Re: [openpgp] changing the trailer for hashed data in v5 OpenPGP signatures

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 26 November 2022 02:42 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Date: Fri, 25 Nov 2022 13:49:16 -0500
Message-ID: <87y1ryuaxf.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/7TmEt3MFGKO9ufDKrEMnYWZ4ECk>

On Tue 2022-11-22 18:33:05 +0000, Daniel Huigens wrote:

> Yeah, I think your analysis is correct. And I also prefer just leaving
> the length at 4 octets rather than the workaround of splitting up the
> length into 2 x 4 octets.

I'll try to make an MR proposing this change, but if someone else
decides to beat me to it i wouldn't object.

> I do think that, for robustness and to prevent similar issues in the
> future, it may make sense to hash the signature version at the
> beginning, in addition to the end. That way, in v7(?), we would be free
> to change the trailer without such considerations, if we wanted.
> (We'd have to make sure that you can always tell from the one-pass
> signature packet or armor headers which version it is, though.)
> But, maybe it's a bit late for that change / not worth it, we can also
> leave it.

We have an existing invariant, which is that the version-differentiator
octets are at a fixed offset from the end (assuming we adopt one of
the two fixes under discussion).

The versions described in the crypto-refresh are the first versions that
explicitly binds key versions to signature versions.  v4 keys have
historically made v3 signatures, even though i'm unaware of any good
reason to permit that.  That means that there's a risk of cross-version
signature stream aliasing without careful adjustments, as observed by
Demi Marie Obenour.

I think as long as we can establish in this release that v5 keys MUST
only generate v5 sigs, and v4 keys MUST NOT generate v5 sigs, that
prepares us to relax a little bit less about signature aliasing for
future versions, where we could move fixed-position distinguishing
fields to the front of the hashed sequence.  But i am not sure we want
to try to establish this change now.

(i do think that when we've stabilized these new-version signatures and
keys, we'll want to use the interop test suite to ensure that
implementations don't accept v5 sigs from v4 keys, or v4 sigs from v5
keys, to ensure that those versions are well-isolated)

        --dkg
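
Added example (not part of the original message, and not code from any OpenPGP implementation): a sketch of the two checks discussed above, reading the version differentiator at a fixed offset from the end of the hashed stream and refusing the key/signature version pairings the message says must not be accepted. It assumes the trailer layout of RFC 4880's v4 signatures (version octet, 0xFF, 4-octet big-endian length) carried over to v5 as preferred in this thread; the 8-octet length option is included only for contrast, and all function names and sample bytes are constructed.

```python
import hashlib
import struct

def trailer(version: int, hashed_len: int, length_octets: int = 4) -> bytes:
    """Version octet, 0xFF, then the big-endian length of the hashed signature fields."""
    fmt = {4: ">I", 8: ">Q"}[length_octets]
    return bytes([version, 0xFF]) + struct.pack(fmt, hashed_len % (1 << (8 * length_octets)))

def hashed_stream(document: bytes, sig_fields: bytes, version: int,
                  length_octets: int = 4) -> bytes:
    """Octets fed to the hash: document, hashed signature fields, trailer."""
    return document + sig_fields + trailer(version, len(sig_fields), length_octets)

def version_from_end(stream: bytes):
    """Read the differentiator at its fixed offset: version at -6, 0xFF marker at -5."""
    if len(stream) < 6 or stream[-5] != 0xFF:
        return None
    return stream[-6]

def binding_ok(key_version: int, sig_version: int) -> bool:
    """v5 keys only make v5 signatures; no other key version makes v5 signatures."""
    if key_version == 5:
        return sig_version == 5
    if sig_version == 5:
        return False
    return True  # other pairings are not constrained by the rule in this message

# Constructed sample inputs, not real OpenPGP packet data.
DOC = b"constructed sample document\n"
SIG_FIELDS = b"\x00\x16\x08constructed-hashed-fields"

def digest(version: int) -> str:
    return hashlib.sha256(hashed_stream(DOC, SIG_FIELDS, version)).hexdigest()

if __name__ == "__main__":
    for v in (4, 5):
        print(v, version_from_end(hashed_stream(DOC, SIG_FIELDS, v)), digest(v)[:16])
    # With a longer length field the octets at -6/-5 are length bytes, not the marker.
    print(version_from_end(hashed_stream(DOC, SIG_FIELDS, 5, length_octets=8)))
    print(binding_ok(4, 5), binding_ok(5, 4), binding_ok(5, 5))
```

Identical content hashed under the two versions gives different digests because the differentiator sits at the same position in both streams, which is what lets a verifier tell them apart without trusting anything earlier in the stream.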