Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 02 March 2023 14:09 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 928CAC152F1A for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 06:09:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="3ByCCwo1"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="aKN0e3JH"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQ_MOehlPEJK for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 06:09:15 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A562C152F17 for <openpgp@ietf.org>; Thu, 2 Mar 2023 06:09:15 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1677766150; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=xs1QlIZKt+4wd7YhIlhsoW6EztAjj9FWNReHSwS0fsI=; b=3ByCCwo1zGSZTF6NAGXo/B+Upc9BAEkwAPt3Zk70F3S7+aAZ/FxXWxe7bNw6Dbzv+7jU2 X1zkcL09KI54ULECA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1677766150; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=xs1QlIZKt+4wd7YhIlhsoW6EztAjj9FWNReHSwS0fsI=; b=aKN0e3JHg7v70lJtYJGEeunzMj0nG06SKlc4Cvf2NeL9Lylw760RaWXDYBh1n4ka8XnAd NNGpTo/xCBxYFuS/2clsdUF91My5IQCO9D0Sj3ID8t38aF64ga4np60W3ZDIuP1ryRWraBw ErA1y6TMXrIMBhLUyRPUWYS30QtvMYdrO8t9T1cQy7QPPJmskL58F3NoAA2HybsHIydAUt4 /bJPctZWCfLepcuYV6Lq0Of2nuS+qHicJFP2XGXhrW1aK1vxcEE99ISuv1CWGpYInhx0wRM +PUgI4yRv6RNqLSS+QuEsMDYUP7Tv2eT+GMX6AEQV6OoB2i/huBjFniVlwQg==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 8CB1BF9B3 for <openpgp@ietf.org>; Thu, 2 Mar 2023 09:09:10 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 4BC4621206; Thu, 2 Mar 2023 09:09:01 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <c8bc1904-dcaf-6ab9-1f16-85a0a2761c6f@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com> <87a60vbi7n.fsf@europ.lan> <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com> <877cvzbet0.fsf@europ.lan> <c8bc1904-dcaf-6ab9-1f16-85a0a2761c6f@andrewg.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Thu, 02 Mar 2023 09:09:00 -0500
Message-ID: <87y1ofqm83.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/0_FA2Pjv3ZnczM2jCunGiMxY04A>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 14:09:19 -0000
On Thu 2023-03-02 13:36:57 +0000, Andrew Gallagher wrote: > It does not matter whether you think RFC4880 allowed lenient behaviour > or not. What matters is that enough other people thought that it did, so > there are now permanent facts on the ground that you are powerless to > undo. Neither of us LIKE this scenario. I'm just not prepared to punish > github users for a historical error that a) they had no hand in, b) has > no known security implications, and c) nobody, not even github > themselves, can now fix. To be fair, Github *can* fix their v4 signatures and their certificates going forward. It does not appear that they have done so. Surely there are invalid OpenPGP signatures (not just malformed due to a bad digest prefix) scattered throughout git repositories everywhere just because people make mistakes (or the keys that issued them are now revoked, etc) and modification-aware systems like git don't really let people undo things of this nature. Having some implementations that are strict about v4 signatures might provide some pressure on Github to correct their signatures (and their public key) going forward, and if the result is that those implementations can't (or won't) validate legacy signatures, that's just a larger pool of invalid signatures for those implementations. > I withdraw my proposal. Can we get a consensus read from the group about whether the proposal as it stands in !213 is acceptable? The proposal adds this single sentence to the crypto-refresh: When verifying a v6 signature, an implementation MUST reject the signature if these octets don't match the first two octets of the computed hash. I'm not asking for a consensus about whether this is *everything* you'd like to see (this conversation has made it clear to me that there are strongly-held opinions within the group about desired-yet-conflicting additional clarifications about v3 and v4 signatures). I'm asking whether you approve of this particular addition, as it stands. I don't think i've heard any objections from the group about mandating this strictness for v6 signature verifications. Please send a short note if you approve. If you don't approve, please let the list know; and if you could explain your objection, that would be great too. --dkg
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher