Re: [openpgp] Embedded TPK subpacket

Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de> Mon, 25 March 2019 12:27 UTC

Return-Path: <marcus.brinkmann@ruhr-uni-bochum.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90F52120396 for <openpgp@ietfa.amsl.com>; Mon, 25 Mar 2019 05:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ruhr-uni-bochum.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqVc29rGtktS for <openpgp@ietfa.amsl.com>; Mon, 25 Mar 2019 05:27:03 -0700 (PDT)
Received: from out2.mail.ruhr-uni-bochum.de (out2.mail.ruhr-uni-bochum.de [IPv6:2a05:3e00:c:1001::8693:2ae5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCFD9120390 for <openpgp@ietf.org>; Mon, 25 Mar 2019 05:27:02 -0700 (PDT)
Received: from mx2.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by out2.mail.ruhr-uni-bochum.de (Postfix mo-ext) with ESMTP id 44SYRS0rMTz4x0X for <openpgp@ietf.org>; Mon, 25 Mar 2019 13:27:00 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ruhr-uni-bochum.de; s=mail-2017; t=1553516820; bh=rdz4g4+SWywoYNbGB/tx11exeL6TUYEZMTfSd5JrOEI=; h=Subject:To:References:From:Date:In-Reply-To:From; b=jeeQu2AZm6OpPQyasycf/oXyhDaJpmD26HCJMcYFsEe6h3XlKbr8Tnm/V3xdPW0tB HnOX5Q8oMvfCySRUmlBBQogNuDiET/MzcZsLrGuPZfj58EPk0ZVoqRd29mTfbl3EhM AFXapofs9xp4fw54yyEwia7KjvdxfVr3vD3snFxQ=
Received: from out2.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by mx2.mail.ruhr-uni-bochum.de (Postfix idis) with ESMTP id 44SYRR6kfDz4wyC for <openpgp@ietf.org>; Mon, 25 Mar 2019 13:26:59 +0100 (CET)
X-Envelope-Sender: <marcus.brinkmann@ruhr-uni-bochum.de>
X-RUB-Notes: Internal origin=134.147.42.227
Received: from mail1.mail.ruhr-uni-bochum.de (mail.ruhr-uni-bochum.de [134.147.42.227]) by out2.mail.ruhr-uni-bochum.de (Postfix mi-int) with ESMTP id 44SYRR6Bt6z4wnr for <openpgp@ietf.org>; Mon, 25 Mar 2019 13:26:59 +0100 (CET)
Received: from [192.168.1.102] (phoneyspot-457.nds.ruhr-uni-bochum.de [134.147.159.61]) by mail1.mail.ruhr-uni-bochum.de (Postfix) with ESMTPSA id 44SYRR5HL8zyt6 for <openpgp@ietf.org>; Mon, 25 Mar 2019 13:26:59 +0100 (CET)
To: openpgp@ietf.org
References: <87ef6v71jm.fsf@europa.jade-hamburg.de> <1e6052ec-36ba-d14d-5028-b4aac973a494@ruhr-uni-bochum.de> <87bm1z6xhy.fsf@europa.jade-hamburg.de>
From: Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de>
Openpgp: preference=signencrypt
Autocrypt: addr=marcus.brinkmann@ruhr-uni-bochum.de; keydata= mQINBFZU6WABEADoVonKbB/tV0v25cm39DaSZyN7it70RhTZHLESbpDiHCwiAMi74MK/HB/q VR9LZDkTDF1x5xUnxxMHa2rpxO329dlk5dQFq1iELxIC/yBCEh5HMLT5MkWqwb8UkINYpaFU csQdPvdC2RzZ4Wt5/xX/6mvSnA4g7hSmUKwIiDX6489Fj5jHK3i0UQFnzKty3O7mqSbedTHs ym2q6fPcIlEOvU6unzxJRK4bgfW2NBM6aMqgLeQkKYIkd1Q/OXEWCXC4hQJepak+n34ChIrV RRHIBJ0GHRkEgHQgQUqPLS0fJlMYCaSZFmOAaqmigxVn1ErG3jTnFQPbPkfE5SCssFP2grNV N1ikJzOEpBLYA/4pOaJzSnZ0xx9aKPdUsyBksKmCsLQNiRt4ZTNFpJ2DJ8NbXYAFkrcu15og lrB//CVQj3CfkzUbpyfcwJHAho1K6XaPybI14znuorTJF3ml0qDd3XDkcmnF58s4hfvGHQtz +CEW+85gUF+T9jKLpwNGcNdBhbvdE6d3cSbR7dXeZsxiA4AmqqEhH6SnVmkSqmhX4+k6RksE MrHJnzefTyA4kXIR2QvD60nZXqta35VhhCzIcpkUpxcwABBR7C8nCxiGV7wNmGECgHv+Zl/O hQhWF1Ld1G93xCg7D+Nz0RerRdwtBOUatmCp+2HRTcRXNOW8jQARAQABtDZNYXJjdXMgQnJp bmttYW5uIDxtYXJjdXMuYnJpbmttYW5uQHJ1aHItdW5pLWJvY2h1bS5kZT6JAjgEEwECACIF AlZU6WACGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEIiwjVpXtiFAHDUP/0PuDwhn Cyn7b2S7Lrn0BBmi3LOS4ioalCZkV6BenkXydeGwJ9CVVix9WEbiLzCz/DHfvz97l/T9lxcM bACc1tX5a+qvqydzKd2eXFnVdH1JaihqdhG7sWYi22H1uWSyWbHd3rBZaDAts5Qialdg+WC0 kHh9pkmmlUE3BIkTaIOA9k4J93hz4QDOEO7xjB9XMOIRuasZ0lOOPraezS/pKLaQHlzPJZfo QEGL3ndn8U1FXZgR2DWhGtbClEvLaNXJ7RYhIlCeEwCwsTuGg48iDYC0+phvj/nwhZV60+Eb lR4Kux4DjY65s4Rp4kIzh51PRE+bLHtULPx1x9X1x5ZekYQdgwf6doBIIauARZFaxI6dt3i+ HSMjpga3k2Xn5iCaf6NeG1J2bh9sEAH7nntibOOp4sT8YR2SiQ5ab8PnDkydwbghUZcJ39a/ CZnN3f1RFeRX6d3zbfULPsf7o0LM/IvNKFvBoVzVb3AVYdhe5FNOE0DfhOe8lpE88ofu+es6 ECGumfR8UEcQc/O4dSyprngxZjjEdgdo5KqUkCEeGM8lVp+EFcmtLME3uqFhsUihk3YfF9Ni vZ0/0ZcLsmMp3zCZ9wS6HWr2UTkYrgc7Nr3YBClDs9W/jurcSPMmpwwhq2ycWaMMMPqULS4c U2vhGKh6JDPqfIfXFQIfhiVwCMx1uQINBFZU6WABEAC3meKoeQn4r37Z1WCvl/lRVgwYLIEw GX94WCZODxPPEy2zTWStj45yv1ZrSI0HyAqssZzXPelOFJzlM8M+iccxIMRgjnnGJJR0YqYU draf1Z2YQk/x2WjYNUg0blChdyeqwBhLAQKtnPOKkTPZBBGzPjsS+JeB8yN5r4vouFGMG+Cm YFUy4oCmcmuUrdLm9NlzM5ituyTJsPG9CDO834e4qlZsNW/yEzyPsYDW0PxJxgEe/WjLsDJ0 aiwaDhBpR8/i2FfEUTGXl+6wvdXR9lhddBoiUCVlNRu9jiKVxv2JVJepcZa9B/atJwcsDAkZ JgnjP0qRybixx/wo14KromgWVBGwpZ89sFEgZF6HcxPMKuWtieIORzs9kb0jpMFi1hW9xi60 UBHikrpDG9MnwA35d1lg/9kUlrF1nqTnyoz43UxntlgQejl6JcBR2Poaaib3ZtCR34yxslFz 4znXBermA2eEvusEmjYJlxPWozW18grbSYUr1tCmjvKZAIMrspVx37+WSm/4fy8Mq9iqhkIw eFQM10GL+fRQOGJTpSY/KiGxmkaTPtj9iaovJOcGAjUzzreGhi4toIrWWULPNKS6vuV4VgMB F4XxIcVqC9I43yzJ6/cYciwL9bxoWQ4EpHuIG3sewvOWbceeDO9j9DRSd9E6GX67NzrruDPX Ooge2QARAQABiQIfBBgBAgAJBQJWVOlgAhsMAAoJEIiwjVpXtiFAHBwP/3x5953X/1jR2Aeg R6oHSF0HAD8kMnKLP5cwLqrOzUpCwqzFGBCbYdvxrWG106jyvcZdUvtBSGd8n1FuE2WrpQrK gNjdRG65cN2kduk/w66Oq57EqSuO/r6OnadG9hgVZ1YP/QUsL6n4oF7coD0CJiH98UyLw1yP 3Em1ONX8ditvMVHNudVC1VoEN1BFjIX9VWqWoU843vPct9wKi6jLYHHAX3UpnEJtfqLHCj55 4s+0yhMhoaAIfNQZWU9iKzldM6Y0j8DJ/YBSThhw9S/TX7mClhXArJ/iPJSr6FPhlQMMcZRQ aSiQu1gDL76I5G03SkBWCnXbSpeNtTeMiSpsA58c8rpr2T4giCiV29FPgEj4We2/jBrBcwWA /XjSLE2RNOnF2G65dVxHAlaCc84lC2+bh9kVU+Tb+9YDWfHyNO+pNk/Lpaef2Kg6ScKmte6+ wVkWQZFTU8mgkHZqFvQk29RnV02phRTM0ryvWWldNgf3vzztS3iyD3GrJCPcxjm24cAflp+7 JfQ4qV/ec598k++HI4r3SfmSFKFcsxh+073p+oVjs5kIHxM0SExdjKewLOE3BKQYjn1r17xW XogKlIGbTEluQ4Odyh4n88/iA8ZLNPKjvjno7UuwBsZyJxdaTOXlQYt+ZRZNfIBSWqv0U9fY tp9qPuy4vCfkycCucIgO
Message-ID: <b13e0706-af4c-c8f8-ac3e-2cc9b6165eaf@ruhr-uni-bochum.de>
Date: Mon, 25 Mar 2019 13:26:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <87bm1z6xhy.fsf@europa.jade-hamburg.de>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.4 at mail1.mail.ruhr-uni-bochum.de
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aoSsEBBTZCc-_jfzQxwS0Ud0lIQ>
Subject: Re: [openpgp] Embedded TPK subpacket
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 12:27:06 -0000

On 3/25/19 11:48 AM, Justus Winter wrote:
>> Can you clarify what keys are allowed as embedded TPKs?  Just the
>> signing key for that signature, or arbitrary keys?
> 
> Arbitrary keys.
> 
>> If the latter (for example to allow more use cases such as key
>> rollover), then the new subpacket would be the first subpacket not to
>> have any relationship to the signature it is contained in, which would
>> be awkward.
> 
> Really?  Plenty of signature subpackets deal with keys, user
> preferences, or can simply contain arbitrary data (notations).

I haven't done an exhaustive analysis, but on a first glance those seem
to be related to the signature. For example, user preferences are part
of binding signatures.

>> It would also potentially allow interesting attack vectors (injecting
>> arbitrary keyring data).
> 
> GnuPG's keyring is uncurated, and it uses trust models to compute the
> validity of userid,key-bindings.  Similar, Sequoia's keystore can
> contain keys that have no bindings.

GnuPG's keyring was very helpful in my enigmail signature spoofing
attack [1]. Just saying :)

[1] https://neopg.io/blog/enigmail-signature-spoof

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann