Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Justus Winter <justus@sequoia-pgp.org> Thu, 02 March 2023 10:58 UTC
Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E40C15154D for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 02:58:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.692
X-Spam-Level:
X-Spam-Status: No, score=-1.692 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0d32w95HuIH for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 02:58:23 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A27C151541 for <openpgp@ietf.org>; Thu, 2 Mar 2023 02:58:22 -0800 (PST)
Received: (qmail 31024 invoked by uid 500); 2 Mar 2023 10:58:20 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com> <87a60vbi7n.fsf@europ.lan> <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com>
Date: Thu, 02 Mar 2023 11:58:19 +0100
Message-ID: <877cvzbet0.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: /
X-Rspamd-Report: R_MISSING_CHARSET(0.5) MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.299977)
X-Rspamd-Score: -0.999977
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Thu, 02 Mar 2023 11:58:20 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=k5aQreUKxykpEnbWKve6cFS6fv2jHDInqWI05Za60Cc=; b=EnwRpcO25Oii7oLbsFkdkDhU05ujeioB7xB+WbMani/7MdYJJwgJwGqeNxhYhxRlUnUC2xfNMQ TEboIxeBgXHGJoa/IfaN54O4/A/9VtB/nSVM8JXHHJ3xQGG929fkt9ijzLGFai6w0VJfaSigiQre n5bRQNUCJjGPNfD/R9PBepcK1BsWcJK+xA9r4MMO/9Dp59n4eeRMuV2sixzM9RpAjP3+W3Pne9GT t/lbnL3OqNnILc5HOapEUB3T1g7tffB3X1ADA2j4eyLcidXp+84ghPdGPW7JS3lQmZPBMj/fh/wt MBaOSn/Ha3TPA4tSsA9jvK5aZ3+YWfIMQS36LEre8SKdw3Pf/WROoNw4fBQ7IDCekND8afnnoUjs Kl4kGyweMGcW6j+A+PCwtNTSThk/fmQYzPL/hTcAxxy+aL9s5fMr/r2n5PTCfJwPJnq54qf+VEWo VpAJmfp7r9GDVurYkQRKYoLPyJB1F2w9fKcJZsCTKAl4m5BQNGfBxbtUQX86sxVG3flu5kYOQZi5 HhhHLM2PQVELRhFLRguOf0afU+2VUex1AM7LnvK7LV6GMMvLX//gI5RiG+cEkzH3aOKsjGtTh29z 3SHqWD79UpRvYFk4pFyyooCP4BHIWKl4gAZslvWlYvd0tdBW9hi2Ev7Ebt1hsRUQHdWPRYi3MSHK 4=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/CfH0Iby8m5aKAX7YFoZq4gobs0c>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 10:58:27 -0000
Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes: > On 02/03/2023 09:44, Justus Winter wrote: >> I don't think either warrants a clarification for v4 (let alone v3) >> signatures. > > I was erring on the side of caution. However, in the interests of moving > this along, I withdraw the last sentence of my proposed text. > > It now reads: > > ``` > RFC4880 did not specify that implementations must reject v3 or v4 > signatures with incorrect prefix octets, and this allowed a significant > number of apparently valid but malformed signatures to accumulate in the > wild. > An implementation MAY accept v3 or v4 signatures where these octets > don't match the computed hash but the signature is otherwise valid. > ``` RFC4880 failed to specify a lot of things. I fear that if we enumerate all of them, and retroactively sanction lenient behavior, that a) we're going to be here until the end of time, and b) weaken the already weak requirements that RFC4880 failed to nail down. I understand that this is precisely your point: if the spec would sanction lenient behavior in this case, then that may convince Proton to support lenient behavior in GopenPGP, and that would enable Hockeypuck to serve these signatures. I assume that with "a significant number of apparently valid but malformed signatures" you don't mean artifacts produced by openpgp.php, which I don't believe to be in widespread use. Instead, I think you refer to the malformed signatures produced by Github. If so, are you going to propose a similar paragraph for the malformed MPIs? Both cases are contingent on reading RFC4880 as allowing lenient behavior, which to this day I fundamentally disagree with. I prefer not to add this paragraph. Best, Justus
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher