From 3728f8e12f63b4f7d8aef8fc2aaf63d5c5a54a42 Mon Sep 17 00:00:00 2001 From: 3rd Iteration Date: Mon, 15 Sep 2025 15:16:18 -0400 Subject: [PATCH 1/3] Expand BIP85 to include ECC key types --- bip-0085.mediawiki | 42 ++++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/bip-0085.mediawiki b/bip-0085.mediawiki index 174ba816b2..a51a1c36e9 100644 --- a/bip-0085.mediawiki +++ b/bip-0085.mediawiki @@ -360,36 +360,58 @@ OUTPUT * DERIVED ENTROPY=f7cfe56f63dca2490f65fcbf9ee63dcd85d18f751b6b5e1c1b8733af6459c904a75e82b4a22efff9b9e69de2144b293aa8714319a054b6cb55826a8e51425209 * DERIVED PWD=_s`{TW89)i4` -===RSA=== +===GPG Keys=== -Application number: 828365' +Application number is dependant on the key type. -The derivation path format is: m/83696968'/828365'/{key_bits}'/{key_index}' +{| +!OpenGPG Key Type +!Application Number +|- +| RSA +| 828365' +|- +| ECC(Curve25519) +| 828366' +|- +| ECC(secp256k1) +| 828367' +|- +| ECC(NIST) +| 828368' +|- +| ECC(Brainpool) +| 828369' +|- +|} -The RSA key generator should use BIP85-DRNG as the input RNG function. +The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types over 256bit should use BIP85-DRNG. -===RSA GPG=== +====Primary Keys and Subkeys==== -Keys allocated for RSA-GPG purposes use the following scheme: +Keys allocated for GPG purposes use the following scheme: - - Main key m/83696968'/828365'/{key_bits}'/{key_index}' - - Sub keys: m/83696968'/828365'/{key_bits}'/{key_index}'/{sub_key}' + - Primary key m/83696968'/{key_type}'/{key_bits}'/{key_index}' + - Sub keys: m/83696968'/{key_type}'/{key_bits}'/{key_index}'/{sub_key}' - key_index is the parent key for CERTIFY capability - sub_key 0' is used as the ENCRYPTION key - sub_key 1' is used as the AUTHENTICATION key - sub_key 2' is usually used as SIGNATURE key -Note on timestamps: +Additional subkeys can be added to a primary key, including keys of a different key type, following the role pattern defined above, but the key_index MUST be incremented with each subkey. + +Note on timestamps: The resulting RSA key can be used to create a GPG key where the creation date MUST be fixed to unix Epoch timestamp 1231006505 (the Bitcoin genesis block time '2009-01-03 18:05:05' UTC) because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of faketime). -Note on GPG key capabilities on smartcard/hardware devices: +Note on GPG key capabilities on smartcard/hardware devices: GPG capable smart-cards SHOULD be loaded as follows: The encryption slot SHOULD be loaded with the ENCRYPTION capable key; the authentication slot SHOULD be loaded with the AUTHENTICATION capable key. The signature capable slot SHOULD be loaded with the SIGNATURE capable key. However, depending on available slots on the smart-card, and preferred policy, the CERTIFY capable key MAY be flagged with CERTIFY and SIGNATURE capabilities and loaded into the SIGNATURE capable slot (for example where the smart-card has only three slots and the CERTIFY capability is required on the same card). In this case, the SIGNATURE capable sub-key would be disregarded because the CERTIFY capable key serves a dual purpose. + ===DICE=== Application number: 89101' From 56a8de8209722f30c66fe8a3f3668321cc016894 Mon Sep 17 00:00:00 2001 From: 3rd Iteration Date: Mon, 6 Oct 2025 14:28:24 -0400 Subject: [PATCH 2/3] Update bip-0085.mediawiki Co-authored-by: Jon Atack --- bip-0085.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bip-0085.mediawiki b/bip-0085.mediawiki index a51a1c36e9..5b2e343614 100644 --- a/bip-0085.mediawiki +++ b/bip-0085.mediawiki @@ -385,7 +385,7 @@ Application number is dependant on the key type. |- |} -The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types over 256bit should use BIP85-DRNG. +The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types over 256 bits should use BIP85-DRNG. ====Primary Keys and Subkeys==== From 31eea92063a7d6a1ea8054d8d9a29263ee218c2d Mon Sep 17 00:00:00 2001 From: 3rd Iteration Date: Mon, 6 Oct 2025 14:39:10 -0400 Subject: [PATCH 3/3] Update bip-0085.mediawiki Co-authored-by: Aneesh Karve --- bip-0085.mediawiki | 1 - 1 file changed, 1 deletion(-) diff --git a/bip-0085.mediawiki b/bip-0085.mediawiki index 5b2e343614..914d8a2c68 100644 --- a/bip-0085.mediawiki +++ b/bip-0085.mediawiki @@ -411,7 +411,6 @@ GPG capable smart-cards SHOULD be loaded as follows: The encryption slot SHOULD However, depending on available slots on the smart-card, and preferred policy, the CERTIFY capable key MAY be flagged with CERTIFY and SIGNATURE capabilities and loaded into the SIGNATURE capable slot (for example where the smart-card has only three slots and the CERTIFY capability is required on the same card). In this case, the SIGNATURE capable sub-key would be disregarded because the CERTIFY capable key serves a dual purpose. - ===DICE=== Application number: 89101'