Re: [openpgp] Signing of literal data packet [was: Re: Disadvantages of Salted Signatures]

Andrew Gallagher <andrewg@andrewg.com> Sat, 30 December 2023 11:00 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22339C14F68A for <openpgp@ietfa.amsl.com>; Sat, 30 Dec 2023 03:00:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0vpUzlUirWf for <openpgp@ietfa.amsl.com>; Sat, 30 Dec 2023 03:00:47 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEFBEC14F5F0 for <openpgp@ietf.org>; Sat, 30 Dec 2023 03:00:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1703934042; bh=qPcEnTTV03NehrmvpNOccM0qKQkadXozROEKNabQY7s=; h=From:Subject:Date:References:Cc:In-Reply-To:To:From; b=mRC9fePOCHY8bqT1p/ZV8bZvMIJgU61yuph5hD0O2YwXdRCUqGiKswcBEXC9xqEUM rpfgejPCEY+BDTIjEQ9JmA7oOwBrj0y31aS87RRUk1OidHvXQ0PqMr5dV2qah14NDC RIilK+WTbhQMCNzO7WcvUiz1OvafgPWNbiqQsmBTCVcT5SeSuisSHM5lztDRP3v/zr oxNLrGRozoxyc59mUoEx7yba4jZLqhsQEBlpIjRxx4R1UkmexOJ/qTWuEH1mZrM1Fl HBEiv3k5Oe7DHyFGrzQJcbdz2b5ZlEVmHYg0xuj4Ts47G6UMG844BxudU3BMTCv2yX KZl+o8REpbpPA==
Received: from smtpclient.apple (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id E0FE05DC2B; Sat, 30 Dec 2023 11:00:42 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
From: Andrew Gallagher <andrewg@andrewg.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 30 Dec 2023 11:00:31 +0000
Message-Id: <74B3BAF7-5158-4054-93BA-2FEE9D0FBC82@andrewg.com>
References: <871qb46hau.fsf@jacob.g10code.de>
Cc: Heiko Schäfer <heiko.schaefer@posteo.de>, openpgp@ietf.org
In-Reply-To: <871qb46hau.fsf@jacob.g10code.de>
To: Werner Koch <wk@gnupg.org>
X-Mailer: iPhone Mail (21C66)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/KpBMhgX5mfVQABNM8u-Db5l02Dk>
Subject: Re: [openpgp] Signing of literal data packet [was: Re: Disadvantages of Salted Signatures]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Dec 2023 11:00:51 -0000

On 29 Dec 2023, at 17:37, Werner Koch <wk@gnupg.org> wrote:
> 
> Right, and this means that it does not fix the long standing bug that
> the creation date, mode, and filename was not signed.  In LibrePGP
> (i.e. rfc4880bis/crypto-refresh up to summer 2021) this was fixed.

In that case why not define the Literal Data Meta Hash subpacket for v6 sigs? Librepgp already defines it for v4 sigs.

In addition, if we allowed a nonzero (0x1?) value in the first byte of the subpacket to indicate that the rest of the packet contains a copy of the metadata verbatim (unhashed), we regain the ability to detach and reattach sigs, save ourselves a redundant extra hash calculation, and if the filename is short we even save a couple of bytes on the wire (compared to hashed metadata).

A