IETF Logo Mail Archive

Re: [openpgp] Expected client behaviour ambiguity in signature verification

Daniel Huigens <d.huigens@protonmail.com> Wed, 20 July 2022 11:57 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23D70C15A739 for <openpgp@ietfa.amsl.com>; Wed, 20 Jul 2022 04:57:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2_tZAVNrIbp0 for <openpgp@ietfa.amsl.com>; Wed, 20 Jul 2022 04:57:01 -0700 (PDT)
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7925BC15A731 for <openpgp@ietf.org>; Wed, 20 Jul 2022 04:57:01 -0700 (PDT)
Date: Wed, 20 Jul 2022 11:56:48 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1658318218; x=1658577418; bh=AYtPOlZ7BAei+p48Yy1bdKVGzsTb5rQjNXRq4P4YozQ=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=imIHj3onrHNM3MpThQQpuZEw57YoTAcyriaUenwNp7qzGiRLgj7PBOdYVLlUCp+Hb H0C+zC0NuKYXIM5rReW25k8e2bQWrfKW8jSih7NfnEvWxEzQfSdD7L6nLHqs0pA+GN +zPY/iDXE8o4E9fkrZP4K17T4hkWyhchrFm7Fn/zrjJecJ04fcQ00k3uTW1D+EkR8B KL3a6o7IsQiteganeaF9DU8vrQztGWeY2npQKfRB452BxfeC+qSD0hT3WEmxWGG+JM Dpl4Mg9pfMyVRCbZBV4fTy3ZWhQn2TGyu134jbORE0MsSa1d53DgNYzbM0udk+q1wo luhP0jgIeLAqA==
To: Andrew Gallagher <andrewg@andrewg.com>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <8lUhAvx-fQ2DmGuvWICQlIgw6t9u-Sm2eAebGt3mSp4u5Nbp4OqHcAhJYQyk5vyEnpN_LMuAyr9f2_hpN98qgt6RcaD2LlXbW9WH93JswfA=@protonmail.com>
In-Reply-To: <028B9CE1-85A7-4A3C-844D-59583D8AD6BC@andrewg.com>
References: <d0483dcb-025b-37c2-9a26-e42133b506ac@andrewg.com> <87let3wxtj.fsf@europ.lan> <ejV91k6cLZSWu6XKlMLLyVhrwpYOJWOD6q4Ekp6veU53kVA4kSNM1zZ1EoCJG2QJLlYoq2Rylxd7LWxssmPji5ozUn8iZHiD1f3x8vqJ2wc=@protonmail.com> <637768CF-CD88-4A2C-BC58-EE2945A1F008@andrewg.com> <IdS0-BxA6w80HLI578WI9YpxpzFb0MbynW3DOEhCWSF825_1qT6Dj6KlYX5CYs9-VYOJoNlj-8KZ6dd6ywX3xufc11_k_vScRCI-F1ik9XM=@protonmail.com> <25F2FE86-5B9E-4211-A526-FBCBD18EAA30@andrewg.com> <Xsi4cfl-3WekivJxtTFaLQnzwmNPn6RF3nHdF99G1qZU_e1iLB7ewnR-zRZP9HbdWQvIEQZqTb9CrniOKvufk8mkleyV2PZs8XLDfCQXrFo=@protonmail.com> <359D3E38-0EF5-4B7A-B473-701E0ED2A0CE@andrewg.com> <028B9CE1-85A7-4A3C-844D-59583D8AD6BC@andrewg.com>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_NBEpaY6vnZD4ppRblkJH5Tz6H8DbNcuKqWKlPyJc594"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/NGUnYmHuRo2MA95NDSeGovi4WBE>
Subject: Re: [openpgp] Expected client behaviour ambiguity in signature verification
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2022 11:57:06 -0000

Thanks for the details. Sounds like it's somewhat infeasible to get all those people to fix their keys, then, I guess.

I've created a MR to remove these octets from v5 signatures (option 2 I described previously), here: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/208.

Best,
Daniel

------- Original Message -------
On Sunday, July 17th, 2022 at 22:16, Andrew Gallagher <andrewg@andrewg.com> wrote:

> On 15 Jul 2022, at 16:45, Andrew Gallagher <andrewg@andrewg.com> wrote:
>
>> Signed PGP part
>> On 15 Jul 2022, at 15:25, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote:
>>
>>> Are there many keys out
>>> there that fail this check? I understood that GitHub has one, generated
>>> using OpenPGP.php, would it be possible to ask them to generate a new
>>> key, or modify their existing one? (Someone could do that for them, I
>>> guess :)) Or are there too many keys like this out there?
>>
>> I hotpatched hockeypuck to log this particular error against a primary key identifier and loaded an SKS dump. It has only been running a few minutes but it is already at several hundred unique primary keys affected, and counting at ~ 50 keys per batch of 15000. Scaling that up gives a ballpark of 22,000 keys in the full SKS dataset with bad hashtag self-signatures.
>
> I need to clarify and correct the above, sorry.
>
> The figure of 22k keys is an estimate of the total number of primary keys that throw a bad UID self-signature warning on import to hockeypuck. This includes misplaced signature packets as well as badly-constructed high-16-bit fields. The number of keys with high-16-bit errors only is considerably smaller than this total. Unfortunately due to a glitch in docker, my system dropped a large chunk of the import logs, and I'll have to run the test again to get the real numbers, but based on conversations with other hockeypuck operators in the last couple of days, the total number of unusable keys is unlikely to be more than a few hundred.
>
> Of the few keys with high-16-bit errors that I did detect, most are of the form `<wordpress@domain>`, and the other is for a software project that I know uses Wordpress to host their website - all consistent with the theory that openpgp-php is creating them.
>
> A

v2.23.0 | Report a Bug | By Email