IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 01 March 2023 04:06 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EE32C1527A0 for <openpgp@ietfa.amsl.com>; Tue, 28 Feb 2023 20:06:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.303
X-Spam-Level:
X-Spam-Status: No, score=-1.303 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="pR6uT4Rp"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="ZCHUxlwz"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPMGxBzG5pFS for <openpgp@ietfa.amsl.com>; Tue, 28 Feb 2023 20:06:25 -0800 (PST)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB68AC14CE51 for <openpgp@ietf.org>; Tue, 28 Feb 2023 20:06:25 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1677643584; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=MfKmK94iWnE2V3V580J6S/NLjaTMOnIqiHPAEvjRnEg=; b=pR6uT4RpnNBsNKl3WMaeNm6FRRSqdWvDolKKu2LGcBaLJ3Rl+tLsd1uSUbGgBMg67pDTc QP4IvEKxxVpbGrJCA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1677643584; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=MfKmK94iWnE2V3V580J6S/NLjaTMOnIqiHPAEvjRnEg=; b=ZCHUxlwzs3wC2MhEDPA1XLzRvFsIidC4pXz6ks6FPo8lVixCc9piYMk++iJmELG60e7Am VmpI8mKRWWbMJquvQsr6AvHWU1RZPKHBsNiPn31/W0vW4Mg0BebhtuDB7tvBtiTa4cuc2VH Jh2p5hz6fAQS1wC88e/PTgIGqpLGGtIILg0bWav9z4/cYxTDeOxk4eTMHFLh47CIpfxM5AS 7pTPR3tXQEMTHDWKd6GfZE8/NovBiiG61/yrDWv+6WsaRl3I8IxAEO/6mydJ2PeELs6V5du oWCcA2/YD6IhsvQP5pwXwv2CcbvrPyoj96byZ22hye4TgnHFCNQTABnLyl4Q==
Received: from fifthhorseman.net (unknown [IPv6:2600:380:8d41:cfe0:e45f:7019:e1fd:a67e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 52FF5F9AD for <openpgp@ietf.org>; Tue, 28 Feb 2023 23:06:24 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id F22A420564; Tue, 28 Feb 2023 23:05:43 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 28 Feb 2023 23:05:41 -0500
Message-ID: <87wn41ru96.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/MU8abbKX95ggfUsew6Sx79E0_N4>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 04:06:30 -0000

Thanks for proposing text, Andrew.  I'm trying to figure out what it
does, though, and why, and i'm struggling a bit.

On Tue 2023-02-28 15:17:01 +0000, Andrew Gallagher proposed:

> An implementation MAY accept v3 or v4 signatures where these octets 
> don't match the computed hash but the signature is otherwise valid.

this sentence seems likely to prompt questions: why is it OK for v3/v4,
but not ok for v6?  I mean, those of us following this thread
(hopefully) understand the historical context here, but if the goal is
to have the draft explain itself, this sentence on its own, without
justification, seems likely to increase the overall confusion in the
draft.

If the goal is "leave the status quo in place for v3 and v4 signatures"
then perhaps saying nothing about them is the shortest path to retaining
the status quo (since nothing was said before either, leaving us in this
current mess, it really is the status quo).

If we're going to add the above sentence, i'd want some kind of clearer
explanation of why the carveout is in place.

It doesn't sound to me like you would be advocating for this carveout if
there were not a fairly prolific implementation producing malformed
signatures.  Is that right?  So any explanatory text justifying such a
carveout probably needs to make a nod to the relevant historical
circumstances:

 - we failed in RFC 4880 to mandate explicit rejection of signatures
   with an incorrect hash digest prefix.

 - more than one popular implementation was lenient and accepted them
   despite the malformed structure.  But some implementations do reject
   these signatures, leaving an interoperability problem:
   implementations do not agree with each other about certain signatures.

 - a large set of malformed v4 signatures exist in the wild that we
   cannot change without incurring other, non-OpenPGP breakage.

 - To avoid this interoperability problem for future OpenPGP signatures,
   we have a MUST reject for malformed V6 signatures.  The authors
   recommend that any future signature version should also have a strict
   "MUST reject" for any malformed signature, to avoid signature
   validity skew between implementations.

I'm not saying we need all this text in the draft (if we do want
something like it, it probably deserves its own subsection in Security
Considerations).  I'm just saying that if we add an explicit "MAY
accept" for malformed v3/v4 signatures, we should reference a coherent
summary of why there's a difference.

Or we could just not say anything new about v3/v4 here, because this is
a doc largely aiming to define v6 in a way that doesn't cause the same
problems.

> It MUST NOT modify such malformed signatures. 

Where does this constraint come from?  Why is it here?  Wouldn't an
implementation that understands why a signature is malformed *want* to
modify the malformed signature to fix it?

certainly, "fixing" (by modification) an OpenPGP signature embedded in a
git commit would be a disaster for git, because it breaks the id of the
commit.  But the prohibition on modification comes from the fact that
it's a blob in git, not from the fact that it's a malformed OpenPGP
signature.

Plus, i can imagine some useful tools that this would forbid.  For
example, an implementation could correct the certification signatures
within a certificate generated by a non-conformant implementation to get
a certificate that all implementations will accept.  But this sentence
seems to forbid doing so.  Why would we do that?

        --dkg

v2.23.0 | Report a Bug | By Email