IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 02 March 2023 14:09 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 928CAC152F1A for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 06:09:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="3ByCCwo1"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="aKN0e3JH"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQ_MOehlPEJK for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 06:09:15 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A562C152F17 for <openpgp@ietf.org>; Thu, 2 Mar 2023 06:09:15 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1677766150; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=xs1QlIZKt+4wd7YhIlhsoW6EztAjj9FWNReHSwS0fsI=; b=3ByCCwo1zGSZTF6NAGXo/B+Upc9BAEkwAPt3Zk70F3S7+aAZ/FxXWxe7bNw6Dbzv+7jU2 X1zkcL09KI54ULECA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1677766150; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=xs1QlIZKt+4wd7YhIlhsoW6EztAjj9FWNReHSwS0fsI=; b=aKN0e3JHg7v70lJtYJGEeunzMj0nG06SKlc4Cvf2NeL9Lylw760RaWXDYBh1n4ka8XnAd NNGpTo/xCBxYFuS/2clsdUF91My5IQCO9D0Sj3ID8t38aF64ga4np60W3ZDIuP1ryRWraBw ErA1y6TMXrIMBhLUyRPUWYS30QtvMYdrO8t9T1cQy7QPPJmskL58F3NoAA2HybsHIydAUt4 /bJPctZWCfLepcuYV6Lq0Of2nuS+qHicJFP2XGXhrW1aK1vxcEE99ISuv1CWGpYInhx0wRM +PUgI4yRv6RNqLSS+QuEsMDYUP7Tv2eT+GMX6AEQV6OoB2i/huBjFniVlwQg==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 8CB1BF9B3 for <openpgp@ietf.org>; Thu, 2 Mar 2023 09:09:10 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 4BC4621206; Thu, 2 Mar 2023 09:09:01 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <c8bc1904-dcaf-6ab9-1f16-85a0a2761c6f@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com> <87a60vbi7n.fsf@europ.lan> <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com> <877cvzbet0.fsf@europ.lan> <c8bc1904-dcaf-6ab9-1f16-85a0a2761c6f@andrewg.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Thu, 02 Mar 2023 09:09:00 -0500
Message-ID: <87y1ofqm83.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/0_FA2Pjv3ZnczM2jCunGiMxY04A>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 14:09:19 -0000

On Thu 2023-03-02 13:36:57 +0000, Andrew Gallagher wrote:
> It does not matter whether you think RFC4880 allowed lenient behaviour 
> or not. What matters is that enough other people thought that it did, so 
> there are now permanent facts on the ground that you are powerless to 
> undo. Neither of us LIKE this scenario. I'm just not prepared to punish 
> github users for a historical error that a) they had no hand in, b) has 
> no known security implications, and c) nobody, not even github 
> themselves, can now fix.

To be fair, Github *can* fix their v4 signatures and their certificates
going forward.  It does not appear that they have done so.

Surely there are invalid OpenPGP signatures (not just malformed due to a
bad digest prefix) scattered throughout git repositories everywhere just
because people make mistakes (or the keys that issued them are now
revoked, etc) and modification-aware systems like git don't really let
people undo things of this nature.

Having some implementations that are strict about v4 signatures might
provide some pressure on Github to correct their signatures (and their
public key) going forward, and if the result is that those
implementations can't (or won't) validate legacy signatures, that's just
a larger pool of invalid signatures for those implementations.

> I withdraw my proposal.

Can we get a consensus read from the group about whether the proposal as
it stands in !213 is acceptable?

The proposal adds this single sentence to the crypto-refresh:

    When verifying a v6 signature, an implementation MUST reject the
    signature if these octets don't match the first two octets of the
    computed hash.

I'm not asking for a consensus about whether this is *everything* you'd
like to see (this conversation has made it clear to me that there are
strongly-held opinions within the group about desired-yet-conflicting
additional clarifications about v3 and v4 signatures).

I'm asking whether you approve of this particular addition, as it
stands.  I don't think i've heard any objections from the group about
mandating this strictness for v6 signature verifications.

Please send a short note if you approve.  If you don't approve, please
let the list know; and if you could explain your objection, that would
be great too.

          --dkg

v2.23.0 | Report a Bug | By Email