[openpgp] subkey revocation signatures -- RFC compliance?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 27 July 2012 04:40 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D34A521F84F6 for <openpgp@ietfa.amsl.com>; Thu, 26 Jul 2012 21:40:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S5-qly3+18fQ for <openpgp@ietfa.amsl.com>; Thu, 26 Jul 2012 21:40:02 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id A963221F848F for <openpgp@ietf.org>; Thu, 26 Jul 2012 21:40:01 -0700 (PDT)
Received: from pip.fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id BE9B5F975 for <openpgp@ietf.org>; Fri, 27 Jul 2012 00:39:59 -0400 (EDT)
Received: by pip.fifthhorseman.net (Postfix, from userid 1000) id E029115665; Thu, 26 Jul 2012 22:39:57 -0600 (CST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF OpenPGP <openpgp@ietf.org>
User-Agent: Notmuch/0.13.2 (http://notmuchmail.org) Emacs/23.4.1 (i486-pc-linux-gnu)
Date: Fri, 27 Jul 2012 00:39:52 -0400
Message-ID: <87ehnxg6lj.fsf@pip.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Subject: [openpgp] subkey revocation signatures -- RFC compliance?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2012 04:40:05 -0000
Hi folks-- I think i'm seeing a discrepancy between packets generated by a popular OpenPGP implementation (GnuPG) and RFC 4880. I'm wondering if anyone can help clarify my understanding of the RFC. https://tools.ietf.org/html/rfc4880#section-5.2.4 says: [...] When a signature is made over a key, the hash data starts with the octet 0x99, followed by a two-octet length of the key, and then body of the key packet. (Note that this is an old-style packet header for a key packet with two-octet length.) A subkey binding signature (type 0x18) or primary key binding signature (type 0x19) then hashes the subkey using the same format as the main key (also using 0x99 as the first octet). Key revocation signatures (types 0x20 and 0x28) hash only the key being revoked. [...] Note that 0x28 is a subkey revocation signature. The subkey revocation packet generated by GnuPG 1.4.12 appears to be made over a digest that includes both the primary key and the subkey. This seems to be in contrast to the idea that it "revocation signatures hash only the key being revoked." Attached is a test key with a single subkey that has been revoked by gpg 1.4.12. I haven't been able to figure out how to revoke a subkey with any other OpenPGP implementation yet. I tried loading the attached key into PGP 6.5.8 (fetched from [0]) and GnuPG 1.4.12 (in an otherwise clean gpg home), and it does look like that version of pgp is willing to accept this form of subkey revocation: 0 wt215@pip:~/src/pgp/pgp-6.5.8$ GNUPGHOME=../gpgtest gpg --check-sigs --verbose gpg: using PGP trust model ../gpgtest/pubring.gpg ---------------------- pub 1024D/51902F1E 2012-07-27 uid test key <testkey@example.net> sig!3 51902F1E 2012-07-27 test key <testkey@example.net> sub 1024g/02CA3054 2012-07-27 [revoked: 2012-07-27] sig! 51902F1E 2012-07-27 test key <testkey@example.net> rev! 51902F1E 2012-07-27 test key <testkey@example.net> 0 wt215@pip:~/src/pgp/pgp-6.5.8$ LD_PRELOAD=./x/usr/lib/libstdc++.so.2.8 ./pgp -kvv Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc. Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Export of this software may be restricted by the U.S. government. Type bits keyID Date User ID DSS 1024 0x51902F1E 2012/07/27 DH 1024 0x51902F1E 2012/07/27 *** KEY REVOKED *** test key <testkey@example.net> sig 0x51902F1E test key <testkey@example.net> 1 matching key found. 0 wt215@pip:~/src/pgp/pgp-6.5.8$ I also made a bogus subkey revocation packet and tried loading that into a clean PGP 6.5.8 profile instead of the gpg-generated one, and PGP did *not* think that the subkey was properly revoked. So it looks to me like there are at least two implementations that hash more than the key being revoked for subkey revocations. Any pointers to something i've missed in the spec? Or does this warrant an errata? Regards, --dkg [0] http://www.pgpi.org/cgi/download.cgi?filename=PGPcmdln_6.5.8.Lnx_FW.tar.gz
- [openpgp] subkey revocation signatures -- RFC com… Daniel Kahn Gillmor
- Re: [openpgp] subkey revocation signatures -- RFC… Werner Koch
- Re: [openpgp] subkey revocation signatures -- RFC… David Shaw
- Re: [openpgp] subkey revocation signatures -- RFC… Daniel Kahn Gillmor