Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
Daniel Huigens <d.huigens@protonmail.com> Wed, 24 May 2023 12:49 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197F7C14CE25 for <openpgp@ietfa.amsl.com>; Wed, 24 May 2023 05:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FFLLhDkG7_YR for <openpgp@ietfa.amsl.com>; Wed, 24 May 2023 05:48:59 -0700 (PDT)
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 060C4C151061 for <openpgp@ietf.org>; Wed, 24 May 2023 05:48:58 -0700 (PDT)
Date: Wed, 24 May 2023 12:48:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1684932536; x=1685191736; bh=we47yQBn2fXHvq8SbnLaZxoR5MgmF6jh2Ksy76Yf33o=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=Z2+Vqyhfuj1XX/SAw13Ko9yyWxaiDhySv7z0uUmmH2BR8qE61tZQ9OfpIjsUMITOx ICjlDMgKADMGH+HDsqYlx5cQpQFjIqFfCBSZoqCX2AmKFtnKvBX9MdylWLjjDkMMyo 32egmZXFsaQw0JpBMmqAtfVxHgaNC2k++x8gte1FqRHwl8pelgCKAEEBwuIxhqF4Aw gRSEnsZ3IoeI4pu2NstAtWUYgdchqXTWDHgQXKSMgE+ZXMuVnHXqUb0R6qkbPHuBrh JQzfO8M0i66n71wqvA7qT4HUkob6LPwaxNe8iGbbOxgwS7q5ohEJOpRiGn/aVNVkLC pejo1fZbuOpXw==
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
Message-ID: <10lxryxj8elajYkO0HXPSAt2VwI7PaOvQZV0Ao7gDE_27DkGWaOkiU7wK1WqqIvUmVyFG39RRYBmRXKxv7Nc4TJ3kidiIedvn0m-xtuwg54=@protonmail.com>
In-Reply-To: <87h6s2hezc.fsf@fifthhorseman.net>
References: <LaSdaOASqnixctT3XuZHNIeldK2IPqJvHbqo_qkFjdrMBOQ4SKhiWl_76xq2P6l2Wts9rJ6MTTRLfpj9sqyG4_F4etjNcgEt6pmmtuyfsBY=@protonmail.com> <87h6s2hezc.fsf@fifthhorseman.net>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/5eyf3SP0yzIaXJvqsdtSfRafl84>
Subject: Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 12:49:03 -0000
Hi dkg,
I agree with most of your points. Some additional data on our
implementations:
> # Replace "SaltedHash" with "Hash"
>
> We could stay within the invariant established by RFC4880 by replacing
> the Armor Header Name "SaltedHash" with "Hash" -- but by expanding the
> definition of what the contents of the field can be. This might itself
> cause some confusion in deployed legacy clients, but given that they may
> well encounter data signed with arbitrary, previously unknown hash
> names, they should be capable of ignoring unknown hash names, just
> like they should be capable of ignoring unknown signature versions,
> unknown public key algorithms, etc.
This is not the case at least for OpenPGP.js. This is because there was
a worry about messages like:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512, -- Hey Alice, I need you to wire $100k to 12345566.
Thank you!
-----BEGIN PGP SIGNATURE-----
[...]
Additionally, the current crypto refresh draft says that:
If neither a "Hash" nor a "SaltedHash" Armor Header is given, or the
message digest algorithms (and salts) used in the signatures do not
match the information in the headers, the signature MUST be
considered invalid.
The way we implement this is by parsing the hash algorithms in the Hash
header, and match them against the signature packets later. If the hash
algorithms in the header are unknown, the message fails to parse.
---
> I do think it's worth noting that there are *other* brittlenesses that
> might have an effect on this multisigned, cross-version use case too.
> For example, some implementations refuse to validate all signatures in a
> multi-signed message when they encounter *any* signature with an unknown
> version number, unknown public key algorithm, or unknown hash algorithm.
> (...)
> If fixing this one bit of brittleness in the CSF Armor Header doesn't
> actually help a significant number of deployed legacy implementations
> correctly validate the v4 sig in such a multi-signed message, i would
> personally probably be more willing to leave the spec as-is.
I've tried verifying your test message without the SaltedHash header,
and GopenPGP accepts it, but OpenPGP.js >=5.3 unfortunately doesn't.
This is because of a change we made to improve handling unparseable
packets that actually caused a regression here. We'll fix that, but it
does indeed make removing the SaltedHash header somewhat less useful.
(OpenPGP.js <5.3 does accept the message without the SaltedHash header.)
---
All in all, I don't have a strong preference, and I'm OK with all the
options. I might have a slight preference for removing the SaltedHash
header, also because it (technically speaking) constitutes a backwards-
incompatible chance with regards to the spec (as you said), not just
implementations; but perhaps it's not worth the churn to remove it now,
so I'm also fine with keeping the draft as-is.
Best,
Daniel
- [openpgp] Backwards compatibility vs streaming ve… Daniel Huigens
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Huigens
- Re: [openpgp] Backwards compatibility vs streamin… Justus Winter
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Vincent Breitmoser
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Paul Wouters
- Re: [openpgp] Backwards compatibility vs streamin… iang
- Re: [openpgp] Backwards compatibility vs streamin… vedaal
- Re: [openpgp] Backwards compatibility vs streamin… Justus Winter
- Re: [openpgp] Backwards compatibility vs streamin… Vincent Breitmoser
- Re: [openpgp] Backwards compatibility vs streamin… Paul Wouters
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Huigens
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor