[openpgp] incomplete/confusing guidance around "Hash" Armor header for cleartext signing framework

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 17 March 2021 14:55 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 620713A0EB5 for <openpgp@ietfa.amsl.com>; Wed, 17 Mar 2021 07:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=P8/P15l6; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=jVHWMnSW
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSUKwj-aUaqR for <openpgp@ietfa.amsl.com>; Wed, 17 Mar 2021 07:55:18 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB15D3A0E94 for <openpgp@ietf.org>; Wed, 17 Mar 2021 07:55:18 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1615992914; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=9fZpBs39ocpehS6IxQetiDgQkcn0VszA2RViqp1m2u4=; b=P8/P15l6omRsizEVglAeG9qunv3iMcVi0Fi0awcxZGn1HRWUXhC4g2C3qNvWK8NGiKjZj /BDC+G5OL2xsUL0Ag==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1615992914; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=9fZpBs39ocpehS6IxQetiDgQkcn0VszA2RViqp1m2u4=; b=jVHWMnSWk321llaFxyvpvPVBzkvCV6h1mAAGKwYRGutgB6YRfzzDNkoz8MJpxcD5BrqXC VqWnfMn4MmXTr2MgMjCG/JD/AdExlJkI4UXNrzX0UIC66bKQiaCE6xthjXeYtRVF1epKAxW XCHTr0t1YOZ+5UDbsszZYXxGheULQ0Md748U2PopIkSpvtq56qHS0j0vBfC9S2xK3Sa53Ck 87vLtdCWagWSj8AXf4c5lmQdPqafoLpIPJjaUeWo34057Zcw/fHkjEEhLGwTTh2TqD3Bri6 VtfJ4b0GFv7iCe0tmm8uk+3jMDwnPDLRgH7MWeuhvZ7dBSiYdR4SpKJTZroA==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id C2D59F9A6 for <openpgp@ietf.org>; Wed, 17 Mar 2021 10:55:14 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 6390020415; Wed, 17 Mar 2021 09:28:10 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Wed, 17 Mar 2021 09:28:09 -0400
Message-ID: <875z1p7vva.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/jHhPgDSwzJVrvW2Ciap9IzyjlHU>
Subject: [openpgp] incomplete/confusing guidance around "Hash" Armor header for cleartext signing framework
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 14:55:22 -0000

(no hats on, just noticed a textual problem and wanted to record it on
the list)

The current draft (and RFC 4880) seems internally inconsistent about the
mandatory nature of the "Hash" armor header in the Cleartext Signing
Framwork section.

In particular, it defines 'one or more "Hash" Armor Headers' as an
official part of what a clearsigned message looks like, but then it
discusses what it means when such a header is absent.  (and, when the
header is absent, it says it uses MD5, yikes -- that makes this relevant
to the crypto refresh).

Additionally, though multiple headers could be present, "If more than
one message digest is used in the signature, the "Hash" armor header
contains a comma-delimited list of used message digests."

Finally, what should an implementation do if the hash header doesn't
match the digests found in the actual signature?

This text should be reworked to make the expectations clearer, both for
those generating such a message and for those consuming it.  And it
should *not* encourage the use of MD5.

I've noted this as
https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/26.  If anyone wants
to propose a patch that cleans this up, that'd be welcome.

     --dkg