A way to pass custom label (associated data) - for auditing / access control #224
joonas-fi started this conversation in Spec feedback
Use case: an organization has a centralized key management server ("KMS") that only has access to the decryption keys.
The organization backs up all servers' services' data using Age. All of the backup files could have labels saying com.myorg:backup:server:SERVER_ID:service:SERVICE_NAME (just an example using hierarchical Amazon AWS-style resource names).
When a user wants to access the backup, she needs to ask the KMS to decrypt the data (or at least to unwrap the file key).
For auditing, it would be nice if the KMS could have tamper-proof auditing of which user accessed which data. This labeling could provide this facility.
Also, the KMS could tie authorization to these labels (this user is allowed to access these servers). This is of course outside the scope of Age, but is something that the label feature would enable.
Most of the stanzas are already using AEAD constructions which support passing AD (unencrypted-but-authenticated) data, but Age currently doesn't support binding a user-supplied label to the ciphertext.
This unencrypted label could appear on the last line of the header.
Is the spec already frozen?
P.S. I could not find a mention saying if this v1 spec is a living draft or frozen, so I don't know if it's suitable to propose possibly backwards-compat breaking enhancements, and as an end-user I don't know if I can start using Age and have a promise that the encrypted files I make today will be supported in five years?
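The binding proposed above, as an added Go example that is not part of the original post and is not age's format or API: the label is passed as AEAD associated data when the file key is wrapped, so a KMS can authorize and audit on a label the caller cannot swap. Assumptions: AES-256-GCM from the Go standard library stands in for the stanza AEAD, and `newAEAD`, `Wrap`, `Unwrap`, the ACL map, the user name and the key are hypothetical, constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// newAEAD: AES-256-GCM (standard library) stands in for the stanza AEAD; an assumption.
func newAEAD(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts the file key; the label is associated data: cleartext but authenticated.
func Wrap(a cipher.AEAD, fileKey []byte, label string) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, fileKey, []byte(label)), nil // nonce || ciphertext || tag
}

// Unwrap is the hypothetical KMS side. It authorizes on the presented label, then the
// AEAD tag proves that label belongs to this blob. Every attempt is audited.
func Unwrap(a cipher.AEAD, acl map[string]string, audit *[]string, user, label string, blob []byte) (key []byte, err error) {
	defer func() { *audit = append(*audit, fmt.Sprintf("user=%s label=%s err=%v", user, label, err)) }()
	n := a.NonceSize()
	if p, ok := acl[user]; !ok || !strings.HasPrefix(label, p) || len(blob) < n {
		return nil, fmt.Errorf("refused: label outside the caller's ACL or malformed blob")
	}
	if key, err = a.Open(nil, blob[:n], blob[n:], []byte(label)); err != nil {
		return nil, fmt.Errorf("label is not bound to this wrapped key")
	}
	return key, nil
}

func main() {
	a, _ := newAEAD(make([]byte, 32))                                // constructed all-zero demo key
	acl := map[string]string{"alice": "com.myorg:backup:server:42:"} // constructed ACL
	var audit []string
	blob, _ := Wrap(a, []byte("0123456789abcdef"), "com.myorg:backup:server:7:service:db")
	_, err := Unwrap(a, acl, &audit, "alice", "com.myorg:backup:server:42:service:db", blob) // relabelled
	fmt.Println(err, audit)
}
```

Because the label travels in cleartext, only the authentication tag stops a caller from presenting a server-7 key blob under a server-42 label that their ACL permits.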