Re: [openpgp] reviewing sample v5 certificate: can't validate internal signatures
Paul Wouters <paul@nohats.ca> Fri, 25 November 2022 14:02 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E12FFC14CE46 for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 06:02:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TwBAqeFhkiB5 for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 06:02:18 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1BD6C14CE44 for <openpgp@ietf.org>; Fri, 25 Nov 2022 06:02:17 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4NJc4S02Fyz1K1; Fri, 25 Nov 2022 15:02:16 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1669384936; bh=pA9F1sd1Z8Igjw1nFKXYrqMzn1YAV8bo9FOB+07bGoI=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=u/yBcv1pDvB9GR4S1dILDuf+JVzyt3HEP2R8jXDunkTNs4YQcDSQE9c/o20xbmRPa EO/cl/KfAxur8bOl96iVfC4tBYpKsFWVKVO9PT/1bW1f+xT9xmkavFSCYDuD66xz3L /y1NKA3kfAuexhJJ6+Cr68e6C68EDpAXMQ9mM0NY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id Cmlx8ZksO9F2; Fri, 25 Nov 2022 15:02:14 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 25 Nov 2022 15:02:14 +0100 (CET)
Received: from smtpclient.apple (unknown [193.110.157.208]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id 9B9DB411E81; Fri, 25 Nov 2022 09:02:13 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Fri, 25 Nov 2022 09:02:12 -0500
Message-Id: <433A9BF0-027C-47A3-BF7E-4BF840B8F2F0@nohats.ca>
References: <874junuqb4.fsf@fifthhorseman.net>
Cc: openpgp@ietf.org
In-Reply-To: <874junuqb4.fsf@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/OcBMT1Mk4_hfSBnJ_HKxfkhHxt0>
Subject: Re: [openpgp] reviewing sample v5 certificate: can't validate internal signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 14:02:23 -0000
On Nov 25, 2022, at 08:56, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>
> Here is a broken-out representation of this stream, in a format inspired
> by the nice rendering that Sequoia produces with "sq packet dump --hex".
> The first column is the byte index (in hex), and each byte is
> represented in hex. Each row is 8 octets wide.
>
> ```
> 0000 90 3c 95 63 5b 81 78 3d salt
> 0008 57 3f 32 71 96 56 90 01
> [pubkey begins]
> 0010 9a v5 pubkey
> 0011 00 00 00 37 pubkey length
> 0015 05 pubkey version
> 0016 62 20
> 0018 d0 57 Creation Time
> 001a 16 key algo: EdDSA
> 001b 00 00 00 2d key length
> 001f 09 OID length
> 0020 2b 06 01 04 01 da 47 0f OID (Ed25519)
> 0028 01
> 0029 01 07 MPI length
> 002b 40 prefix octet
> 002c b5 50 fd 42 x coordinate
> 0030 0b de 0a 2a f2 da 98 c8
> 0038 08 6a c7 5f 40 1b 96 07
> 0040 b8 cc 80 1e 30 8e 4f 25
> 0048 29 54 ab 51
> [trailer begins]
> 004c 05 sig version
> 004d 1f sig type: direct key signature
> 004e 16 sig algo: EdDSA
> 004f 0a hash algo: SHA2-512
> 0050 00 00 00 23 hashed subpackets length
> 0054 05 sbpkt length
> 0055 02 sbpkt type: Signature Creation Time
> 0056 62 20 Signature Creation Time
> 0058 d0 57 (2022-03-03T14:27:35Z)
> 005a 03 sbpkt length
> 005b 15 sbpkt type: Pref. Hash Algorithms
> 005c 08 0a Hash Algos: [SHA2-256 SHA2-512]
> 005e 04 sbpkt length
> 005f 16 sbpkt type: Pref. Compression
> 0060 00 02 01 Compress Algos: [none ZLIB ZIP]
> 0063 02 sbpkt length
> 0064 1b sbpkt type: Key Flags
> 0065 03 Key Flags: {certify, sign}
> 0066 02 sbpkt length
> 0067 1e sbpkt type: Features
> 0068 09 Features: {SEIPDv1, SEIPDv2}
> 0069 0d sbpkt length
> 006a 27 sbpkt type: Pref. AEAD Ciphersuites
> 006b 09 03 [AES256-GCM
> 006d 07 03 AES128-GCM
> 006f 09 AES256-EAX
> 0070 01
> 0071 07 01 AES128-EAX
> 0073 09 02 AES256-OCB
> 0075 07 02 AES128-OCB]
> 0077 05 sig version
> 0078 ff sentinel octet
> 0079 00 00 00 00 00 00 00 trailer length
> 0080 2b
> 0081
> ```
>
> I wonder whether it makes sense to include something like this as an
> example in the draft itself, to make it easy for implementers to check
> their work with a concrete example.
That would be great for an appendix entry !
> It's also a little bit weird that the draft's sample cert is advertising
> a AEAD ciphersuite preference for GCM and EAX over OCB, given the
> draft's clear preference for OCB, and that it's using SHA2-512 to sign a
> certificate that advertises a preference for SHA2-256 over SHA2-512.
> And it's odd that there is no symmetric cipher preference list, given
> that the Features subpacket advertises support for SEIPDv1.
>
> I'd propose the sample cert should list the following simple and fairly
> narrow preferences to exercise some of the new directions that the
> update is heading toward:
>
> - hashes: sha2-512 sha3-512 sha2-256 sha3-256
> - symmetric ciphers: aes256 aes128
> - compression: none
> - AEAD: aes256-OCB aes128-OCB
>
> What do y'all think? I don't think this is worth engaging in a conflict
> over, as it's just an example; if folks want to keep the current values,
> i'm happy to keep it as is.
Please do a PR. The example should really comply with the draft text and me as simple as possible.
Paul
- [openpgp] reviewing sample v5 certificate: can't … Daniel Kahn Gillmor
- Re: [openpgp] reviewing sample v5 certificate: ca… Daniel Huigens
- Re: [openpgp] reviewing sample v5 certificate: ca… Daniel Kahn Gillmor
- Re: [openpgp] reviewing sample v5 certificate: ca… Paul Wouters
- Re: [openpgp] reviewing sample v5 certificate: ca… Daniel Huigens
- [openpgp] OpenPGP sample artifacts [was: Re: revi… Daniel Kahn Gillmor