IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Justus Winter <justus@sequoia-pgp.org> Thu, 02 March 2023 09:44 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99A11C151B12 for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 01:44:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.694
X-Spam-Level:
X-Spam-Status: No, score=-1.694 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mCyc0tiGaKRT for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 01:44:50 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F17BC151547 for <openpgp@ietf.org>; Thu, 2 Mar 2023 01:44:49 -0800 (PST)
Received: (qmail 32113 invoked by uid 500); 2 Mar 2023 09:44:46 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com>
Date: Thu, 02 Mar 2023 10:44:44 +0100
Message-ID: <87a60vbi7n.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: -
X-Rspamd-Report: R_MISSING_CHARSET(0.5) MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.344429)
X-Rspamd-Score: -1.044429
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Thu, 02 Mar 2023 10:44:46 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=BZIECy7s1llGPZltNonTe8y6erJUhI+pG3ahEDFZ4XU=; b=FDroce2pcJrv/5+QzNTnobUIN9nwxU5oErPwSl75KWsi0oCBdVJIBECNtVrOGSfK8BHT8cJG51 yTMuQ+qMIjBaQu34QjVuBpsIOn0bsJKv6iR2S/onOGip6MLstZV0nhswD2//flTqPtnN1m8fzXPl IhCNfwX0bvQ2mpj8OmeA/FqWlNCw6CD2rkpo63ogMW3MM20HIO9jIbVoT1cdVS7nWmDF1y/9Rlj3 QuBAwxZ5F5CY4debtQfR33GKGWDGuF+ldskwFb3JPl2fmmkx/C6tmkcYEl7QQ6oq15O47PP18QZQ 8ybFAn7ura+ZzzL1EIHkDzIw7XHkZSaVlDrZs42Aukgj979tAhVxqGRJbtuLHvqONkPrz+iUWLX7 ibWp8oii9G9WFe5vuh8BCBGMjrRsfvMjrlYJG870Gs45Eg5jyr5P57Rq8BBq2FcfVc7p+ZdtazF4 wFbDn/mhywIuPbwclVgtqBvHf3rmCVJ7ZalqonTVNF7iLbs6vydf/Q8bY0UNbJlLcVbbcBiQNVpb cdJBY06C3eQ7dJReE9TVAtL3YHrYWfzr4DpVLCxAGFhZG8TXF71ub551cbuyn3piTO88ax9BWoHk mbrteutPrZHzr8XN9ElOhwQ5lnXTFadZkuEo5dqqghirlHBydyhX1K5PGDK9fkpFp9CriVY/C1lt M=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WhMBIMubQ2-i8oGTdV-ma-28oqg>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 09:44:54 -0000

Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:

> On 01/03/2023 18:01, Daniel Kahn Gillmor wrote:
>> On Wed 2023-03-01 12:46:26 +0000, Andrew Gallagher wrote:
>>> The body of a signature packet contains the prefix octets, and the above
>>> only says to remove the unhashed subpacket area. So fixing up the prefix
>>> octets will invalidate 0x50 sigs.
>> 
>> I think this is correct, but surely "do not tamper with the subject of a
>> signature if you want the signature to still validate" is true
>> *regardless* of whether the subject of the signature is itself an
>> OpenPGP signature or not.
>> 
>> Why should the working group prohibit an implementation that wants to
>> fix a malformed certification that is *not* covered by a 0x50 signature
>> or embedded in a digest-dependent chain like a git repo?
>
> Because in a distributed system you don't know that a signature is not 
> the subject of a countersignature or digest somewhere else. We can 
> easily construct a case where a signature is stored on some central 
> system (e.g. a keyserver), and also distributed to a third party (or 
> parties) for countersignature. When a countersig comes back, what 
> happens if the original sig has been fixed up in the meantime? Does the 
> keyserver refuse to process the countersig (being invalid) or does it 
> revert to the previous (malformed) version? What if one third party 
> countersigs the malformed sig and another countersigs the fixed-up copy?
>
> This is a can of worms that should be nailed firmly shut IMO.

While this is true, I fear that we're having an argument for the sake of
having an argument.

You indeed found a place where hashing in the OpenPGP sense does cover
the digest prefix.  However, I'm not aware of an implementation of
third-party confirmation signatures, or even a clear cut use case, and I
haven't seen such a signature, neither in the wild nor in test data.

(Attestation Key Signatures also seem to hash the digest, and I have
actually implemented that, but noone else has AIUI, and Attestation Key
Signatures have been deemed unchartered, so they are not really a
thing.)

I don't think either warrants a clarification for v4 (let alone v3)
signatures.

Best,
Justus

v2.23.0 | Report a Bug | By Email