Re: [openpgp] Expected client behaviour ambiguity in signature verification
Andrew Gallagher <andrewg@andrewg.com> Fri, 08 July 2022 11:18 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UaYjW7KxnNN8dx2OaVvvIgrqsLA>
On 08/07/2022 11:57, Jonathan McDowell wrote:
> On Fri, Jul 08, 2022 at 12:53:39PM +0200, Justus Winter wrote:
>
>> Alternatively, keyservers (anyone, really) could fix the digest prefix.

We could normalize in the keyservers, but I'd like to first get the opinion of other implementations about whether this might cause them any issues when merging compliant and non-compliant versions of the same signature packet.

> We still don't seem to know what's *generating* the bad data.

Nikolay's earlier reply indicates that it is probably openpgp-php:

https://github.com/singpolyma/openpgp-php/issues/120#issuecomment-1012034968
https://github.com/singpolyma/openpgp-php/blob/2a48242a7ad1dc6c7be90191ec814619ae20aa1b/lib/openpgp.php#L701

A
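
An added example, not part of the message above and not code from any keyserver or OpenPGP library: a sketch of what normalizing the digest prefix and merging the two versions of a packet could look like for a v4 signature packet body laid out as in RFC 4880. It is narrowed to a binary document signature, where the signed data is the document itself (for certifications the key and User ID framing would precede the signature fields); the function names and the sample packet are constructed for illustration.

```python
import hashlib
import struct

HASHES = {8: hashlib.sha256, 10: hashlib.sha512}  # RFC 4880 hash algorithm IDs

def split_v4(body: bytes):
    """Return (hashed_part, offset of the 2-octet digest prefix) of a v4 body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hashed_end = 6 + struct.unpack(">H", body[4:6])[0]
    if len(body) < hashed_end + 2:
        raise ValueError("truncated hashed subpacket area")
    off = hashed_end + 2 + struct.unpack(">H", body[hashed_end:hashed_end + 2])[0]
    if len(body) < off + 2:
        raise ValueError("truncated before digest prefix")
    return body[:hashed_end], off

def expected_prefix(body: bytes, signed_data: bytes) -> bytes:
    """Left 16 bits of the hash over data, hashed fields and the v4 trailer."""
    hashed_part, _ = split_v4(body)
    if body[3] not in HASHES:
        raise ValueError("hash algorithm not handled in this example")
    h = HASHES[body[3]](signed_data + hashed_part)
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed_part)))
    return h.digest()[:2]

def normalize(body: bytes, signed_data: bytes):
    """Return (body with recomputed prefix, whether it was changed)."""
    _, off = split_v4(body)
    want = expected_prefix(body, signed_data)
    return body[:off] + want + body[off + 2:], body[off:off + 2] != want

def merge_key(body: bytes) -> bytes:
    """Identity used for merging: the packet body minus the prefix octets."""
    _, off = split_v4(body)
    return body[:off] + body[off + 2:]

# Constructed sample: type 0x00, RSA (1), SHA-256 (8); the MPI is dummy bytes.
DOC = b"constructed document\n"
HEAD = bytes([4, 0, 1, 8]) + b"\x00\x06\x05\x02\x62\xc8\x12\x34"  # creation time
HEAD += b"\x00\x0a\x09\x10" + bytes(8)                            # issuer key ID
MPI = b"\x00\x08\xff"
GOOD = normalize(HEAD + b"\x00\x00" + MPI, DOC)[0]                 # correct prefix
BAD = HEAD + bytes([GOOD[len(HEAD)] ^ 0xFF, GOOD[len(HEAD) + 1]]) + MPI

if __name__ == "__main__":
    print(normalize(BAD, DOC) == (GOOD, True), merge_key(BAD) == merge_key(GOOD))
```

The prefix octets sit outside the hashed portion of the packet, so rewriting them does not change what the signature covers; `merge_key` treats two copies that differ only in those octets as the same packet.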