IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Justus Winter <justus@sequoia-pgp.org> Thu, 02 March 2023 10:58 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E40C15154D for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 02:58:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.692
X-Spam-Level:
X-Spam-Status: No, score=-1.692 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0d32w95HuIH for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 02:58:23 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A27C151541 for <openpgp@ietf.org>; Thu, 2 Mar 2023 02:58:22 -0800 (PST)
Received: (qmail 31024 invoked by uid 500); 2 Mar 2023 10:58:20 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com> <87a60vbi7n.fsf@europ.lan> <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com>
Date: Thu, 02 Mar 2023 11:58:19 +0100
Message-ID: <877cvzbet0.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: /
X-Rspamd-Report: R_MISSING_CHARSET(0.5) MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.299977)
X-Rspamd-Score: -0.999977
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Thu, 02 Mar 2023 11:58:20 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=k5aQreUKxykpEnbWKve6cFS6fv2jHDInqWI05Za60Cc=; b=EnwRpcO25Oii7oLbsFkdkDhU05ujeioB7xB+WbMani/7MdYJJwgJwGqeNxhYhxRlUnUC2xfNMQ TEboIxeBgXHGJoa/IfaN54O4/A/9VtB/nSVM8JXHHJ3xQGG929fkt9ijzLGFai6w0VJfaSigiQre n5bRQNUCJjGPNfD/R9PBepcK1BsWcJK+xA9r4MMO/9Dp59n4eeRMuV2sixzM9RpAjP3+W3Pne9GT t/lbnL3OqNnILc5HOapEUB3T1g7tffB3X1ADA2j4eyLcidXp+84ghPdGPW7JS3lQmZPBMj/fh/wt MBaOSn/Ha3TPA4tSsA9jvK5aZ3+YWfIMQS36LEre8SKdw3Pf/WROoNw4fBQ7IDCekND8afnnoUjs Kl4kGyweMGcW6j+A+PCwtNTSThk/fmQYzPL/hTcAxxy+aL9s5fMr/r2n5PTCfJwPJnq54qf+VEWo VpAJmfp7r9GDVurYkQRKYoLPyJB1F2w9fKcJZsCTKAl4m5BQNGfBxbtUQX86sxVG3flu5kYOQZi5 HhhHLM2PQVELRhFLRguOf0afU+2VUex1AM7LnvK7LV6GMMvLX//gI5RiG+cEkzH3aOKsjGtTh29z 3SHqWD79UpRvYFk4pFyyooCP4BHIWKl4gAZslvWlYvd0tdBW9hi2Ev7Ebt1hsRUQHdWPRYi3MSHK 4=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/CfH0Iby8m5aKAX7YFoZq4gobs0c>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 10:58:27 -0000

Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:

> On 02/03/2023 09:44, Justus Winter wrote:
>> I don't think either warrants a clarification for v4 (let alone v3)
>> signatures.
>
> I was erring on the side of caution. However, in the interests of moving 
> this along, I withdraw the last sentence of my proposed text.
>
> It now reads:
>
> ```
> RFC4880 did not specify that implementations must reject v3 or v4 
> signatures with incorrect prefix octets, and this allowed a significant 
> number of apparently valid but malformed signatures to accumulate in the 
> wild.
> An implementation MAY accept v3 or v4 signatures where these octets 
> don't match the computed hash but the signature is otherwise valid.
> ```

RFC4880 failed to specify a lot of things.  I fear that if we enumerate
all of them, and retroactively sanction lenient behavior, that a) we're
going to be here until the end of time, and b) weaken the already weak
requirements that RFC4880 failed to nail down.

I understand that this is precisely your point: if the spec would
sanction lenient behavior in this case, then that may convince Proton to
support lenient behavior in GopenPGP, and that would enable Hockeypuck
to serve these signatures.

I assume that with "a significant number of apparently valid but
malformed signatures" you don't mean artifacts produced by openpgp.php,
which I don't believe to be in widespread use.  Instead, I think you
refer to the malformed signatures produced by Github.  If so, are you
going to propose a similar paragraph for the malformed MPIs?

Both cases are contingent on reading RFC4880 as allowing lenient
behavior, which to this day I fundamentally disagree with.

I prefer not to add this paragraph.

Best,
Justus

v2.23.0 | Report a Bug | By Email