Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Wed, 01 March 2023 19:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2kdoAcMqHvW9OAKfAyuVQEnAn8E>

On 01/03/2023 18:01, Daniel Kahn Gillmor wrote:
> On Wed 2023-03-01 12:46:26 +0000, Andrew Gallagher wrote:
>> The body of a signature packet contains the prefix octets, and the above
>> only says to remove the unhashed subpacket area. So fixing up the prefix
>> octets will invalidate 0x50 sigs.
> 
> I think this is correct, but surely "do not tamper with the subject of a
> signature if you want the signature to still validate" is true
> *regardless* of whether the subject of the signature is itself an
> OpenPGP signature or not.
> 
> Why should the working group prohibit an implementation that wants to
> fix a malformed certification that is *not* covered by a 0x50 signature
> or embedded in a digest-dependent chain like a git repo?

Because in a distributed system you don't know that a signature is not 
the subject of a countersignature or digest somewhere else. We can 
easily construct a case where a signature is stored on some central 
system (e.g. a keyserver), and also distributed to a third party (or 
parties) for countersignature. When a countersig comes back, what 
happens if the original sig has been fixed up in the meantime? Does the 
keyserver refuse to process the countersig (being invalid) or does it 
revert to the previous (malformed) version? What if one third party 
countersigs the malformed sig and another countersigs the fixed-up copy?

This is a can of worms that should be nailed firmly shut IMO.

A
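
The point made in this message, as an added example that is not part of the original thread: for a v4 signature, the octets a 0x50 signature hashes for its target (RFC 4880 section 5.2.4) drop the unhashed subpacket area but keep the two prefix octets, so fixing up the prefix changes what was countersigned. The sample packet body, the replacement prefix and all function names are constructed for illustration, and only the target's contribution to the hash is computed.

```python
import hashlib
import struct

def split_sig(body: bytes) -> dict:
    """Split a v4 signature packet body into the areas discussed above."""
    if len(body) < 8 or body[0] != 4:
        raise ValueError("expected a v4 signature packet body")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    un_off = 6 + hashed_len                      # offset of unhashed length
    if un_off + 2 > len(body):
        raise ValueError("truncated signature body")
    un_len = struct.unpack(">H", body[un_off:un_off + 2])[0]
    pre_off = un_off + 2 + un_len                # offset of the prefix octets
    if pre_off + 2 > len(body):
        raise ValueError("truncated signature body")
    return {"head": body[:un_off],               # version .. hashed subpackets
            "unhashed": body[un_off + 2:pre_off],
            "prefix": body[pre_off:pre_off + 2], # left 16 bits of the digest
            "mpis": body[pre_off + 2:]}

def join_sig(head, unhashed, prefix, mpis) -> bytes:
    return head + struct.pack(">H", len(unhashed)) + unhashed + prefix + mpis

def target_hash_input(body: bytes) -> bytes:
    """Octets a v4 0x50 signature hashes for its target signature."""
    p = split_sig(body)
    stripped = join_sig(p["head"], b"", p["prefix"], p["mpis"])
    return b"\x88" + struct.pack(">I", len(stripped)) + stripped

def target_digest(body: bytes) -> str:
    return hashlib.sha256(target_hash_input(body)).hexdigest()

def replace_unhashed(body: bytes, unhashed: bytes) -> bytes:
    p = split_sig(body)
    return join_sig(p["head"], unhashed, p["prefix"], p["mpis"])

def fix_up_prefix(body: bytes, prefix: bytes) -> bytes:
    p = split_sig(body)
    return join_sig(p["head"], p["unhashed"], prefix, p["mpis"])

# Constructed sample: v4, type 0x10, RSA (1), SHA-256 (8), one hashed
# subpacket (creation time), one unhashed subpacket (issuer), a wrong
# prefix of 00 00 and a dummy 16-bit MPI. Not a real signature.
SAMPLE = (bytes([4, 0x10, 1, 8]) + b"\x00\x06" + b"\x05\x02\x64\x00\x00\x00"
          + b"\x00\x0a" + b"\x09\x10" + bytes(8) + b"\x00\x00" + b"\x00\x10\xab\xcd")

if __name__ == "__main__":
    print("original        ", target_digest(SAMPLE))
    print("unhashed removed", target_digest(replace_unhashed(SAMPLE, b"")))
    print("prefix fixed up ", target_digest(fix_up_prefix(SAMPLE, b"\x12\x34")))
```

The first two digests printed are equal and the third differs, which is the case where a countersignature made over the malformed copy no longer matches the fixed-up copy.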