Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Justus Winter <justus@sequoia-pgp.org> Wed, 01 March 2023 11:42 UTC
Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E78D8C151555 for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 03:42:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.693
X-Spam-Level:
X-Spam-Status: No, score=-1.693 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-nFwandb6ZR for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 03:42:29 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59B18C14CE44 for <openpgp@ietf.org>; Wed, 1 Mar 2023 03:42:28 -0800 (PST)
Received: (qmail 13643 invoked by uid 500); 1 Mar 2023 11:42:25 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
In-Reply-To: <87wn41ru96.fsf@fifthhorseman.net>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net>
Date: Wed, 01 Mar 2023 12:42:24 +0100
Message-ID: <87cz5sbsv3.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: -
X-Rspamd-Report: MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.511654)
X-Rspamd-Score: -1.711654
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Wed, 01 Mar 2023 12:42:25 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=bqaLduWyYURXhZrTtg9KFKdCRqBfnWpsO9sBecL5QE0=; b=yLmqs1AUFuL/Wqw2nEOiTiSFmBYSIVbzm9fLlGAd1IJLJaUIw48J+Bv71MbCMNebJPE6jZ5iye S2V9JHVh2Z5VQ12LsTE/0XCLk0TMarfbSsdoGWAgrbyn5kO2PD9xx58Qr6gxj7SRp78dvsYsOi9w 4TCwwsO/iCf/7pzsaPaL0lU+FN5RH8JRqd2FiAScJ6h5DZxx5DV5NmxZiHPqb3If/uYhkEKXK5tH so/3HjUPHDqx3qKz6ebt3oPiE4Kn/zzY1WgE3vgX6C0smg5vYUWQbATbEfEoBrEHwLHBuB6fGPxN EFYC6GaBFrC6LmrPpFqATiWFWYSDdgxSKtqlFm3v9JWkUGOcw0PQ5Z7WlakutuzAMETwLyUlIHJN Rb7OUir9npSBdXFql/cmZroGdpkpxF19y3etpdpR88kwc3gIoMXBfqY4Td4DFriwf3VyHphwih6A pIr34Es48GEJ9YjhHRAnOgR3g2o7JpKIjr7/lWlyb8/2Evc7oiaHocdCiEOxWIsezyTYJwQ4CVPS 5s1tUoirv1b1JyW17qKlLfwiYmkxkXzAiUdAJE17JM/be4pyWW0ZBauVQsfwJtHm0qghD8LnYLu5 NV9Fo3OdlaUwHN2SaDoDSSt4316lCX00RnVlfTyFuaLKRav0Mw7Xd4Sufr/tPqPgMlcrCpRmthHd w=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aXtaKjrpJvqjGSV1haAm15_qr0M>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 11:42:34 -0000
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes: >> It MUST NOT modify such malformed signatures. > > Where does this constraint come from? Why is it here? I'm also very skeptical of this requirement. Andrew, in your mail you wrote: >> This is more or less a statement of current reality, with an added >> prohibition against invalidating any checksum over the signature >> packet. Note that checksum over signatures in the OpenPGP sense do neither include the digest prefix nor the unhashed subpacket area. Any code that relies on signatures not changing their on-wire representation is likely wrong. If you checksum or compare signatures, you must exclude information not covered by the OpenPGP hash, like the unhashed subpacket area and the packet framing. The unhashed subpacket area is there for the sole purpose of being able to add information to the signature after the fact (or strip them, or reorder them). You cannot rely on others not doing that. Best, Justus
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher