Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Daniel Huigens <d.huigens@protonmail.com> Tue, 28 February 2023 10:51 UTC

Date: Tue, 28 Feb 2023 10:50:55 +0000
To: Justus Winter <justus@sequoia-pgp.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/V263Pip5tkfMQVLVo6SCI0HkCks>

Hi all,

On Monday, February 27th, 2023 at 23:12, Justus Winter wrote:
> Anyway, I think we made our points, I'll let someone else chime in.

I don't have a super strong opinion on this point but I'll take this
prompt as a cue to voice one anyway:

Our implementations (OpenPGP.js and gopenpgp) do reject signatures
with incorrect digest prefixes, and I have a slight preference towards
keeping that check. When debugging, it gives an indication about whether
the hashed data was wrong, or whether the signing process itself was
broken, for example. That being said, it's still possible to check that
manually, it's just a bit more of a hassle. If broken signatures are
widespread, I would be OK with removing the check for v4 signatures,
and checking it only for v6 sigs; or we could add a config option.

That being said, we haven't encountered many issues with this check in
the wild in an email context. But I guess in the context of git commit
signatures this can be considered more widespread.

From a spec perspective, it's then difficult to mandate this check for
v4 signatures across the board; any implementation that has to deal
with GitHub's signatures (and GitHub itself) will probably not comply
with that requirement. So maybe requiring it only for v6 makes sense.

I've updated [!213] to reflect that, also because I assume it'll be
easier to reach consensus on that.

Best,
Daniel

[!213]: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/213
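
The check discussed in the message above, as an added example (not part of the original message and not code from OpenPGP.js or gopenpgp): it computes the digest a v4 document signature covers, compares its first two octets with the prefix stored in the signature packet, and applies the "required for v6, optional for v4" policy. The function names, the `enforce_v4` switch, the sample data and the HMAC stand-in for public-key verification are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def v4_digest(data, sig_type, pk_algo, hashed_subpackets):
    """SHA-256 digest a v4 document signature covers (RFC 4880, section 5.2.4)."""
    fields = bytes([4, sig_type, pk_algo, 8])  # version, type, pk algo, 8 = SHA-256
    fields += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(fields))
    return hashlib.sha256(data + fields + trailer).digest()

def classify(version, embedded_prefix, digest, verify, enforce_v4=False):
    """Apply the digest-prefix policy, then the cryptographic check."""
    prefix_ok = digest[:2] == embedded_prefix  # "left 16 bits" field of the packet
    if not prefix_ok and (version == 6 or enforce_v4):
        return "rejected: digest prefix mismatch"
    if verify(digest):
        return "valid" if prefix_ok else "valid: bad prefix tolerated"
    if prefix_ok:  # both sides hashed the same bytes, so look at signing or the key
        return "invalid: prefix matches, suspect signing or key"
    return "invalid: prefix differs, suspect the hashed data"

# Constructed stand-in for public-key signing (HMAC, not an OpenPGP algorithm).
def toy_sign(digest, key=b"constructed demo key"):
    return hmac.new(key, digest, hashlib.sha256).digest()

def toy_verifier(signature):
    return lambda digest: hmac.compare_digest(toy_sign(digest), signature)

def demo():
    subpackets = bytes([5, 2]) + struct.pack(">I", 1677581455)  # creation time
    signed = v4_digest(b"constructed commit text\n", 0x00, 1, subpackets)
    reread = v4_digest(b"constructed commit text\r\n", 0x00, 1, subpackets)
    good, bad_prefix = toy_verifier(toy_sign(signed)), bytes([signed[0] ^ 0xFF, signed[1]])
    return [
        classify(4, signed[:2], signed, good),
        classify(4, bad_prefix, signed, good),
        classify(4, bad_prefix, signed, good, enforce_v4=True),
        classify(6, bad_prefix, signed, good),  # policy branch only; v6 hashing not modelled
        classify(4, signed[:2], reread, good),
        classify(4, signed[:2], signed, toy_verifier(toy_sign(signed, b"other key"))),
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two cases show the debugging value described in the message: a verifier that hashed different bytes (here a changed line ending) fails at the prefix, while a signature made with the wrong key fails only at the cryptographic step.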