[openpgp] subkey revocation signatures -- RFC compliance?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 27 July 2012 04:40 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D34A521F84F6 for <openpgp@ietfa.amsl.com>; Thu, 26 Jul 2012 21:40:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S5-qly3+18fQ for <openpgp@ietfa.amsl.com>; Thu, 26 Jul 2012 21:40:02 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id A963221F848F for <openpgp@ietf.org>; Thu, 26 Jul 2012 21:40:01 -0700 (PDT)
Received: from pip.fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id BE9B5F975 for <openpgp@ietf.org>; Fri, 27 Jul 2012 00:39:59 -0400 (EDT)
Received: by pip.fifthhorseman.net (Postfix, from userid 1000) id E029115665; Thu, 26 Jul 2012 22:39:57 -0600 (CST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF OpenPGP <openpgp@ietf.org>
User-Agent: Notmuch/0.13.2 (http://notmuchmail.org) Emacs/23.4.1 (i486-pc-linux-gnu)
Date: Fri, 27 Jul 2012 00:39:52 -0400
Message-ID: <87ehnxg6lj.fsf@pip.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Subject: [openpgp] subkey revocation signatures -- RFC compliance?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2012 04:40:05 -0000

Hi folks--

I think i'm seeing a discrepancy between packets generated by a popular
OpenPGP implementation (GnuPG) and RFC 4880.  I'm wondering if anyone
can help clarify my understanding of the RFC.

https://tools.ietf.org/html/rfc4880#section-5.2.4 says:

[...]
   When a signature is made over a key, the hash data starts with the
   octet 0x99, followed by a two-octet length of the key, and then body
   of the key packet.  (Note that this is an old-style packet header for
   a key packet with two-octet length.)  A subkey binding signature
   (type 0x18) or primary key binding signature (type 0x19) then hashes
   the subkey using the same format as the main key (also using 0x99 as
   the first octet).  Key revocation signatures (types 0x20 and 0x28)
   hash only the key being revoked.
[...]

Note that 0x28 is a subkey revocation signature.

The subkey revocation packet generated by GnuPG 1.4.12 appears to be
made over a digest that includes both the primary key and the subkey.

This seems to be in contrast to the idea that it "revocation signatures
hash only the key being revoked."

Attached is a test key with a single subkey that has been revoked by gpg
1.4.12.  I haven't been able to figure out how to revoke a subkey with
any other OpenPGP implementation yet.

I tried loading the attached key into PGP 6.5.8 (fetched from [0]) and
GnuPG 1.4.12 (in an otherwise clean gpg home), and it does look like
that version of pgp is willing to accept this form of subkey revocation:

0 wt215@pip:~/src/pgp/pgp-6.5.8$ GNUPGHOME=../gpgtest gpg --check-sigs --verbose
gpg: using PGP trust model
../gpgtest/pubring.gpg
----------------------
pub   1024D/51902F1E 2012-07-27
uid                  test key <testkey@example.net>
sig!3        51902F1E 2012-07-27  test key <testkey@example.net>
sub   1024g/02CA3054 2012-07-27 [revoked: 2012-07-27]
sig!         51902F1E 2012-07-27  test key <testkey@example.net>
rev!         51902F1E 2012-07-27  test key <testkey@example.net>

0 wt215@pip:~/src/pgp/pgp-6.5.8$ LD_PRELOAD=./x/usr/lib/libstdc++.so.2.8 ./pgp -kvv
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.


Type bits      keyID      Date       User ID
DSS  1024      0x51902F1E 2012/07/27 
 DH  1024      0x51902F1E 2012/07/27 *** KEY REVOKED ***
                                      test key <testkey@example.net>
sig            0x51902F1E             test key <testkey@example.net>
1 matching key found.
0 wt215@pip:~/src/pgp/pgp-6.5.8$ 

I also made a bogus subkey revocation packet and tried loading that into
a clean PGP 6.5.8 profile instead of the gpg-generated one, and PGP did
*not* think that the subkey was properly revoked.

So it looks to me like there are at least two implementations that hash
more than the key being revoked for subkey revocations.

Any pointers to something i've missed in the spec?  Or does this warrant
an errata?

Regards,

        --dkg

[0] http://www.pgpi.org/cgi/download.cgi?filename=PGPcmdln_6.5.8.Lnx_FW.tar.gz