Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 01 March 2023 11:35 UTC

Message-ID: <7393308e-9c92-c104-e5e2-7ca939cb484c@cs.tcd.ie>
Date: Wed, 01 Mar 2023 11:34:44 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
Content-Language: en-US
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <87wn41ru96.fsf@fifthhorseman.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------OzoG1QOdW8CDbdY0NhegneaG"
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|AM7PR02MB5970:EE_
X-MS-Office365-Filtering-Correlation-Id: 27ead058-537d-4706-4d16-08db1a48f58f
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: FxTNnSHRQxa7g5jIbkoje4gxHY4yExqsIWrJlf4KNWnQCq7DH5r2nf50fn4G8+UyeGgigBZXLPXgEMehTB2kGby4XITNSjaFSsknHWDFdW8myIXW6A2+TTYa8lXGUDne/dYkdn2W7oLd7Y1HNu0pAYzQvSYBa8Qnz81cl35MWzthwvhtm6LpkOfAdS0F4AkLAF7FK5Y4DKjQDAcRh/E6bWZ3cNPWfwisi7H1XgOEJSXIb4Khd7b3GHR34DRxCqYLkuyr7EsvrI9hpYjGT0wRKwsBQOMuFsMMwBgWE6HGgFzQ3zBQ7ghPkf5dNtK27ZwPHEEWPj5REHnAV55ZQ6DUK/j0EFKAyb7uT9MzO9hxyunc/KsCCZYC8vMhfoXykBz9DH4O5fbuhJzzIwfpjQ5zCRJHURLbSIEvtVOPl+EgoQWy34XdT9/pm+Eu0zc7fhtNRlb5Ozt0hA8Br1UzWQjbqGd4N9cc4W0OEVdP8AOjZfkTP5rUAqG3yOroMfPBtRF8JWXCse1rij3SkX1kelMyb2TpsNBAt0WjmNlw1+ZOVY6I0x3O3f26jKXFKUFnb9EWjEwmlRa2qenHSGiZv+4pFLIdvmLW3T0WFHrlrAHUxZfQCvgSAQFOXKgMQE3FTkh8Nog8lafHajj310zbyIB8h0c2LXY9Q69L5G+pbVuNn5+6UNwKn5A2CxqV5cec2oPCiVLZ6LSsfTzd+sbQYA/VRI5SOqUM2eq1gPLr6Gi3K1A=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(366004)(136003)(39860400002)(376002)(396003)(346002)(451199018)(41320700001)(31686004)(36756003)(478600001)(83380400001)(316002)(786003)(38100700002)(8676002)(66476007)(53546011)(33964004)(2616005)(6506007)(26005)(6512007)(186003)(21480400003)(6486002)(235185007)(5660300002)(31696002)(66946007)(66556008)(44832011)(41300700001)(8936002)(86362001)(2906002)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: MNkSqwPisfSRHDN3R6pWEINh8xpo4bqVlSC+CRoxqg1tBqg2OjVIsu3viL5rrxvRB+npZ4eaSWmlJqe+wHAj5uPYozl2RbYHUNsmY0MV6poCQxgyNdoDW5MjsuA3ZHLO3We2KKCkbhi4n5DylOO6iMYw3fE3ql2fldCmmCo7RhQ4r3Sg5p6035gAaCnum7hP4VItRoOI444CvwLt6BQ/uzVjvs0XzzMM56nGz7o2wWiy40th1bFyBTJR6PcgcwJpqWa/tF23f9yoWCmgYczxaIbVtu77u61zmqs/HD4B2MlXtwcZXaSIBkyRxjR+iI44cDuIOpsdmYHbF+C7LeTPA4DgZ51jhCCe2Z73LtyjejC7EfIAvEdxBanqwWtbL5K05T383mOdqitvrdJynCE37cUfFUslYkpnram4omNPBYg6uBkY3fNjEMiN0WjBegKRpWxRaaobHIGi3utpPObsOkUS/x5K3x/6F7BWvl6om68crEKDSMfFNs5Kx+E+ibe2Z7gzK575vMZLfsudfwkSc0AUDdUsMIuk5vhYqOlNJxmaaFvablBafEG/8nxphFtFyplvOBWXD8ZFz1go2I/iFSTybxX/AIpHvhK1rQN0O+WxclPhAOkqjkvHhMxIwnQP/5X731Cr8EFnsFGmyN/V0gkNVoZPQSdAnennsbDYFXhZc2/t6Q7D9a6Obccp0FtBk1f2o5E1rdloG9Kdr0jpBPuP0WfMC9MJdtwgX4xqdM31NItZpIWqol0tmwa84rsuOkhtfMHfWB5t+7oV0xOGvANem5cs+9Q6xPEQ0MTE4ra6rUjK3pwB6Qp1EX07TJ1QuSLNjaC8+E+Cdqa3Tklp8HoQjxmFwGFzj5hjz4v1vinxKT901syqBYw1WcTqhyMWBrFNJfKkQxRegkd73JVW89UYp20edLjF7MtbYn43AX4brBRP/Q7BeQnqLZ3z9W+SJwobAfN80rdisPTmmdRfSmMtRdz1X4V3cxKqQ6qKWQ494Imk+6NaDaOUTzl6K9YDVHqg3hPVC5W6/A4KhEihuhFtrMz6LoQcl1U5GOhV6Um47SA0i9PNYCSZN0n2uDTHJaYwfBDS/QtYjFJTQyGrAsRfTGGHy+UBRgM0WummfV2zpmj4AY/1vhiKkeA33EYeXUbUeoH9r4PpoZTa3Z6op+5SvRLjZsvmXguXwue1Odzf7NsfMRuucQ3EZWS4HLCb7tJ7ISI8haOiCedwbHXypq8k8c7WjP/pEePpLQvR7LOZIjiU9WvWQvCVQQjv8L4OAOKjxACOkOTLv8vYcVxc7yN6SH3MR2v+wmlPqExm9AZ4ld9gtCp1HkcBD9MpLS2/oMT0lALSqQy4hqUv9uZsNRCgKiSoDR4ahlBGIu/93085/vq4lgfMejnEmgKP9f9arbEZmLzGE2slvSy1tl6WcpFatIqjbaR+gHSwj3AdsGlSdn+4UNhMDwbo/doNwHZGbVTBrqPM5WooZ89QE2ymg8h0U9+9B75aOOsgP9NDo0zGCQWFO0Dw4DWnOKZqN3Aq0oTnsJf4+YhsMNxn0Hvk9EBo1rPsLUnK3rm7qQkiyqXyZ/4JssOHVDSSzqov5D7B
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 27ead058-537d-4706-4d16-08db1a48f58f
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Mar 2023 11:34:46.5646 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 6UxHSsg4nb2VIjvDE25MyRAqQHujqVMjZTcOhU66vkBCM1aVWsGpQwHotNFRos4/
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR02MB5970
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Kf3r43hWkng9uAUB29_UgNTVdDo>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 11:35:01 -0000

Hiya,

On 01/03/2023 04:05, Daniel Kahn Gillmor wrote:
> say anything new about v3/v4 here

I've no particular axe to grind on this one, but if
there were a good reference that discusses the issue
(e.g. some paper describing what's deployed and the
associated risks), then simply referring to that may
save us having to craft text where finding rough
consensus is tricky.

Is there such a reference? (It might not need to be
an academic paper, any stable thing is probably a
good enough informational reference for a thing like
this.)

Ta,
S.

Attachment: OpenPGP_0xE4D8E9F997A833DD.asc
Attachment: OpenPGP_signature

[openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Paul Wouters
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
Re: [openpgp] Should signatures be rejected if th… Justus Winter
Re: [openpgp] Should signatures be rejected if th… Paul Schaub
Re: [openpgp] Should signatures be rejected if th… Paul Wouters
Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Attachment: OpenPGP_0xE4D8E9F997A833DD.asc

Attachment: OpenPGP_signature