Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Andrew Gallagher <andrewg@andrewg.com> Wed, 01 March 2023 19:47 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9E16C14CE30 for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 11:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZ_Bp3UfGzlr for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 11:47:30 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A049C14CE28 for <openpgp@ietf.org>; Wed, 1 Mar 2023 11:47:28 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 0CD4C5F4D2 for <openpgp@ietf.org>; Wed, 1 Mar 2023 19:47:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677700046; bh=1StLetvF/yxXHVGYLR7O9lxctjWew0YuKKGmyX9mQXQ=; h=Date:To:References:From:Subject:In-Reply-To:From; b=d4dKUBuqWN6OC2zT6mfZfN1T2uybrxAu9RYqEJx3/XnSNDRO64DHi9vDpifhtbaPE /EywfNVuoAhI/0HkcTKdB+uQSHHrK/Y+82UXhxVUENnmSswlBwOWzpvRNsyIhhbnl+ vclikI+pXPhFQB50xB3YoW3DP5BJTw4Xl+39gHtQxphBL/InIxOBQj1lDmUbdLbnWd 6J5qADixth2SkJLP3AGoZTU0qZTnXMtOAESWktWq6KcALeKFKX18XjblsTxQ/KzZHe Z/jxVT1bxO+FzepNNWabZvNxkEsD2qWmOFCP66AgnAG4loDrf3GZ2dIt5u/uS5t423 xHk6OKlmUhFOQ==
Message-ID: <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com>
Date: Wed, 01 Mar 2023 19:47:24 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87lekgs64c.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2kdoAcMqHvW9OAKfAyuVQEnAn8E>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 19:47:35 -0000
On 01/03/2023 18:01, Daniel Kahn Gillmor wrote: > On Wed 2023-03-01 12:46:26 +0000, Andrew Gallagher wrote: >> The body of a signature packet contains the prefix octets, and the above >> only says to remove the unhashed subpacket area. So fixing up the prefix >> octets will invalidate 0x50 sigs. > > I think this is correct, but surely "do not tamper with the subject of a > signature if you want the signature to still validate" is true > *regardless* of whether the subject of the signature is itself an > OpenPGP signature or not. > > Why should the working group prohibit an implementation that wants to > fix a malformed certification that is *not* covered by a 0x50 signature > or embedded in a digest-dependent chain like a git repo? Because in a distributed system you don't know that a signature is not the subject of a countersignature or digest somewhere else. We can easily construct a case where a signature is stored on some central system (e.g. a keyserver), and also distributed to a third party (or parties) for countersignature. When a countersig comes back, what happens if the original sig has been fixed up in the meantime? Does the keyserver refuse to process the countersig (being invalid) or does it revert to the previous (malformed) version? What if one third party countersigs the malformed sig and another countersigs the fixed-up copy? This is a can of worms that should be nailed firmly shut IMO. A
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher