IETF Logo Mail Archive

Re: [openpgp] Expected client behaviour ambiguity in signature verification

Daniel Huigens <d.huigens@protonmail.com> Fri, 08 July 2022 11:13 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94392C14CF15 for <openpgp@ietfa.amsl.com>; Fri, 8 Jul 2022 04:13:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qX6cGKuqMPz1 for <openpgp@ietfa.amsl.com>; Fri, 8 Jul 2022 04:13:12 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61AD1C14CF07 for <openpgp@ietf.org>; Fri, 8 Jul 2022 04:13:12 -0700 (PDT)
Date: Fri, 08 Jul 2022 11:13:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1657278788; x=1657537988; bh=zmjbW8KRVEIbft38jN4MtpLm3VVrrCX0tdclAGBLsn0=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=MCHuMOi9N2mVRBXTt16SlVsss2Z3BOhacRBKMj+XaxPDiiA0LwO/4/UQA2awc8anC Oz5bxoL4L9okIthJV8qji8odbERnlitRtmbc2KqqRpmhmOPMgeTuyUdN3OJs2uAtiG x5mNlDIvkHUb5iHhLTuL8VGvExNJ4lA1KFvCn2hsjBrITjgwTXdRuet7zwTQ9MLVBA OC6MWaQ4AtdTWMIEbt6bk+23TXIhShC+0nnA0QTMiC4MzP8Qgyqz0n+gdJI3AyMQMq DaXRssoMQOkg9Ntr4qJzZGkb7V+TuURbDt3gpXHlXpkJ7gs3GNaL9USW0cW+TUPwbG MockEWzG86Jhw==
To: Justus Winter <justus@sequoia-pgp.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Andrew Gallagher <andrewg@andrewg.com>, openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <HcMPnSrBDMEb2UqLScL9OTrornuJln5O0WG0ZBe2FLW3Q3YbJ9plFBKGJGdWYyVF-Wz9HA6supa9tXH5y8DfJTe05cUD5Uk0VciCnGuQNMo=@protonmail.com>
In-Reply-To: <87sfnbx3we.fsf@europ.lan>
References: <d0483dcb-025b-37c2-9a26-e42133b506ac@andrewg.com> <rFGQzFpo7YRJdeCEIqSDMYYZhf_svkyx8UHG3GE__VMZFj2pRAbcTa-G9jjQoppUln1XNblYl6Lbjn7wMDMLqwzTJxB-hO0RwAofwLJL7wc=@protonmail.com> <87sfnbx3we.fsf@europ.lan>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UxTaAg4MYafaDGxJQRIA0Sql5bQ>
Subject: Re: [openpgp] Expected client behaviour ambiguity in signature verification
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 11:13:16 -0000

On Friday, July 8th, 2022 at 13:03, Justus Winter wrote:

> Sequoia uses the digest prefix as when canonicalizing certificates. If
> we encounter a third party certification for which we don't have the
> issuers certificate, we use the digest prefix as a heuristic to check if
> a signature is associated with the right component, and if not, use it
> to find the right component (with a chance of 2^16 of getting it wrong,
> in which case we duplicate the signature).

I would prefer not to (have to) do such heuristics. Signatures should be
after the component they're associated with, and if they're not, just
ignore them, imo. Being lenient about signature placement in this way
can (eventually) force other implementations to do the same, similarly
to what apparently happened with not checking the hash prefix bytes.

Best,
Daniel

v2.23.0 | Report a Bug | By Email