[openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
Daniel Huigens <d.huigens@protonmail.com> Fri, 19 May 2023 14:42 UTC
Hi all,

(The following question came up in [!309], but I thought it might be worth bringing to the list.)

In OpenPGP.js and GopenPGP, cleartext signed messages with header names other than "Hash" are rejected. The reason is to prevent messages like:

    -----BEGIN PGP SIGNED MESSAGE-----
    Reminder: I need you to wire $100k to 12345566 as soon as possible. Thank you!
    -----BEGIN PGP SIGNATURE-----
    [...]

from being able to trick a user into thinking the entire message was signed. These checks were introduced after security audits by [Cure53] and [SEC Consult] pointed out the issue in OpenPGP.js and Go's x/crypto respectively, with the latter even getting a [CVE] assigned to it.

V6 cleartext signed messages introduce a "SaltedHash" header, since v6 signatures include a salt at the start of the hashing context; so it's necessary to know the salt in advance if you want to verify the message in one pass (without buffering the cleartext).

But, this means that cleartext signed messages that are signed using both a v4 and a v6 signature won't be backwards compatible, at least for OpenPGP.js and GopenPGP.

I don't think this is a huge showstopper because clearsigned messages are anyway not the preferred way of signing messages, and we can update OpenPGP.js and GopenPGP relatively easily to also allow the "SaltedHash" header.

That being said, I'm also not sure streaming verification of clearsigned messages (without buffering) is super important, since they're likely to be small? So maybe it would be better to drop the header, or drop it for mixed messages (with both v4 and v6 signatures)?

In any case, I don't have a super strong opinion about this, but I'm curious to hear what the WG thinks. I can make a MR if there seems to be consensus on this one way or another. And, apologies for bringing this up so late!

Best,
Daniel

[!309]: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/309#note_1396560093
[Cure53]: https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit
[SEC Consult]: https://seclists.org/fulldisclosure/2019/May/16
[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2019-11841
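
Added example (not part of the original message, and not code from OpenPGP.js or GopenPGP): a header allowlist check of the kind the message describes, showing that a "Hash"-only verifier rejects both the spoofed message and a mixed v4+v6 message, and accepts the latter once "SaltedHash" is allowed. The function name, the sample messages and the SaltedHash placeholder value are assumptions made for illustration.

```javascript
// Added example: allowlist check on the armor headers of a cleartext signed
// message. Function and sample names are hypothetical, not a library API.
const BEGIN = '-----BEGIN PGP SIGNED MESSAGE-----';

// Returns { ok, rejected }. `rejected` holds the name of every header that is
// not in `allowed`, or the raw line when it is not "Name: value" at all.
function checkClearsignHeaders(message, allowed = ['Hash']) {
  const lines = message.split(/\r?\n/);
  if (lines[0] !== BEGIN) return { ok: false, rejected: ['<no BEGIN line>'] };
  const rejected = [];
  let sawSeparator = false;
  for (const line of lines.slice(1)) {
    // Only a truly empty line ends the headers; the cleartext starts after it.
    if (line === '') { sawSeparator = true; break; }
    const colon = line.indexOf(':');
    if (colon <= 0) { rejected.push(line); continue; }
    const name = line.slice(0, colon); // no trimming: " Hash" is not "Hash"
    if (!allowed.includes(name)) rejected.push(name);
  }
  return { ok: sawSeparator && rejected.length === 0, rejected };
}

// Constructed samples. SPOOFED is the message from the post with an empty line
// assumed after the header; signature bodies are elided as "[...]".
const SPOOFED = [BEGIN,
  'Reminder: I need you to wire $100k to 12345566 as soon as possible. Thank you!',
  '', '-----BEGIN PGP SIGNATURE-----', '[...]'].join('\n');
const V4_ONLY = [BEGIN, 'Hash: SHA512', '', 'signed text',
  '-----BEGIN PGP SIGNATURE-----', '[...]'].join('\n');
// Assumed shape of a mixed v4+v6 message; the SaltedHash value is a placeholder.
const MIXED = [BEGIN, 'Hash: SHA512', 'SaltedHash: PLACEHOLDER', '', 'signed text',
  '-----BEGIN PGP SIGNATURE-----', '[...]'].join('\n');

console.log(checkClearsignHeaders(SPOOFED));
console.log(checkClearsignHeaders(V4_ONLY));
console.log(checkClearsignHeaders(MIXED));
console.log(checkClearsignHeaders(MIXED, ['Hash', 'SaltedHash']));
```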