Re: [openpgp] padding packet as first packet in a packet sequence
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 17 December 2022 20:28 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEB55C14CE43 for <openpgp@ietfa.amsl.com>; Sat, 17 Dec 2022 12:28:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.303
X-Spam-Level:
X-Spam-Status: No, score=-6.303 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=HimBZkwW; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=xInTnECx
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iv6kqK6Zh0oC for <openpgp@ietfa.amsl.com>; Sat, 17 Dec 2022 12:28:55 -0800 (PST)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60EE1C14F74F for <openpgp@ietf.org>; Sat, 17 Dec 2022 12:28:55 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1671308934; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=XmqrzgDCcVM4TqzgpEuLJh6FQCWyrS0G6u5o6n6BPe4=; b=HimBZkwWb1liahm87o/nDgZuxaQxW/ZRtT/idfshFl3g8Agv7UB3PBYWYCXK+e7FEuC2+ H7aqgY8/A2j/TRsDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1671308934; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=XmqrzgDCcVM4TqzgpEuLJh6FQCWyrS0G6u5o6n6BPe4=; b=xInTnECx7RCgJ8i83YJVSyxtPAC1dPa0Smyps6fRTfs8Q+GvJp5HOHJEYjBRn3gNRWl6A YN2adIMqcQJ1CsuMgc+r+Fo+wz6Z6B9e/ayB+weJ8oBx4r1rJOCLObBDXVdwVrvV7BdU1Q5 cZxg8g/N6pS/W75gauQ6HRdZGG+UKSqCvH0JLiEQc7o/38DCRYyl7R2T58Xh+w9GCA7OSVe v1B9zGQOf3slHkauutTMbzb8Psuj7fcc4FUsUM407DYoF2kri8J712P99SUMpH+J3U38x+1 WIk7c7NNQEJNOqwuftYP+YyTpejftj/CfwrG9Rh9izROPB8sz9XAwTewO7tw==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 91480F9AF; Sat, 17 Dec 2022 15:28:53 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id EF50B20524; Sat, 17 Dec 2022 11:43:45 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Neal H. Walfield" <neal@walfield.org>, IETF OpenPGP WG <openpgp@ietf.org>
In-Reply-To: <87sfhz4e3u.wl-neal@walfield.org>
References: <87sfhz4e3u.wl-neal@walfield.org>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Sat, 17 Dec 2022 11:43:43 -0500
Message-ID: <87h6xu56bk.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/YOeRTMcEHnmitqD1U4EViP5ntsk>
Subject: Re: [openpgp] padding packet as first packet in a packet sequence
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Dec 2022 20:28:59 -0000
On Thu 2022-12-01 11:23:17 +0100, Neal H. Walfield wrote:
>> 5.14. Padding Packet (Tag 21)
>>
>> The Padding packet contains random data...
>>
>> Such a packet MUST be ignored when received.
>
>> 11.4. Detached Signatures
>>
>> In addition, a marker packet (Section 5.8) and a padding packet
>> (Section 5.14) can appear anywhere in the sequence.
>
> The padding packet doesn't contain much identifying information
> (perhaps 8 bits: the two hard-wired high bits, and the 6-bit packet
> tag?). This makes fingerprint files quite difficult.
> Ideally, a program, like file(1), should be able to look at the first
> few kilobytes of data, and quickly identify its format. This is also
> important for an OpenPGP implementation to avoid wasting cycles.
If i'm understanding you correctly, it sounds like "fingerprint files"
here means "identifying files by looking for likely byte signatures",
and has nothing to do with OpenPGP fingerprints.
Are we talking about identifying a file as an OpenPGP sequence, or about
identifying the type of OpenPGP sequence (message, detached signatures,
certificate, secret key)?
fwiw, a unique first octet isn't terrible as far as "magic octets" goes.
> I think the draft should be changed to forbid the padding packet from
> being the first packet in a packet sequence. Something like:
>
> the padding packet MUST NOT occur as the first packet in a packet
> sequence.
What would this mean in practice? MUST NOT generate when producing and
MUST reject when consuming?
And what about wrapped OpenPGP packet sequences? for example, consider
an SEIPD packet that unwraps into another series of OpenPGP packets --
is this saying that the first packet within the inner series of packets
also MUST NOT be a padding packet?
What about tools that concatenate OpenPGP objects and split them apart?
For example, consider two sequences that each make up an OpenPGP
certificate ("Transferable public key"). Concatenating them forms a
"keyring" with two certs in it. If the first certificate has a trailing
padding packet, then the new sequence contains a padding packet in the
middle. One reasonable operation in a keyring is to remove a
certificate. If this is done by removing the first certificate without
also removing the trailing padding packet, it sounds like this would
make the entire keyring invalid. (similar operations are imaginable for
detached signatures, i think)
Overall, this seems like a very strong constraint if the motivation is
only to improve generic libmagic-style file sniffing.
> Alternative, I propose fixing the first few (4? 8?) bytes of the
> padding packet to some value specified by the standard.
This would enhance libmagic's ability to identify a sequence as an
OpenPGP sequence *if* the padding packet comes first, but it would do
nothing to help identify the type of OpenPGP sequence, right? libmagic
would still need to parse the variable packet length in order to know
where to look for the magic value.
And what if the padding packet has no internal length? (e.g. only
minimal padding was needed, so the producer generated an empty padding
packet). What would we expect a libmagic-equivalent to do when scanning
a file containing such a packet first?
Also: if libmagic can parse the packet length, it can also skip to the
next packet header to learn more about the OpenPGP material, right?
It seems like if our goal is to improve libmagic or the equivalents, we
could give implementer guidance in the draft (or just patches to
libmagic directly), but i'm not convinced that strict yet subtle
constraints in the draft are a good idea; they might result in some
sequence rejections that make things overall more brittle than need be.
If we want strict constraints about placement of padding packets to make
sequences more predictable, we could deliberately restrict its placement
to the two locations identified in the current text, though that would
make it less useful for any future padding scheme.
I'd be fine with proposed advisory guidance here, but the MUST seems
like it would make OpenPGP interop more fragile, just for the sake of
making file(1) do a bit less work.
--dkg
- [openpgp] padding packet as first packet in a pac… Neal H. Walfield
- Re: [openpgp] padding packet as first packet in a… Daniel Kahn Gillmor
- Re: [openpgp] padding packet as first packet in a… Ángel