Re: Signature Subpacket 10?

David Shaw <dshaw@jabberwocky.com> Thu, 30 June 2005 13:29 UTC

Date: Thu, 30 Jun 2005 09:01:02 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Signature Subpacket 10?

On Thu, Jun 30, 2005 at 01:13:02PM +0100, Ben Laurie wrote:

> Aha. Well, I'd like to be able to extract the data, just for 
> completeness. Does anyone have a format for the packet?

I believe it is the same as the format for the designated revocation
subpacket (#12).  A class byte, followed by an algorithm byte for the
public key algorithm of the key being ARR-ed to, followed by the (V4)
fingerprint of the ARR key.

The class byte has bits defined to express "please follow this ARR" or
"you must follow this ARR", but I'm afraid I don't know which bits
mean what offhand.

David





Date: Thu, 30 Jun 2005 13:13:02 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Ian Grigg <iang@systemics.com>
CC: Werner Koch <wk@gnupg.org>, OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Signature Subpacket 10?

Ian Grigg wrote:
> On Thursday 30 June 2005 11:30, Werner Koch wrote:
> 
>>On Thu, 30 Jun 2005 09:27:40 +0100, Ben Laurie said:
>>
>>
>>>I see it is reserved "for backward compatibility". I'm curious to
>>>know: what's in this packet? Is it documented somewhere?
>>
>>    SIGSUBPKT_ARR	   =10, /* additional recipient request */
>>
>>aka additional decryption key.
> 
> 
> 
> A little background.  This was added by the old
> PGP Inc company for commercial users so as to
> escrow email.  If a key had this subpacket, you
> would encrypt to that additional key as well.
> 
> The notion was that it should go
> in the standard, but that was politically charged
> at the time - indeed Louis Freeh stood up in
> front of Congress and used this very feature as
> proof that it was possible to force all crypto
> programs to escrow messages for the FBI...
> 
> The compromise that was reached was that it
> not be documented in the standard.  I don't
> know if GPG implements it, or even if the PGP
> line still includes it.  I think architecturally speaking,
> such a feature is better off in the proxy products,
> and layered over the top at the admin level
> rather than put in the tech.  I think it is relatively
> safe to ignore it.

Aha. Well, I'd like to be able to extract the data, just for 
completeness. Does anyone have a format for the packet?

Cheers,

Ben.

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



To: Ian Grigg <iang@systemics.com>
Cc: Ben Laurie <ben@algroup.co.uk>, OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Signature Subpacket 10?
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:wk@g10code.com
Date: Thu, 30 Jun 2005 13:52:27 +0200

On Thu, 30 Jun 2005 12:16:26 +0100, Ian Grigg said:

> at the time - indeed Louis Freeh stood up in
> front of Congress and used this very feature as
> proof that it was possible to force all crypto
> programs to escrow messages for the FBI...

I did not know that; interesting.  The ARR became known due to a bug
in the implementation at that time.

> not be documented in the standard.  I don't
> know if GPG implements it, or even if the PGP

No, never did it.  We only have a warning for that bug:

    if ( type == SIGSUBPKT_ARR && !hashed ) {
        fprintf (listfp,
                 "\tsubpkt %d len %u (additional recipient request)\n"
                 "WARNING: PGP versions > 5.0 and < 6.5.8 will automagically "
                 "encrypt to this key and thereby reveal the plaintext to "
                 "the owner of this ARR key. Detailed info follows:\n",
                 type, (unsigned)length );
    }



Shalom-Salam,

   Werner
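
Added example (not part of the original messages, and not GnuPG or PGP code): a C parser for the layout David Shaw describes at the top of the thread (class byte, algorithm byte, 20-byte V4 fingerprint), which also records whether the subpacket sat in the unhashed area, the condition Werner's warning checks. The layout follows David's recollection rather than a specification; find_arr, struct arr_info and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIGSUBPKT_ARR 10   /* name and value as quoted in the thread */
#define V4_FPR_LEN    20   /* a V4 fingerprint is a 20-byte SHA-1 digest */

struct arr_info {
    uint8_t class_byte;        /* kept raw: the thread does not give the bit meanings */
    uint8_t pk_algo;           /* public-key algorithm of the ARR key */
    uint8_t fpr[V4_FPR_LEN];   /* V4 fingerprint of the ARR key */
    int     unhashed;          /* 1 if found outside the signed (hashed) area */
};

/* Constructed sample area: a creation-time subpacket, then an ARR subpacket
 * with class 0x80, algorithm 16 and fingerprint bytes 00..13 (all made up). */
static const uint8_t SAMPLE_AREA[] = {
    0x05, 0x02, 0x42, 0xC3, 0xE1, 0xCE,
    0x17, 0x0A, 0x80, 0x10,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13
};

/* Decode one subpacket length (RFC 4880, section 5.2.3.1).
 * Returns the number of length octets consumed, or 0 if the input is truncated. */
static size_t subpkt_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 192) { *len = p[0]; return 1; }
    if (p[0] < 255) {
        if (avail < 2) return 0;
        *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    if (avail < 5) return 0;
    *len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4];
    return 5;
}

/* Walk one subpacket area. `hashed` says which area the caller passed in.
 * Returns 1 if an ARR subpacket was found, 0 if none, -1 if the area is malformed. */
int find_arr(const uint8_t *area, size_t area_len, int hashed, struct arr_info *out)
{
    size_t off = 0;
    while (off < area_len) {
        size_t len;
        size_t n = subpkt_len(area + off, area_len - off, &len);
        if (n == 0) return -1;
        off += n;
        /* len counts the type octet, so it is at least 1 and must fit in the area */
        if (len == 0 || len > area_len - off) return -1;
        uint8_t type = area[off] & 0x7f;          /* bit 7 is the critical flag */
        const uint8_t *body = area + off + 1;
        if (type == SIGSUBPKT_ARR) {
            if (len - 1 != 2 + V4_FPR_LEN) return -1;
            out->class_byte = body[0];
            out->pk_algo = body[1];
            memcpy(out->fpr, body + 2, V4_FPR_LEN);
            out->unhashed = !hashed;
            return 1;
        }
        off += len;
    }
    return 0;
}

int main(void)
{
    struct arr_info a;
    /* Treat the sample as an unhashed area, the case the warning above covers. */
    int rc = find_arr(SAMPLE_AREA, sizeof SAMPLE_AREA, 0, &a);
    if (rc != 1) { printf("no ARR subpacket (rc=%d)\n", rc); return rc < 0; }
    printf("ARR: class 0x%02x, pk algo %u, fingerprint ", a.class_byte, a.pk_algo);
    for (int i = 0; i < V4_FPR_LEN; i++) printf("%02X", a.fpr[i]);
    printf("\n");
    if (a.unhashed)
        printf("note: unhashed, so this subpacket is not covered by the signature\n");
    return 0;
}
```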



From: Ian Grigg <iang@systemics.com>
To: Ben Laurie <ben@algroup.co.uk>
Subject: Re: Signature Subpacket 10?
Date: Thu, 30 Jun 2005 12:16:26 +0100
Cc: Werner Koch <wk@gnupg.org>, OpenPGP <ietf-openpgp@imc.org>

On Thursday 30 June 2005 11:30, Werner Koch wrote:
> 
> On Thu, 30 Jun 2005 09:27:40 +0100, Ben Laurie said:
> 
> > I see it is reserved "for backward compatibility". I'm curious to
> > know: what's in this packet? Is it documented somewhere?
> 
>     SIGSUBPKT_ARR	   =10, /* additional recipient request */
> 
> aka additional decryption key.


A little background.  This was added by the old
PGP Inc company for commercial users so as to
escrow email.  If a key had this subpacket, you
would encrypt to that additional key as well.

The notion was that it should go
in the standard, but that was politically charged
at the time - indeed Louis Freeh stood up in
front of Congress and used this very feature as
proof that it was possible to force all crypto
programs to escrow messages for the FBI...

The compromise that was reached was that it
not be documented in the standard.  I don't
know if GPG implements it, or even if the PGP
line still includes it.  I think architecturally speaking,
such a feature is better off in the proxy products,
and layered over the top at the admin level
rather than put in the tech.  I think it is relatively
safe to ignore it.

iang
-- 
Advances in Financial Cryptography, Issue 2:
   https://www.financialcryptography.com/mt/archives/000498.html
Mark Stiegler, An Introduction to Petname Systems
Nick Szabo, Scarce Objects
Ian Grigg, Triple Entry Accounting



To: Ben Laurie <ben@algroup.co.uk>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Signature Subpacket 10?
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:wk@g10code.com
Date: Thu, 30 Jun 2005 12:30:15 +0200

On Thu, 30 Jun 2005 09:27:40 +0100, Ben Laurie said:

> I see it is reserved "for backward compatibility". I'm curious to
> know: what's in this packet? Is it documented somewhere?

    SIGSUBPKT_ARR	   =10, /* additional recipient request */

aka additional decryption key.


Salam-Shalom,

   Werner



Date: Thu, 30 Jun 2005 09:27:40 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Signature Subpacket 10?

I see it is reserved "for backward compatibility". I'm curious to know: 
what's in this packet? Is it documented somewhere?

Cheers,

Ben.




From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: ben@algroup.co.uk, pgut001@cs.auckland.ac.nz
Subject: Re: Power function PGP math library?
Cc: hal@finney.org, ietf-openpgp@imc.org, spider-41@hotmail.com
Date: Wed, 22 Jun 2005 13:16:28 +1200

Ben Laurie <ben@algroup.co.uk> writes:
>Peter Gutmann wrote:
>>>openssl
>>
>>The code is the crypto equivalent of Heathrow Airport.
>
>The bignum code is reasonably OK :-)

I'd always seen that as the bit with all the excavators :-).

Peter.



Date: Tue, 21 Jun 2005 16:55:35 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: hal@finney.org, ietf-openpgp@imc.org, spider-41@hotmail.com
Subject: Re: Power function PGP math library?

Peter Gutmann wrote:
>>openssl
> 
> The code is the crypto equivalent of Heathrow Airport.

The bignum code is reasonably OK :-)




From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: hal@finney.org, ietf-openpgp@imc.org, spider-41@hotmail.com
Subject: Re: Power function PGP math library?
Date: Fri, 17 Jun 2005 23:24:35 +1200

hal@finney.org ("Hal Finney") writes:

>I have to say that I think there are better choices for math libraries these
>days than that old code.  gmp, crypto++ and openssl are three that I have
>used and are good quality.  I've also heard good things about libtommath.
>You can find more about any of these via google.

Some thoughts:

>gmp,

Needs GNU-everything-else in order to build, a problem if you're targeting
multiple platforms and need to use non-GNU tools (e.g. VC++).

>crypto++

Extreme C++, both in the code style and the requirements it places on
compilers.

>openssl

The code is the crypto equivalent of Heathrow Airport.

>libtommath

Very nice, although it suffers the no-visible-means-of-support problem that
killed the earlier (and equally nice) bnlib: What happens if the author gets
tired of maintaining it?

Peter.



To: ietf-openpgp@imc.org, spider-41@hotmail.com
Subject: Re: Power function PGP math library?
Date: Thu, 16 Jun 2005 23:25:28 -0700 (PDT)
From: hal@finney.org ("Hal Finney")

Kimmo writes:
> I need to verify the DSA signature in my application, and the verifier has 
> to compute these parameters, which are defined in the DSS (Digital Signature 
> Standard).
>
> w = (s')^-1 mod q
> u1 = ((SHA(M')w) mod q
> u2 = ((r')w) mod q
> v = (((g)^u1 * (y^u2) mod p) mod q
>
> I'm using PGP math library in calculation. The problem is how to calculate 
> parameter v.
>
> The parameters g (power to u1) and y (power to u2) should be calculated 
> first and then these factors should be calculated together and so on. But 
> there isn't a function in the math library to calculate powers. The 
> calculation could be done with mp_mult, but it is a very slow way to do it.

If you are using the math library I think, the one that came with the
old, old version 2.x of PGP, you can look at a web page I wrote back in
1993 that describes the math library,
http://www.finney.org/~hal/pgp_math_lib.html.  There you will see that
there is in fact a function to calculate powers, mp_modexp.  This does
a modular exponentiation, so you would use p as the modulus to calculate
g^u1 and y^u2, then multiply them together using mp_modmult.  Note that
mp_modmult does not take a modulus parameter, rather you have to call
stage_modulus with p before calling mp_modmult.  Then you can use mp_mod
to take v mod q.

I have to say that I think there are better choices for math libraries
these days than that old code.  gmp, crypto++ and openssl are three
that I have used and are good quality.  I've also heard good things
about libtommath.  You can find more about any of these via google.

Hal Finney



Date: Fri, 17 Jun 2005 09:08:21 +0200 (CEST)
Subject: Re: Power function PGP math library?
From: "Konrad Rosenbaum" <konrad@silmor.de>
To: Kimmo Mäkeläinen <spider-41@hotmail.com>
Cc: ietf-openpgp@imc.org

Kimmo Mäkeläinen said:
> v = (((g)^u1 * (y)^u2) mod p) mod q
>
> I'm using the PGP math library for the calculation. The problem is how to
> calculate parameter v.
>
> The parameters g (power to u1) and y (power to u2) should be calculated
> first and then these factors should be calculated together and so on. But
> there isn't a function in the math library to calculate powers. The
> calculation could be done with mp_mult, but it is a very slow way to do it.

Basic modular math:

(g^u1 * y^u2) mod p == ( ((g^u1)mod p) * ((y^u2) mod p) ) mod p

You do not really want to calculate g^u1 or y^u2, since it will be a Really
Big Number [tm].


     Konrad
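
Added example, not part of either reply above and not code from the PGP math library: the DSS verification equations computed the way Hal Finney and Konrad describe, with two modular exponentiations mod p, one modular multiply mod p, and a final reduction mod q. The domain parameters, key and signature are toy values constructed for this example, the function names are hypothetical, and h stands for SHA(M') already converted to an integer.

```python
# Toy DSA domain parameters, constructed for this example (far too small for
# real use): q divides p - 1, and g = 2^((p-1)/q) mod p has order q.
P, Q, G = 607, 101, 64
Y = 100               # constructed public key: y = g^x mod p with x = 5
H, R, S = 42, 22, 17  # constructed hash integer and signature (r, s), k = 3


def modexp(base, exp, mod):
    """Square-and-multiply. Every intermediate is reduced mod `mod`, so no
    value ever grows beyond (mod - 1)^2, unlike computing base**exp first."""
    result = 1 % mod
    base %= mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def dsa_v(h, r, s, y, p=P, q=Q, g=G):
    """Return v from the DSS equations, or None if r or s is out of range."""
    # DSS requires 0 < r' < q and 0 < s' < q; reject before doing any math.
    if not (0 < r < q and 0 < s < q):
        return None
    w = modexp(s, q - 2, q)   # s^-1 mod q via Fermat (valid because q is prime)
    u1 = (h * w) % q
    u2 = (r * w) % q
    # (g^u1 * y^u2) mod p == ((g^u1 mod p) * (y^u2 mod p)) mod p
    return ((modexp(g, u1, p) * modexp(y, u2, p)) % p) % q


def dsa_verify(h, r, s, y):
    """A signature is valid only when v equals r."""
    v = dsa_v(h, r, s, y)
    return v is not None and v == r


if __name__ == "__main__":
    print("valid signature:", dsa_verify(H, R, S, Y))
    print("altered hash:   ", dsa_verify(H + 1, R, S, Y))
    print("r out of range: ", dsa_verify(H, 0, S, Y))
```

All inputs to verification are public, so the data-dependent branch in modexp is acceptable here; signing code that exponentiates with a secret needs a constant-time routine from a maintained library.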





From: Kimmo Mäkeläinen <spider-41@hotmail.com>
To: ietf-openpgp@imc.org
Subject: Power function PGP math library?
Date: Fri, 17 Jun 2005 08:55:10 +0300

Hey,

I need to verify the DSA signature in my application, and the verifier has 
to compute these parameters, which are defined in the DSS (Digital Signature 
Standard).

w = (s')^-1 mod q
u1 = ((SHA(M'))w) mod q
u2 = ((r')w) mod q
v = (((g)^u1 * (y)^u2) mod p) mod q

I'm using the PGP math library for the calculation. The problem is how to
calculate parameter v.

The parameters g (power to u1) and y (power to u2) should be calculated
first and then these factors should be calculated together and so on. But
there isn't a function in the math library to calculate powers. The
calculation could be done with mp_mult, but it is a very slow way to do it.

Best regards,

Kimmo

Date: Tue, 07 Jun 2005 08:04:21 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Derek Atkins <derek@ihtfp.com>
CC: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org, spider-41@hotmail.com
Subject: Re: Problems with calculating signatures over keys

Derek Atkins wrote:
> Hal,
> 
> <chair hat>
> 
> hal@finney.org ("Hal Finney") writes:
> 
> 
>>We might want to consider some "test vectors" in the RFC which work
>>through the process of verifying a signature.  We'd show the key and
>>associated packets, and then show the exact sequence of bytes which
>>gets hashed.  I think that would be a big help to implementors.
> 
> 
> I agree that this would be a boon to implementors.  Do you want to
> volunteer to do this?  :)
> 
> 
>>Unfortunately once we open the door to including such an example,
>>there are a lot of other things we might need to show.  The public key
>>signature operations themselves, signatures on text and binary messages,
>>encryption and decryption, encrypt+sign, etc.  We could almost use a
>>separate RFC just with examples as an aid to implementors.
> 
> 
> I also agree that a separate "Test Vectors" draft would be the right
> place to put it.  It could even be an informational draft instead of a
> standards-track draft, but it could still be called something like:
>    draft-ietf-openpgp-test-vectors
> 
> 
>>Hal Finney
> 
> 
> Are there any objections from the WG to doing this?  As chair I think
> it's a good idea and would welcome a test vectors draft.

Sounds good to me.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff