightened need for encryption with reliably deletable messages. To preserve availability under such conditions, the size of cryptographic material should be minimized and it should be possible to include transmission of a few dozen certificates in a single message without impairing common messaging infrastructure.¶
Computational resources matter. It should be possible to promptly encrypt a single message to up to a few dozen of these certificates with low-powered devices. The same hardware should be able to quickly and cheaply verify a signature from one of these certificates. And with access to the corresponding secret keys, it should be inexpensive to decrypt a message encrypted to one, or to sign a message with one.¶
Reliable deletion. The keyholder should be able to robustly and permanently delete an encrypted message received some time in the past, rendering it unrecoverable even to a powerful attacker in the future (see Section 5.1).¶
No network synchronization needed. The keyholder should be able to encrypt and decrypt messages with local key material only, without requiring network synchronization between their own devices or with peers. To the extent that a keyholder has multiple UMAs of their own, each UMA should be able to operate independently with no ongoing network synchronization between them beyond the initial configuration.¶
Backward compatibility. It must be possible for a keyholder with an Autocrypt v1 key to sign a message that is encrypted to an Autocrypt v2 certificate, and vice versa. It must also be possible to encrypt a message to a mixed group of Autocrypt v1 and v2 certificates (though such a message may not meet the "Reliable deletion" goal).¶
Drop-in OpenPGP replacement for existing peers. The keyholder might need to update their OpenPGP implementation, UMA(s), and regular workflow to use the secret key material to meet these goals successfully. But a peer whose UMA supports Autocrypt v1.1 already only needs to update their OpenPGP implementation in order to interoperate.¶
This specification does not attempt to accommodate all possible scenarios that might occur with OpenPGP, email, or other messaging systems. The following concerns are explicitly not in-scope for this specification:¶
No support for legacy OpenPGP clients. The keyholder needs to use an up-to-date OpenPGP implementation, and expects their peers to do the same. There is no attempt at backward compatibility for a peer with a legacy OpenPGP implementation.¶
No in-cert human-readable identifiers. There is no attempt to store a “real name" or other human-readable identity information in the certificate. If human-readable identity information is to be associated with the certificate, it is expected to be supplied elsewhere, such as with a local petname system, or some external cryptographic bindings.¶
No in-cert transport-layer addressing.
There is no attempt to bind transport-layer routing information (e.g., email addresses) to the certificate.
Information about how to get an encrypted message to the keyholder is presumed
to be transmitted via some other channel, such as the Autocrypt header field.¶
No defense against quantum impersonation. While the certificate is designed to defend against store-now-decrypt-later attacks, it does not defend against an adversary with a cryptographically relevant quantum computer that breaks the signing key and updates the certificate in order to compromise future messages encrypted to the certificate. Such an attacker must expose themselves to the peer at least (putting the attacker at risk due to visibility), and these attacks cannot take place retroactively.¶
No transitioning from old certs. There is no specific support for transitioning older or alternative OpenPGP certificate formats to the structure defined in this specification. Such a migration path may be defined in future specifications, but this document is limited to new adopters going forward.¶
No certificate discovery and no refresh. This specification does not define a mechanism to request a refreshed certificate from a peer. Reliable message deletion depends on timely updates of each correspondent's certificate, but imposing a particular mechanism is unlikely to accommodate the constraints of diverse messaging implementations. That said, this specification does not preclude the use of discovery or refresh mechanisms.¶
No coordinated deletion of messages. This specification addresses unilateral deletability, protecting against a future attacker who compromises the keyholder's UMA or secret key storage. Messages are typically stored in multiple locations, across peers, devices, and UMAs. Guaranteeing deletion of all copies of a message, including through negotiated “disappearing messages” mechanisms, is outside the scope of this draft.¶
No post-compromise security. Some messaging schemes attempt to defend against an attacker who has compromised the user's secret key material at some point in the past, typically by regularly mixing new entropy into the secret key material and coordinating those updates across the user's shared devices. This specification does not defend against such an attacker. In the case of past key compromise, the user may need to move to an entirely new certificate.¶
An Autocrypt v2 certificate is composed of a specific sequence of version 6 OpenPGP packets. The precise requirements for these packets including algorithm IDs, key flags, and binding signatures are detailed in Section 2.2.¶
The expiring encryption subkey is rotated on a regular schedule.
The window of subkey validity (from creation and binding to expiration) is known as max_rd.
When the current subkey has only min_rd time left until expiration,
the keyholder adds a new rotating subkey.
A rotating subkey N+1 is created exactly at min_rd away
from the end of the validity window of rotating subkey N.
By convention, max_rd is 10 days (864000 seconds), and min_rd is 5 days (43200 seconds).
See Section 3.2 for the formal definition and concrete guidance about min_rd and max_rd.¶
In order for the keyholder to use the same TSK across multiple UMAs without explicit network coordination,
the values of min_rd and max_rd MUST be known to the keyholder's UMAs.
See Section 4.1.3 for more information.¶
This arrangement means the validity window of each subsequent rotating subkey overlaps with the validity window of the prior rotating subkey. See Appendix B.1 for more discussion about temporal layout of subkey validity windows.¶
An outbound certificate consists of the following six packets:¶
A. "Primary" Public Key Packet (packet type ID 6), version 6, public key algorithm Ed25519 (algorithm ID 27), creation time T¶
B. Direct Key Signature (packet type ID 2), version 6, signature type 0x1f, hashed subpackets include:¶
C. "Fallback" Public Subkey Packet (packet type 14), version 6, public key algorithm ML-KEM-768+X25519 (algorithm ID 35) (see Section 4.2 of [I-D.ietf-openpgp-pqc-14]), creation time T¶
D. Subkey binding signature (packet type ID 2), version 6, signature type 0x18, hashed subpackets include:¶
E. "Rotating" Public Subkey Packet (packet type 14), version 6, public key algorithm ML-KEM-768+X25519 (algorithm ID 35) (see Section 4.2 of [I-D.ietf-openpgp-pqc-14]), creation time T or later¶
F. Subkey binding signature (packet type ID 2), version 6, signature type 0x18, hashed subpackets:¶
An outbound certificate is 2938 octets in binary form.¶
A certificate for a peer should be merged into the locally cached certificate which may thus contain multiple rotating subkeys and grow accordingly.¶
OpenPGP has two different packet framing formats: the "OpenPGP format" (Section 4.2.1 of [RFC9580]) and the "Legacy format" (Section 4.2.2 of [RFC9580]). Autocrypt v2 certificates and TSKs use only the OpenPGP format.¶
This is particularly relevant for the deterministic ratcheting step described in Section 4.1.1 because that step needs a canonical octet-string representation of several OpenPGP packets.¶
Peers interacting with an Autocrypt v2 certificate do not need to identify it as an Autocrypt v2 certificate at all. They simply need to apply common OpenPGP semantics to the certificate.¶
However, all UMAs operated by the keyholder need to identify an Autocrypt v2 Transferable Secret Key (TSK) in order to perform aligned key ratcheting Section 4.1.1 and achieve reliable deletion for the keyholder.¶
A Transferable Secret Key (TSK) is identified as an Autocrypt v2 TSK if its internal structure corresponds to the packets defined in Section 2.2. The keyholder's UMA must recognize this structure to perform the aligned key ratcheting necessary for reliable deletion.¶
The subkey rotation cadence is derived from the Key Expiration Time subpacket (Section 5.2.3.13 of [RFC9580]) found in Packet F of Section 2.2.¶
By definition, the value of the Key Expiration Time subpacket
(which is measured as an integer number of seconds) is max_rd.
The default value for max_rd is 864000 seconds.
max_rd represents the maximum possible time that
the peer can send a reliably deletable message to the keyholder,
starting from when the peer retrieves a fresh copy of the keyholder's certificate.¶
min_rd is derived from max_rd.
By convention, min_rd is half of max_rd.
In particular, when max_rd is the default value of 864000 seconds,
min_rd is 432000 seconds.
min_rd represents the minimum possible time
that the peer will be able to send a reliably deletable message to the keyholder,
starting from when the peer retrieves a fresh copy of the keyholder's certificate.¶
Anyone designing a similar system with a different ratcheting cadence
where min_rd that is anything other than half of max_rd
MUST explicitly coordinate min_rd somehow with all other UMAs
and MUST set max_rd to something other than 864000.¶
An Autocrypt v2 certificate evolves over time, as new rotating encryption subkeys are added to it. It also sees older rotating encryption subkeys expire and potentially be removed. This requires reasonable behavior by the keyholder and their peers.¶
The keyholder must update the certificate regularly by ratcheting its secret key material forward to a new subkey. Since the ratchet is deterministic, based on time and the old key material, and the ratcheting schedule is standardized, each UMA that the keyholder uses will ratchet forward in the same way, without needing any additional network coordination.¶
Each successive encryption-capable subkey is derived deterministically from the subkey before it.¶
This section describes how to derive the secret key material and a deterministic subkey binding signature for the new encryption-capable subkey based on the following values:¶
secret_key, the Transferable Secret Key to be ratcheted.¶
start, the creation timestamp for the new subkey, represented as a number of seconds
elapsed since 1970-01-01T00:00:00Z, as a big-endian, 32-bit unsigned integer.¶
Note that both start, and the non-secret parts of secret_key
(that is, secret_key with get_public() applied to all its Secret Key packets)
are publicly visible.¶
The ratchet function relies on several deterministic subfunctions:¶
get_primary_key(TSK) -> K
takes a Transferable Secret Key and
returns the Secret Key packet of its primary key.¶
get_last_rotating_subkey(TSK) -> (K, sbs)
takes a Transferable Secret Key and
returns the Secret Subkey packet and corresponding Subkey Binding Signature packet of
it latest-expiring subkey that is marked with "encrypt to comms"¶
extract_secret_key_material(K) -> M retrieves 96 octets of secret key material M from
an OpenPGP ML-KEM-768+X25519 secret key packet K.
The octets of M are structured exactly as they are on the wire.
(32 octets of X25519 key material + a 64 octet seed of ML-KEM-768).¶
get_public(K) -> P takes an OpenPGP Secret Key (or Subkey) packet and produces
the corresponding OpenPGP Public Key (or Subkey) packet in OpenPGP format.¶
make_secret_subkey(M,T) -> K takes 96 octets of secret key material M and
OpenPGP timestamp T and produces a ML-KEM-768+X25519 secret subkey packet
with creation time T.¶
normalize_x25519_scalar(M) -> M
takes 96 octets of OpenPGP ML-KEM-768+X25519 secret key material, and
normalizes the first 32 octets, which are an X25519 secret key.
The full 96 octets are returned after normalization.
Normalization clears the three least-significant bits of the first octet,
clears the most-significant bit of the 32nd octet, and
sets the second-most-significant bit of the 32nd octet,
as described in decodeScalar25519 in Section 5 of [RFC7748].¶
get_hashed_subpackets(S) -> subpackets
takes a Signature packet and returns the ordered list of hashed subpackets
from that Signature.¶
get_expiration_duration(S) -> secs
takes a Signature packet with a hashed Key Expiration subpacket and
returns the contents of the hashed Key Expiration subpacket,
represented as four octets, interpretable as a big-endian unsigned integer number of seconds.¶
replace_creation_time(subpackets, T) -> subpackets
takes an ordered list of OpenPGP signature subpackets sps and
returns the same list but with
the value of the Signature Creation Time subpacket replaced by T.¶
bind_subkey(P,K,T,sps,salt) -> S
takes primary Ed25519 secret key P, public subkey K,
timestamp T,
an ordered list of OpenPGP signature subpackets subp,
and a 16-octet salt, and
produces an OpenPGP v6 Subkey Binding Signature S using an Ed25519 signature.
Ed25519 signatures are deterministic as described in Section 8.2 of [RFC8032].¶
The next secret subkey and subkey binding signature are derived via [HKDF] using SHA2-512,
with the following construction,
where || represents concatenation:¶
AC2_Ratchet(secret_key
start)
-> (next_secret_subkey, subkey_binding_sig):
primary_key = get_primary_key(secret_key)
(base_subkey, oldsbs) = get_last_rotating_subkey(secret_key)
max_rd = get_expiration_duration(oldsbs)
salt = start || get_public(base_key)
info = "Autocrypt_v2_ratchet" || get_public(primary_key) || max_rd
IKM = extract_secret_key_material(base_key)
IKM = normalize_x25519_scalar(IKM)
L = 160
ks = HKDF_SHA2_512(salt, info, IKM, L)
bssalt = SHA2_512(ks[0:64])[0:16]
new_secret = normalize_x25519_scalar(ks[64:160])
new_subkey = make_secret_subkey(new_secret, start)
subp = replace_creation_time(get_hashed_subpackets(oldsbs), start)
binding_sig = bind_subkey(primary_key,
get_public(new_subkey),
subp, bssalt)
return (new_subkey, binding_sig)
¶
The "Autocrypt_v2_ratchet" string is 20 octets as represented in US-ASCII.¶
000 41 75 74 6f 63 72 79 70 |Autocryp| 008 74 5f 76 32 5f 72 61 74 |t_v2_rat| 010 63 68 65 74 |chet| 014¶
Note that a UMA without access to the secret key material of the primary key
can still use parts of AC2_Ratchet to derive the new secret key subkey
without producing the subkey binding signature.
Such a UMA would be able to decrypt incoming new messages.¶
The core of the algorithm above can be visualized as follows:¶
This section describes a straightforward algorithm for a keyholder's UMA to decide when to create a new encryption-capable subkey. A UMA can execute this algorithm at any time, and SHOULD execute it in at least two specific cases:¶
When preparing to extract an OpenPGP certificate for publication or transmission to a peer, and¶
When receiving an encrypted message that is encrypted to a key that the implementation does not know about.¶
Note that this algorithm is specifically about new subkey creation. Please see Section 4.1.4 for recommendations about subkey destruction.¶
Knowing when to produce a new secret subkey requires knowledge of four distinct values. All timestamps referenced here are values computed in the OpenPGP standard, that is, as an integer number of seconds elapsed since 1970-01-01T00:00:00Z.¶
Two values are taken from the Autocrypt v2 TSK:¶
base_start, the creation timestamp of the most recent rotating subkey.¶
max_rd, the number of seconds that the rotating subkey will expire.¶
One value is derived from the above:¶
min_rd is typically half of max_rd (see Section 3.2)¶
And a final value is taken from general consensus:¶
now, the current "wall-clock" timestamp.¶
Add new rotating subkeys with the following routine:¶
If now < base_start, abort.
(something is probably wrong with the system clock or the secret key material)¶
Let next_start be base_start + max_rd - min_rd.¶
If now < next_start, terminate successfully (no need to ratchet).¶
Generate new secret subkey next_key, using key material deterministically derived from
the certificate's primary key, the most recent rotating secret subkey, max_rd, and next_start.
Bind next_key as an encryption-capable subkey,
using a deterministic subkey binding signature packet.
next_key's creation timestamp (and the subkey binding signature) is next_start.
See Section 4.1.1 for how to deterministically derive the new secret key and subkey binding signature.¶
Restart this process, using the new subkey.¶
Note that the recursive nature of the above scheduler may end up generating multiple secret subkeys if the device has been offline for a long time.¶
While this specification defines a 10-day validity window with a 50% overlap as the standard convention, a system could be designed with a different rotation window or a different overlap algorithm. Such a system MUST guarantee that all the keyholder's own UMAs follow an identical adjusted rotation schedules and key destruction logic in order to maintain synchronization.¶
A peer receiving an incoming certificate produced under a custom schedule does not need to be aware of the keyholder's specific rotation logic. Because these certificates adhere to standard OpenPGP structures, the peer will properly handle them by merging the new subkeys into their local cache using standard OpenPGP semantics (see Section 4.2). As long as the primary key remains constant, the peer's UMA will simply see a sequence of valid encryption subkeys and can continue to encrypt messages following the logic described in Section 4.3.¶
To achieve reliable deletion, a keyholder SHOULD destroy the secret key material for a rotating encryption subkey as soon as it is no longer required for decryption. Because message delivery is not instantaneous, a subkey should be retained for a grace period beyond its validity window. This delay accounts for the maximum expected transit time of the underlying transport mechanism. For example, a 10-day delay (864000 seconds) is reasonable for Internet mail.¶
The destruction process is tied to the successful retrieval and processing of messages. A UMA SHOULD follow this routine:¶
Track Transport Endpoints: For every transport endpoint associated with a certificate,
the UMA maintains a last_checked timestamp and an expected maximum delivery delay.¶
Determine the Safety Horizon: The UMA calculates an oldest_update timestamp,
which is the minimum value of (last_checked - delay) across all associated transport endpoints.