Signature calculation language
hal@finney.org ("Hal Finney") Wed, 05 October 2005 21:27 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ENGnj-0002nM-Cy for openpgp-archive@megatron.ietf.org; Wed, 05 Oct 2005 17:27:47 -0400
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA01991 for <openpgp-archive@lists.ietf.org>; Wed, 5 Oct 2005 17:27:43 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j95LBIY4089777; Wed, 5 Oct 2005 14:11:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j95LBIIw089776; Wed, 5 Oct 2005 14:11:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j95LBHaC089769 for <ietf-openpgp@imc.org>; Wed, 5 Oct 2005 14:11:18 -0700 (PDT) (envelope-from hal@finney.org)
Received: by finney.org (Postfix, from userid 500) id EEB1457EF9; Wed, 5 Oct 2005 14:11:58 -0700 (PDT)
To: ietf-openpgp@imc.org
Subject: Signature calculation language
Message-Id: <20051005211158.EEB1457EF9@finney.org>
Date: Wed, 05 Oct 2005 14:11:58 -0700
From: hal@finney.org
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Some of the language in the draft about signature calculations is confusing and misleading. The brief descriptions in 5.2.1 Signature Types are contradicted by 5.2.4 Computing Signatures. We should make clear that 5.2.4 is authoritative. I suggest that we add to the beginning of 5.2.1, "See section 5.2.4 for detailed information on how to compute and verify signatures of each type." Particular problems: 0x18: Subkey Binding Signature This signature is a statement by the top-level signing key that indicates that it owns the subkey. This signature is calculated directly on the subkey itself, not on any User ID or other packets. A signature that binds a signing subkey also has an embedded signature subpacket in this binding signature which contains a 0x19 signature made by the signing subkey on the primary key. The signature is actually calculated over both the primary key and subkey packets, although here it says it is not calcualted over any other packets. (A separate issue is that the last sentence here should have a SHOULD: "A signature that binds a signing subkey SHOULD have an embedded...") 0x19 Primary Key Binding Signature This signature is a statement by a signing subkey, indicating that it is owned by the primary key. This signature is calculated directly on the primary key itself, and not on any User ID or other packets. Same issue here, the signature is calculated over both the primary key and the subkey packets. 0x28: Subkey revocation signature The signature is calculated directly on the subkey being revoked. A revoked subkey is not to be used. Only revocation signatures by the top-level signature key that is bound to this subkey, or by an authorized revocation key, should be considered valid revocation signatures. This is actually correct, I guess (I don't think PGP supports subpacket revocation signatures). According to 5.2.4 the hash is over just the subkey packet and does not include the primary key packet, unlike ordinary subkey signatures. That seems a little inconsistent to me - is this how other people have implemented it? A couple of comments on section 5.2.4: When a signature is made over a signature packet, the hash data starts with the octet 0x88, followed by the four-octet length of the signature, and then the body of the signature packet. The unhashed subpacket data of the signature packet being hashed is not included in the hash and the unhashed subpacket data length value is set to zero. (Note that this is an old-style packet header for a signature packet with the length-of-length set to zero). The parenthetical note at the end should go after the first sentence. For consistency with other descriptions in this section, we should refer explicitly here to the Third-Party Confirmation Signature, type 0x50, which I think is the only one for which this description applies. One thing that is missing in these two sections is a clear statement that certificate revocation signatures are calculated over the same data as the certificate being revoked. 5.2.1 just says: 0x30: Certification revocation signature This signature revokes an earlier User ID certification signature (signature class 0x10 through 0x13) or direct-key signature (0x1F). It should be issued by the same key that issued the revoked signature or an authorized revocation key. The signature should have a later creation date than the signature it revokes. with no comments about what it is computed over, and 5.2.4 doesn't clearly describe this case either. We could change that last sentence to say, "The signature is computed over the same data as the certificate that it revokes, and should have a later creation date than that certificate." I am also not in love with the classic description of document signatures in 5.2.4: The signature data is simple to compute for document signatures (types 0x00 and 0x01), for which the document itself is the data. First, it is presumptuous and uninformative to say something is simple. "The document itself is the data" has a certain Zen koan quality but does not plainly say what it means. And this fails to distinguish between text and binary signatures; for text signatures, the document itself is not the (hashed) data, but rather the canonicalized document. How about this: "For binary document signatures (type 0x00), the document data is hashed directly. For text document signatures (type 0x01), the document is canonicalized by converting line endings to <CR><LF>, and the resulting data is hashed." Hal Finney
- Signature calculation language "Hal Finney"
- Re: Signature calculation language Daniel A. Nagy
- Re: Signature calculation language Jon Callas
- Re: Signature calculation language David Shaw
- Re: Signature calculation language "Hal Finney"
- Re: Signature calculation language Daniel A. Nagy
- Re: Signature calculation language David Shaw
- Re: Signature calculation language Werner Koch
- Re: Signature calculation language Jon Callas
- Re: Signature calculation language Jon Callas