Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Andrew Gallagher <andrewg@andrewg.com> Mon, 27 February 2023 12:13 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D19CC1524B4 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 04:13:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Vx0jSoeUz18 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 04:13:09 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DF2AC1524A3 for <openpgp@ietf.org>; Mon, 27 Feb 2023 04:13:08 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id C45485F4C4 for <openpgp@ietf.org>; Mon, 27 Feb 2023 12:13:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677499983; bh=hIYVYYVABLxUXcdT6Fyt40mxVh3W/wTTJnY0eM6wXks=; h=Date:To:References:From:Subject:In-Reply-To:From; b=ceGmL1rfDhPlnXZhfWdKgnw3wK+GR2YaGsH1DhcWnz2i42vW67yFZX4AuWc0G3MqG mF/0yE/KE4k/aeVOTj8UQSQzi1WzAhMItGaZ4v2aXoEnrPoqiXsfPl240fMzK0UQ8G ghPq+ulQDaoH0gVgAb5kdhNnwfS2pZCzW6FAAuxqmK6Dan89+O1gm3ieQHcTR8HaiZ sYNWoYKr/s/iyPlTxCF5xNp1NtttRlI0ZOuZVMnMD8NVmOzUwwhNHcvK3Uu8jcw1hs cajZsjmrqJbXzFR510EDcXik4Z0DBdQ+KZIl1Vg+TqI6ilqVXZ0JqJOjYpa3clfxm/ i89lFJTpHWYIg==
Message-ID: <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com>
Date: Mon, 27 Feb 2023 12:13:02 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87lekkts65.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LCS-4joHPyz14wWRRObKtUI1AmQ>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 12:13:14 -0000
On 26/02/2023 14:30, Daniel Kahn Gillmor wrote: > Hi OpenPGP folks-- > > one more question about an outstanding merge request, which i missed in > my earlier review: > > https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/213 proposes > adding a single sentence to the "Notes on Signatures" subsection about > the two octets of hash prefix that are embedded in an OpenPGP signature: > > An implementation MUST reject signatures where these octets don't > match the first two octets of the computed hash. ... > Alternatively, we could be even more conservative and apply this > requirement *only* to v6 signatures, leaving untouched the ambiguity in > verification for v3 and v4 signatures. IMO the check should be mandatory for v6 signatures. If we are keeping the prefix octets in v6, they MUST be meaningful. But I am not happy with retaining the current ambiguity for v3/4 sigs. v4 sigs in particular will be around for a long time to come, so we have an obligation to address the well-known interop problems. Given that there are a significant number of non-conformant historical sigs in the wild, it is wrong to mandate a stricter interpretation in retrospect. Signatures that were previously considered valid (even if only by some implementations) should only be retrospectively invalidated in the event of a security vulnerability, and there is no suggestion that this ambiguity could be exploited to make an invalid signature appear valid. This is an interop issue, not a security one, so IMO the least problematic solution is to be lenient in what we accept. I therefore propose that we modify !213 to insert "v6" before "signatures" and also append the following text: ``` An implementation SHOULD NOT reject v3 or v4 signatures where these octets don't match the computed hash but the signature is otherwise valid. An implementation MAY use the high octets from v3 and v4 signatures for performance optimisation. ``` I can open an alternative MR if required. A
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher