Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Daniel Huigens <d.huigens@protonmail.com> Tue, 28 February 2023 10:51 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30EDCC15DF66 for <openpgp@ietfa.amsl.com>; Tue, 28 Feb 2023 02:51:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Se75hid-08Rg for <openpgp@ietfa.amsl.com>; Tue, 28 Feb 2023 02:51:10 -0800 (PST)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B185DC15DF65 for <openpgp@ietf.org>; Tue, 28 Feb 2023 02:51:10 -0800 (PST)
Date: Tue, 28 Feb 2023 10:50:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1677581467; x=1677840667; bh=rZiocsk3AxOQb0mkZswRilDqwXDrYQe6LtanwrLZGgQ=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=TlMDDLoneM94771gD9ufJJV26s0Xtoh7Ewkuei0qwmr5hWVC0sgxB9fT2OUzv4+S8 36QRCotQlmh7B0NyQGO/70uiKCtjnHzbUkTkHly+xulbrMKTWLiseAvTjw/Sz1O6QH tACow52I51QbZtgrqB+302tHXooAg87NNW3fWkLztHzEtUo4uuZeTDhVBEwr2OQkUh nxruDnKisflfGlJ4gpptFe/I1Kev1lKmeO2Ijpfj7M+rh3QsAJEj6T0O+7qdrNdeGb gh2SoClHRaU2Oj1r5l9a0D/sodQLttxDjQoPBqAxdS5bDXsJOWojA/GMf8Gmslg51X jDpbjs/JpN2gQ==
To: Justus Winter <justus@sequoia-pgp.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
Message-ID: <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com>
In-Reply-To: <87o7pe69m6.fsf@europ.lan>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/V263Pip5tkfMQVLVo6SCI0HkCks>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2023 10:51:15 -0000
Hi all, On Monday, February 27th, 2023 at 23:12, Justus Winter wrote: > Anyway, I think we made our points, I'll let someone else chime in. I don't have a super strong opinion on this point but I'll take this prompt as a cue to voice one anyway: Our implementations (OpenPGP.js and gopenpgp) do reject signatures with incorrect digest prefixes, and I have a slight preference towards keeping that check. When debugging, it gives an indication about whether the hashed data was wrong, or whether the signing process itself was broken, for example. That being said, it's still possible to check that manually, it's just a bit more of a hassle. If broken signatures are widespread, I would be OK with removing the check for v4 signatures, and checking it only for v6 sigs; or we could add a config option. That being said, we haven't encountered many issues with this check in the wild in an email context. But I guess in the context of git commit signatures this can be considered more widespread. >From a spec perspective, it's then difficult to mandate this check for v4 signatures across the board; any implementation that has to deal with GitHub's signatures (and GitHub itself) will probably not comply with that requirement. So maybe requiring it only for v6 makes sense. I've updated [!213] to reflect that, also because I assume it'll be easier to reach consensus on that. Best, Daniel [!213]: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/213
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher