Re: [openpgp] subkey revocation signatures -- RFC compliance?

Werner Koch <wk@gnupg.org> Fri, 27 July 2012 08:11 UTC

From: Werner Koch <wk@gnupg.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <87ehnxg6lj.fsf@pip.fifthhorseman.net>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=1E42B367; url=finger:wk@g10code.com
Date: Fri, 27 Jul 2012 10:09:29 +0200
In-Reply-To: <87ehnxg6lj.fsf@pip.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Fri, 27 Jul 2012 00:39:52 -0400")
Message-ID: <87zk6laame.fsf@vigenere.g10code.de>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] subkey revocation signatures -- RFC compliance?

On Fri, 27 Jul 2012 06:39, dkg@fifthhorseman.net said:

>    the first octet).  Key revocation signatures (types 0x20 and 0x28)
>    hash only the key being revoked.
> [...]

This text goes back to the very first published draft from March 98 (the
I-D states 1997, but this is a typo).

> The subkey revocation packet generated by GnuPG 1.4.12 appears to be
> made over a digest that includes both the primary key and the subkey.

So PGP and GnuPG have never been OpenPGP compliant.  Good catch.

I don't have that old OpenPGP toolkit implementation around anymore.  We
should check what it does.

The way it is implemented by GnuPG and PGP might technically be
justified by:

   0x28: Subkey revocation signature
       The signature is calculated directly on the subkey being revoked.
       A revoked subkey is not to be used.  Only revocation signatures
       by the top-level signature key that is bound to this subkey, or
       by an authorized revocation key, should be considered valid
       revocation signatures.

With the exception of an authorized revocation key, the primary key is
required to check the signature and thus it needs to be available.
Hashing the primary key along with the subkey is what we have to do for
other key signatures anyway.

We would need to dive into the WG archives to see why we came up with
the specific requirement.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
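As an added illustration of the discrepancy discussed in this message (not code from the thread, GnuPG or PGP), the following Python builds the data a version 4 subkey revocation signature (type 0x28) is hashed over, following the layout of RFC 4880 section 5.2.4 (0x99 prefix and two-octet length for each key packet, then the hashed signature fields and the 0x04 0xFF trailer), with a switch between the two conventions at issue: hashing only the revoked subkey, as the RFC text says, or hashing the primary key followed by the subkey, as the message reports GnuPG 1.4.12 does. The key material, timestamps and MPIs are constructed placeholders, not real keys, and SHA-256 is an assumed hash choice; a real verifier would select the convention by attempting the public-key verification against each candidate digest rather than comparing digests directly.

```python
"""Hash-input construction for an OpenPGP v4 subkey revocation signature
(type 0x28) under the two conventions discussed on the list:
  - subkey only            (what the RFC text says)
  - primary key, then subkey (what the message reports GnuPG 1.4.12 does)
Layout follows RFC 4880 section 5.2.4.  Key material below is constructed
for illustration and is not real key data."""
import hashlib
import struct

SIG_TYPE_SUBKEY_REVOCATION = 0x28   # RFC 4880 section 5.2.1
PUBKEY_ALGO_RSA = 1                 # RFC 4880 section 9.1
HASH_ALGO_SHA256 = 8                # RFC 4880 section 9.4 (assumed choice here)
SUBPKT_SIG_CREATION_TIME = 2        # RFC 4880 section 5.2.3.1


def mpi(n):
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then big-endian octets."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def key_packet_body(created, algo, mpis):
    """Serialize a version 4 public-key packet body (RFC 4880 section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(n) for n in mpis)


def key_as_hashed(body):
    """A key packet as it enters a key-signature hash: 0x99, two-octet body length, body."""
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def creation_time_subpacket(ts):
    """Hashed subpacket carrying the signature creation time (length, type, 4-octet time)."""
    return bytes([5, SUBPKT_SIG_CREATION_TIME]) + struct.pack(">I", ts)


def sig_hashed_portion(sig_type, pubkey_algo, hash_algo, subpackets):
    """Version 4 signature fields covered by the hash, through the hashed subpackets."""
    return bytes([4, sig_type, pubkey_algo, hash_algo]) + struct.pack(">H", len(subpackets)) + subpackets


def sig_trailer(hashed_portion):
    """v4 trailer: 0x04, 0xFF, then the four-octet big-endian length of the hashed portion."""
    return bytes([4, 0xFF]) + struct.pack(">I", len(hashed_portion))


def subkey_revocation_digest(primary_body, subkey_body, hashed_portion, include_primary):
    """SHA-256 over the data a 0x28 signature is made over, under either convention."""
    h = hashlib.sha256()
    if include_primary:
        h.update(key_as_hashed(primary_body))   # primary+subkey convention (GnuPG/PGP per the thread)
    h.update(key_as_hashed(subkey_body))        # both conventions hash the revoked subkey
    h.update(hashed_portion)
    h.update(sig_trailer(hashed_portion))
    return h.digest()


def classify_digest(observed, primary_body, subkey_body, hashed_portion):
    """Report which convention an observed digest was computed under.
    A real verifier would instead try the public-key verification against each
    candidate digest; here the digests are compared directly for illustration."""
    if observed == subkey_revocation_digest(primary_body, subkey_body, hashed_portion, False):
        return "subkey-only (RFC text)"
    if observed == subkey_revocation_digest(primary_body, subkey_body, hashed_portion, True):
        return "primary+subkey (GnuPG/PGP)"
    return "unknown"


# Constructed sample material (not real keys): toy "RSA" MPIs and fixed timestamps.
PRIMARY = key_packet_body(0x4F800000, PUBKEY_ALGO_RSA, [0xC0FFEE1234567891, 0x10001])
SUBKEY = key_packet_body(0x4F800100, PUBKEY_ALGO_RSA, [0xDEADBEEFCAFEF00D, 0x10001])
HASHED = sig_hashed_portion(SIG_TYPE_SUBKEY_REVOCATION, PUBKEY_ALGO_RSA, HASH_ALGO_SHA256,
                            creation_time_subpacket(0x50120000))

if __name__ == "__main__":
    rfc = subkey_revocation_digest(PRIMARY, SUBKEY, HASHED, False)
    gpg = subkey_revocation_digest(PRIMARY, SUBKEY, HASHED, True)
    print("subkey only    :", rfc.hex())
    print("primary+subkey :", gpg.hex())
    print("classify(gpg)  :", classify_digest(gpg, PRIMARY, SUBKEY, HASHED))
```

The two digests differ for the same subkey and signature fields, which is exactly why a revocation produced under one convention fails to verify under the other; a verifier that wants to honour revocations from both kinds of producer has to compute both candidates and accept the signature if it checks against either one.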