IETF Logo Mail Archive

Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 26 March 2021 21:22 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA9F3A1070 for <openpgp@ietfa.amsl.com>; Fri, 26 Mar 2021 14:22:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=pi36c43T; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=LjKzySr7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qo5NOLKroiAN for <openpgp@ietfa.amsl.com>; Fri, 26 Mar 2021 14:22:11 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B603A106E for <openpgp@ietf.org>; Fri, 26 Mar 2021 14:22:11 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1616793726; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=kB+g6yuqoKiLxdcGPc5k4Q1OhI5C+5rQp8crkk3f528=; b=pi36c43TKb/cL8JzRHPTafG4lYg9dHt2Ula7HcKmDJiBDMAvwEbGNlMdf42XzvuYaj3Fb wUbSt9sr3Ww1FhvAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1616793726; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=kB+g6yuqoKiLxdcGPc5k4Q1OhI5C+5rQp8crkk3f528=; b=LjKzySr788bhEm4KqzJSG0Rfq3ogFXMY7qSB5dTowWEj2UiApdjBpNItVEgq82/AbqEnz iwmdGoAsRGGbpFhD6PvxnYJWcK+BXcghmFo5t/lik5qfIW+KkejW/IZ/y6Hax0AaKYNDUDX n75xYIV5rCns/SSQauMf5SpiUa5utq6JoIt7wlW2mUa4o+2tqsc1ufCwwCKPrXb2mDCZlGY AQv34IVHsLbtFyCmIHpq6c5kGepggrLgFrxh9rf32q9pgSoOXuC8hHyV900ooqy9biXTDSL HYmqu3E62IBRZBKdyLyUv1Y8Gq+gAvrX66H4VeXPfuq64DsBJchuvOp8K96A==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 6EB5AF9A6; Fri, 26 Mar 2021 17:22:06 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 78D69203A9; Fri, 26 Mar 2021 13:43:28 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: NIIBE Yutaka <gniibe@fsij.org>
Cc: openpgp@ietf.org
In-Reply-To: <87im5ebfgf.fsf@iwagami.gniibe.org>
References: <87eeg42gti.fsf@fifthhorseman.net> <87im5ebfgf.fsf@iwagami.gniibe.org>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 26 Mar 2021 13:43:27 -0400
Message-ID: <877dlt6cao.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/CHt3so2oQ00kO4BN4bABhd3y2pA>
Subject: Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 21:22:17 -0000

Thanks for responding, gniibe--

On Fri 2021-03-26 15:24:00 +0900, NIIBE Yutaka wrote:
> In the implementation of SOS in GnuPG 2.3-beta, it is mixture of two;
> One case is with bit-count and another case is with 8*octet-count.
> Former is used when there is no problem of leading-zero removal.  Latter
> is used to ensure no removal of leading zeros.

I think you're saying that GnuPG 2.3-beta will select between these two
choices based on the algorithm in use -- whether that's a first-order
algorithm as selected from the public-key algorithms registry, or a
distinct curve OID within a EdDSA/ECDSA/ECDH pubkey selection.

Is that right?  which choices are made in what cases?

> My (not-so-strong) proposal is to introduce SOS data type, and apply it
> for ECC (pubkey or ephemeral key, signature, and secret), so that we can
> explicitly require no removal of leading zeros to allow fixed-size data.

If we have fixed-sized data for all three of these elements for a
particular algorithm (which i expect to be the case with new elliptic
curves) then why do we need a prefix length indicator at all?

> Implementations will have to handle new representation with leading
> zeros (when interpreted as an MPI).

Are you saying that there are certificates, private keys, or signatures
in the wild that provide MPIs for existing, specified algorithms, which
have leading zero bytes, or have the MPI length specified in such a way
that it counts leading zero bits?  If so, which implementations are
producing them?

> Actually, many already do when reading data.

How do they cope with multiple representations and fingerprints of the
same key material?  I've opened
https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/45
to try to gather data on how different implementations would cope with
encountering something like this in the wild (but i haven't written any
test yet, i'm hoping other folks will step up and write those tests, but
if you have code that is producing these things already, please point ot
it)

>     Minimum impact to the specification and implementations.
>
>     Compatibility, possibly encouraging better interoperability for
>     existing corner-cases (of Ed25519 and ECDH with Curve25519).

My worry is that we actually get *worse* interoperability with existing
corner cases, if we have two distinct ways to represent exactly the same
public key, and two distinct fingerprints for the same public key
material + date.

>     Flexibility, for new curves, no extra definition will be needed.

But if the octet strings for each new curve are going to use a "native"
format for that curve, then we need a definition per curve anyway.  Why
isn't it easier to just include the size in the curve-specific
definition, and not put it directly on the wire at all?

> But, I know that describing existing data of Ed25519 as weird MPI
> representation acculately ... would be difficult in a specification.

I think our current draft actually *underspecifies* a lot of what is
currently expected of an implementation.  I'm hoping we can improve
that, even if it's difficult.

> So, I don't insist much for applying SOS idea in the specification.  For
> some implementers, it would work as a technical guidance for
> interoperability to interpret existing OpenPGP data with Ed25519.

i'd love to see some concrete guidance for implementers, and some of
that could be in the spec (even if just in an "implementation guidance"
section).  But I'm worried about the impact of recommending handling of
these variant forms.

> Well, nevertheless, I believe that it's good to introduce a new distinct
> data type (if not SOS) for opaque octet string, if possible.  It will be
> useful to be friendly to not-yet-standardized things.

If we have not-yet-standardized things that ultimately do need a new
abstraction, I agree we should consider a common abstraction.  But if
this abstraction isn't going to work directly for any existing piece,
and if the main new things that we contemplate don't need any
abstraction at all (they can just be well-documented fixed-length
fields), then i'm not convinced that this particular abstraction is
useful.  Why do we need such an abstraction?

        --dkg

v2.23.0 | Report a Bug | By Email