Re: Date fields
hal@finney.org Sat, 31 March 2001 19:09 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA23362 for <openpgp-archive@odin.ietf.org>; Sat, 31 Mar 2001 14:09:50 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id KAA12700 for ietf-openpgp-bks; Sat, 31 Mar 2001 10:53:20 -0800 (PST)
Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA12695 for <ietf-openpgp@imc.org>; Sat, 31 Mar 2001 10:53:18 -0800 (PST)
From: hal@finney.org
Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id KAA25658; Sat, 31 Mar 2001 10:49:56 -0800
Date: Sat, 31 Mar 2001 10:49:56 -0800
Message-Id: <200103311849.KAA25658@finney.org>
To: exelrud@usa.net, ietf-openpgp@imc.org
Subject: Re: Date fields
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
> Are those problems worth the change of the date fields from > localtime to UTC ? They are in UTC. See RFC2440: 3.5. Time fields A time field is an unsigned four-octet number containing the number of seconds elapsed since midnight, 1 January 1970 UTC. Hal Received: by above.proper.com (8.9.3/8.9.3) id KAA12700 for ietf-openpgp-bks; Sat, 31 Mar 2001 10:53:20 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA12695 for <ietf-openpgp@imc.org>; Sat, 31 Mar 2001 10:53:18 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id KAA25658; Sat, 31 Mar 2001 10:49:56 -0800 Date: Sat, 31 Mar 2001 10:49:56 -0800 Message-Id: <200103311849.KAA25658@finney.org> To: exelrud@usa.net, ietf-openpgp@imc.org Subject: Re: Date fields Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > Are those problems worth the change of the date fields from > localtime to UTC ? They are in UTC. See RFC2440: 3.5. Time fields A time field is an unsigned four-octet number containing the number of seconds elapsed since midnight, 1 January 1970 UTC. Hal Received: by above.proper.com (8.9.3/8.9.3) id JAA08660 for ietf-openpgp-bks; Sat, 31 Mar 2001 09:05:54 -0800 (PST) Received: from webmail.vento.com.br ([200.214.174.70]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA08655 for <ietf-openpgp@imc.org>; Sat, 31 Mar 2001 09:05:51 -0800 (PST) Received: from pterodactilo (200.251.73.191) by webmail.vento.com.br (5.1.056) id 3ABFF8C700057B87 for ietf-openpgp@imc.org; Sat, 31 Mar 2001 14:05:50 -0300 Message-ID: <003501c0ba04$55313e60$0140a8c0@pterodactilo> From: "Jacques Exelrud" <exelrud@usa.net> To: <ietf-openpgp@imc.org> Subject: Date fields Date: Sat, 31 Mar 2001 13:54:32 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Recently I was faced with a strange behavior of one of my keys. One of the subkeys was showing the start date of 1/1/2002 and the end date of 31/12/2002 in some machines and 31/12/2001 for starting date and 30/21/2002 for ending date in some other machines. Seems the problem is related to DST as the date is interpreted as localtime and based on wht if those date fall inside DST periods in some countries and if the computer is configured to take this into account or not. Ate least the third subkey does behave this way on my machine. If I turn DST handling on or off the dates do change. What is still not clear is why just one of the subkeys behaves this way and the other two seems imune to that funtinality. In my opinion, this may lead to some problems. For split-keys (hope that's a OpenPGP feature and not just a PGP feature, have not checked the rfc) it may happen that parts of this key be located in different parts of the worl so some group of key holders may be able to still use the key while others may not. For non split-keys the problem may not be as serious. What may happen is that the user may receive an encrypted message with the about to expire subkey while he is waiting to receive the message encrypted to the new subkey. At first sign this does not lead to any security/legal problem. At most the lack of certain on the date the message was generated because there is a one day lag the the key have geographic locations able to use it and some that are not. Are those problems worth the change of the date fields from localtime to UTC ? Thanks in advance, Jacques -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> Comment: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x81F4 iQA/AwUBOsYLxYI01R+B9JjDEQKM7gCfX+KybuWNLNLmkKx97j0bUd61rFYAoMzr QLhupXonjgiDcvsb2ruqxKhm =DzLI -----END PGP SIGNATURE----- Received: by above.proper.com (8.9.3/8.9.3) id SAA14216 for ietf-openpgp-bks; Thu, 29 Mar 2001 18:18:09 -0800 (PST) Received: from webmail.vento.com.br ([200.214.174.71]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA14211 for <ietf-openpgp@imc.org>; Thu, 29 Mar 2001 18:18:06 -0800 (PST) Received: from pterodactilo (200.251.73.186) by webmail.vento.com.br (5.1.056) id 3ABB2F16000712A7 for ietf-openpgp@imc.org; Thu, 29 Mar 2001 23:18:07 -0300 Message-ID: <002601c0b8bf$27a8eba0$0140a8c0@pterodactilo> From: "Jacques Exelrud" <exelrud@usa.net> To: <ietf-openpgp@imc.org> References: <200103291816.KAA11027@finney.org> Subject: Java implementation Date: Thu, 29 Mar 2001 23:14:27 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Does anyone knows if I can find Java implementations of OpenPGP ? Cryptix has one but it's not ready yet. Any other ? Thanks in advance, Jacques Received: by above.proper.com (8.9.3/8.9.3) id KAA18917 for ietf-openpgp-bks; Thu, 29 Mar 2001 10:19:59 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA18913 for <ietf-openpgp@imc.org>; Thu, 29 Mar 2001 10:19:58 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id KAA11027; Thu, 29 Mar 2001 10:16:28 -0800 Date: Thu, 29 Mar 2001 10:16:28 -0800 Message-Id: <200103291816.KAA11027@finney.org> To: ietf-openpgp@imc.org, wk@gnupg.org Subject: Re: Czech attack to PGP Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Werner Koch writes, quoting Hal: > > A thread on sci.crypt recently pointed to an AsiaCrypt 2000 paper by Mihir > > Bellare, http://www-cse.ucsd.edu/users/mihir/papers/oem.html. This is > > Thanks. > > > In our case we might just compute an HMAC over the entire secret key > > packet, and append it. > > This still does not solve the problem, how to get the key for the > HMAC. Yes, it is true we would need another key. > I didn't read the Bellare paper in detail but I can't see > that it goes into the problem of possible interaction between the > encryption and HMAC key. I think it is good practise, not to use > the same key (or a derived onbe). So we would need a second > passphrase - argh. What is usually done is that both the encryption key and the MAC key are derived from a common seed. In this case the seed would be the passphrase. Presently we put the passphrase through a hash-based transform to generate the encryption key. We could use a different transform to generate the HMAC key. Perhaps it could have a different iteration count or the hash function could be pre-loaded with a different prefix value. > > The commercial version of PGP also uses some special S2K values, but > > we could certainly decide on a new value to identify the new form of > > Can you please tell us which identifiers you use, so that we don't > run into problems if we encounter such identifiers. Yes, I'll put together some documentation on these and on the other places we use packets. For now, we use S2K identifier numbers 4 and 5. Hal Received: by above.proper.com (8.9.3/8.9.3) id XAA13854 for ietf-openpgp-bks; Wed, 28 Mar 2001 23:42:45 -0800 (PST) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA13848 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 23:42:43 -0800 (PST) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.16 #1 (Debian)) id 14iXQr-0005lF-00; Thu, 29 Mar 2001 10:05:25 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.12 #1 (Debian)) id 14iX5T-0006si-00; Thu, 29 Mar 2001 09:43:19 +0200 Date: Thu, 29 Mar 2001 09:43:19 +0200 From: Werner Koch <wk@gnupg.org> To: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP Message-ID: <20010329094319.M18296@alberti.gnupg.de> Mail-Followup-To: ietf-openpgp@imc.org References: <200103281918.LAA30520@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.16i In-Reply-To: <200103281918.LAA30520@finney.org>; from hal@finney.org on Wed, Mar 28, 2001 at 11:18:12AM -0800 X-PGP-KeyID: 621CC013 X-PGP-CertKey: A4D9 4E92 B098 6AB5 EE9D CD75 5DE2 4996 5B03 58A2 X-Request-PGP: finger:wk@porta.u64.de Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 28 Mar 2001, hal@finney.org wrote: > A thread on sci.crypt recently pointed to an AsiaCrypt 2000 paper by Mihir > Bellare, http://www-cse.ucsd.edu/users/mihir/papers/oem.html. This is Thanks. > In our case we might just compute an HMAC over the entire secret key > packet, and append it. This still does not solve the problem, how to get the key for the HMAC. I didn't read the Bellare paper in detail but I can't see that it goes into the problem of possible interaction between the encryption and HMAC key. I think it is good practise, not to use the same key (or a derived onbe). So we would need a second passphrase - argh. > The commercial version of PGP also uses some special S2K values, but > we could certainly decide on a new value to identify the new form of Can you please tell us which identifiers you use, so that we don't run into problems if we encounter such identifiers. Ciao, Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: by above.proper.com (8.9.3/8.9.3) id XAA12736 for ietf-openpgp-bks; Wed, 28 Mar 2001 23:36:45 -0800 (PST) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA12725 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 23:36:43 -0800 (PST) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.16 #1 (Debian)) id 14iXL3-0005kx-00; Thu, 29 Mar 2001 09:59:25 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.12 #1 (Debian)) id 14iWzw-0006s7-00; Thu, 29 Mar 2001 09:37:36 +0200 Date: Thu, 29 Mar 2001 09:37:36 +0200 From: Werner Koch <wk@gnupg.org> To: ietf-openpgp@imc.org Subject: Re: Fix the secret key packet, not the S2K Message-ID: <20010329093736.L18296@alberti.gnupg.de> Mail-Followup-To: ietf-openpgp@imc.org References: <200103282349.PAA02149@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.16i In-Reply-To: <200103282349.PAA02149@finney.org>; from hal@finney.org on Wed, Mar 28, 2001 at 03:49:04PM -0800 X-PGP-KeyID: 621CC013 X-PGP-CertKey: A4D9 4E92 B098 6AB5 EE9D CD75 5DE2 4996 5B03 58A2 X-Request-PGP: finger:wk@porta.u64.de Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 28 Mar 2001, hal@finney.org wrote: > comes shortly before the S2K in the secret key packet. This byte is > fixed at a value of 255 to flag that an S2K is in use. We could perhaps > use some alternate value for this byte to flag that the private key is > using a different form of checksum protection. That would be fine with me. Although GnuPG already uses the S2K for similiar purposes. > is a signature subpacket that holds an X.509 cert. We should probably > add these to the revised draft as reserved identifiers. GPG or other > implementations may also have some reserved values. We already have a range for experimental/private extensions (except for the S2K. IMHO, an implementation should use these values as long as that new feature is not in the standard or the WG has agreed on some new values. Of course, there should be a way to distinguish between different usages of those experimental values. For example, GnuPG adds a string "GNU" to its private extensions to the S2K. Ciao, Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: by above.proper.com (8.9.3/8.9.3) id XAA11849 for ietf-openpgp-bks; Wed, 28 Mar 2001 23:32:51 -0800 (PST) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA11833 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 23:32:48 -0800 (PST) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.16 #1 (Debian)) id 14iXHA-0005kr-00; Thu, 29 Mar 2001 09:55:24 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.12 #1 (Debian)) id 14iWue-0006rm-00; Thu, 29 Mar 2001 09:32:08 +0200 Date: Thu, 29 Mar 2001 09:32:08 +0200 From: Werner Koch <wk@gnupg.org> To: ietf-openpgp@imc.org Subject: Re: Fix the secret key packet, not the S2K Message-ID: <20010329093208.K18296@alberti.gnupg.de> Mail-Followup-To: ietf-openpgp@imc.org References: <200103282349.PAA02149@finney.org> <03df01c0b7e9$c8c090a0$23c52609@transarc.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.16i In-Reply-To: <03df01c0b7e9$c8c090a0$23c52609@transarc.ibm.com>; from mwy-opgp97@the-youngs.org on Wed, Mar 28, 2001 at 07:47:07PM -0500 X-PGP-KeyID: 621CC013 X-PGP-CertKey: A4D9 4E92 B098 6AB5 EE9D CD75 5DE2 4996 5B03 58A2 X-Request-PGP: finger:wk@porta.u64.de Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 28 Mar 2001, Michael Young wrote: > >First, the secret key packet as such doesn't have a version number. > > There is no deep reason that it couldn't. Instead of forcing a > tight coupling between the two, give it its own version byte > (starting with 5). The whole public key packet (or just its contents) The problem ist that this is not a local change but _may_ affect other parts of an implementation. For example, at a couple of places we have to check whether this is a v[23] or v4 packet and if at some place a version == 4 has accidently been used this would lead to a lot of other bugs. We are currently planning for interoperability tests and such a change may delay those test even further. By not changing the the packet version number we can implement that as a implementation specific change and don't have to change the specs right now. Ciao, Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: by above.proper.com (8.9.3/8.9.3) id QAA15764 for ietf-openpgp-bks; Wed, 28 Mar 2001 16:50:45 -0800 (PST) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA15759 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 16:50:44 -0800 (PST) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id TAA32092 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 19:44:27 -0500 (EST) Received: from mwyoung (dhcp-197-35.transarc.ibm.com [9.38.197.35]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id TAA05817 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 19:50:16 -0500 (EST) Message-ID: <03df01c0b7e9$c8c090a0$23c52609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <200103282349.PAA02149@finney.org> Subject: Re: Fix the secret key packet, not the S2K Date: Wed, 28 Mar 2001 19:47:07 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- >First, the secret key packet as such doesn't have a version number. There is no deep reason that it couldn't. Instead of forcing a tight coupling between the two, give it its own version byte (starting with 5). The whole public key packet (or just its contents) could follow, including its (independent) version number. > Another place we could represent the alternative format is the byte > which comes shortly before the S2K in the secret key packet. A fine alternative... keeps the compatibility hacks together. How about 254? -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOsKFw2NDnIII+QUHAQHTNQf/R3PgVwTixzk/XnjTpNxstfi2th0MwDrA lFYHDHCHhBrIiPenaqxnGFQ6saAtfJpDGtWkBdC85NyNBDz1j9Z9YQYssh6HC8aC 3jq22nfW//py29GV/QOrO8cUXRhns3nZUJYaYtvO/JB6FtWZpKWJPRsxSmBSgmae P1irG8KvuLeGmmPH6SH/LuESz1Aw1/VPTc2oX5uIWsc+iLDZ600byTchXeKOZasS DDuPLzyxdnTVjDytu5UuBc/AGoDpjynFg6Li2eDf2/XqEwMAAvpOVzZlbxEgg43R 5EgDxFbK7/TQlXS8tPnJv+FL2T9TpE9N2OaHapLGw/4AdXUvmaOTvg== =kjmv -----END PGP SIGNATURE----- Received: by above.proper.com (8.9.3/8.9.3) id QAA14001 for ietf-openpgp-bks; Wed, 28 Mar 2001 16:17:18 -0800 (PST) Received: from barry.mail.mindspring.net (barry.mail.mindspring.net [207.69.200.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA13996 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 16:17:16 -0800 (PST) Received: from [209.86.2.16] (user-38lc01t.dialup.mindspring.com [209.86.0.61]) by barry.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id TAA08079; Wed, 28 Mar 2001 19:16:53 -0500 (EST) Message-Id: <v03110737b6e82d7a8017@[209.86.2.16]> In-Reply-To: <200103281918.LAA30520@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 28 Mar 2001 16:12:43 -0800 To: hal@finney.org, ietf-openpgp@imc.org, wk@gnupg.org From: Bill Frantz <frantz@pwpconsult.com> Subject: Re: Czech attack to PGP Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 11:18 AM -0800 3/28/01, hal@finney.org wrote: >A thread on sci.crypt recently pointed to an AsiaCrypt 2000 paper by Mihir >Bellare, http://www-cse.ucsd.edu/users/mihir/papers/oem.html. This is >a theoretical analysis showing that based on very minimal assumptions >of the properties of MAC and encryption algorithms, the strongest mode >is to encrypt and then MAC. That is, you compute a keyed MAC on the >ciphertext in order to detect modification. > >In our case we might just compute an HMAC over the entire secret key >packet, and append it. I must admit that when coding for the real world, I always liked checking the MAC as late as possible. That lets the MAC check as much of the process as possible for errors. (If you compute the MAC before encryption and check it after decryption, the MAC checks the encryption-decryption process. In real life, I have found a timing dependant error using this check.) In the specific case of secret keys, the arithmetic consistency checks may result in the same degree of assurance as a MAC, so applying the MAC after encryption and checking it before decryption may be the right answer. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | Microsoft Outlook, the | Periwinkle -- Consulting (408)356-8506 | hacker's path to your | 16345 Englewood Ave. frantz@netcom.com | hard disk. | Los Gatos, CA 95032, USA Received: by above.proper.com (8.9.3/8.9.3) id PAA11938 for ietf-openpgp-bks; Wed, 28 Mar 2001 15:52:32 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id PAA11933 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 15:52:30 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id PAA02149; Wed, 28 Mar 2001 15:49:04 -0800 Date: Wed, 28 Mar 2001 15:49:04 -0800 Message-Id: <200103282349.PAA02149@finney.org> To: ietf-openpgp@imc.org, mwy-opgp97@the-youngs.org Subject: Re: Fix the secret key packet, not the S2K Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Michael Young, <mwy-opgp97@the-youngs.org>, writes: > Why is a new S2K mode preferable to a new key version? I see two reasons: First, the secret key packet as such doesn't have a version number. The version number is borrowed from the public key packet that begins the secret key packet. In other words, the secret key packet is a public key packet with extra data stored at the end. So in order to change the secret key packet version, we need to bump the public key packet version. If we create a "V5" secret key then we need to create a corresponding "V5" public key. But since we aren't changing the public key packet format, this is somewhat redundant, since V4 and V5 public keys would be entirely identical. Second, the purpose of the S2K specifier and associated information (algorithm ID etc) is to describe how the secret data is protected. Since we are making a change with regard to this protection, this is a reasonable place to represent that change. > The S2K is used in more than just the secret key packet. > Adding another context-specific flag to the S2K seems > wrong (unless you meant for this checksumming behavior > to apply to other uses, which also seems wrong). This is true, the S2K is also used for passphrase encrypted messages. Another place we could represent the alternative format is the byte which comes shortly before the S2K in the secret key packet. This byte is fixed at a value of 255 to flag that an S2K is in use. We could perhaps use some alternate value for this byte to flag that the private key is using a different form of checksum protection. > Do you think that existing implementations would just > happen to ignore extra bits in the S2K specifier and > extra checksum bytes at the end? If so, I admire > the trickery, but I don't think this is serious > enough to warrant it in the spec -- as many folks have > pointed out, local key storage can use any hackery > an implementation likes anyway. No, I think existing implementations will refuse to use the new keys regardless of where we make the change. > > The commercial version of PGP also uses some special S2K values, but > > Yes... the "raw" key used in key-splitting. > > Which brings me to another point: can we at least > put placeholders in the spec for these existing PGP > product features? I know that some of these hidden > features (ADKs, for instance) are unpopular, but an > OpenPGP implementation may well run across them. > I'd really like the spec to say how they appear (and > even what they do), even if it does not endorse them, > so that implementations can recognize them if they want. > The spec does have a "placeholder" for the ADK > subpacket. Shouldn't it for the S2K extensions? > Are there others we just haven't run across yet? This is a good idea. There are a few others I know of which are undocumented, besides the two S2K identifiers. These relate to X.509 certificate support. There is a packet type used as CRL, and there is a signature subpacket that holds an X.509 cert. We should probably add these to the revised draft as reserved identifiers. GPG or other implementations may also have some reserved values. Hal Received: by above.proper.com (8.9.3/8.9.3) id OAA07151 for ietf-openpgp-bks; Wed, 28 Mar 2001 14:26:10 -0800 (PST) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA07136 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 14:26:03 -0800 (PST) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id RAA30820 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 17:19:45 -0500 (EST) Received: from mwyoung (dhcp-197-35.transarc.ibm.com [9.38.197.35]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id RAA05036 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 17:25:35 -0500 (EST) Message-ID: <007701c0b7d5$af3b73c0$23c52609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <200103281918.LAA30520@finney.org> Subject: Fix the secret key packet, not the S2K Date: Wed, 28 Mar 2001 17:22:49 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hal seems to endorse to Werner's suggestion: > > We introcude a new S2K mode and encrypt this: Why is a new S2K mode preferable to a new key version? The S2K is used in more than just the secret key packet. Adding another context-specific flag to the S2K seems wrong (unless you meant for this checksumming behavior to apply to other uses, which also seems wrong). Do you think that existing implementations would just happen to ignore extra bits in the S2K specifier and extra checksum bytes at the end? If so, I admire the trickery, but I don't think this is serious enough to warrant it in the spec -- as many folks have pointed out, local key storage can use any hackery an implementation likes anyway. > The commercial version of PGP also uses some special S2K values, but Yes... the "raw" key used in key-splitting. Which brings me to another point: can we at least put placeholders in the spec for these existing PGP product features? I know that some of these hidden features (ADKs, for instance) are unpopular, but an OpenPGP implementation may well run across them. I'd really like the spec to say how they appear (and even what they do), even if it does not endorse them, so that implementations can recognize them if they want. The spec does have a "placeholder" for the ADK subpacket. Shouldn't it for the S2K extensions? Are there others we just haven't run across yet? -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOsJj/2NDnIII+QUHAQHU2QgAl36/7/SQ++dtBv1am8pEECYoAF3v7r8+ YOXSImQ9fODIx/hSipgtIrbzz4Ky1rkHPhlLwy43XhOT2msStghXKDgzjYzu2CJn nvyCAkVLrT8QpfOr8cT7gvM4UlkgB5+TmPOJ4Uuz0wtfuz2BLvdBXDEBT9EbeCeE QQuclQ/nJe99Dme1SThnKWRchmF3JkHLOxfS5PHwf0wYXihaL0ziZmQezMvGUQVL zxfWKVlVzCGWwCG7bWtvpr7n6+Ye5ZoCEOCM8Qa642K0EMJ477E7CrSeZbvyMcps 4Vwb20ONtah80/Afko85vjSIzpXgGKQsKQIUihiR8vnSp4BB8ZxaZw== =eplI -----END PGP SIGNATURE----- Received: by above.proper.com (8.9.3/8.9.3) id LAA23748 for ietf-openpgp-bks; Wed, 28 Mar 2001 11:21:59 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA23734 for <ietf-openpgp@imc.org>; Wed, 28 Mar 2001 11:21:48 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id LAA30520; Wed, 28 Mar 2001 11:18:12 -0800 Date: Wed, 28 Mar 2001 11:18:12 -0800 Message-Id: <200103281918.LAA30520@finney.org> To: ietf-openpgp@imc.org, wk@gnupg.org Subject: Re: Czech attack to PGP Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Werner Koch writes: > No need for a new format - doing such changes for OpenPGP right now > will delay getting to draft even more. > > There is a far easier way to do this and we can do this first in our > implementations and use the old format for transferring secret keys > (which is a Bad Thing doing it at all or over an insecure channel): Yes, I like the idea of doing extra checks internally, while retaining at least for now the current format as a data interchange. We could add language to the draft warning implementors to check the arithmetic validity of the keys if the files may have been meddled with. > We introcude a new S2K mode and encrypt this: > > 1. fingerprint of the public key > 2. the secret MPIs > 3. A SHA-1 hash over 1 and 2. A thread on sci.crypt recently pointed to an AsiaCrypt 2000 paper by Mihir Bellare, http://www-cse.ucsd.edu/users/mihir/papers/oem.html. This is a theoretical analysis showing that based on very minimal assumptions of the properties of MAC and encryption algorithms, the strongest mode is to encrypt and then MAC. That is, you compute a keyed MAC on the ciphertext in order to detect modification. In our case we might just compute an HMAC over the entire secret key packet, and append it. Now, Bellare's analysis is highly theoretical, and some of the attacks he shows on other modes are quite artificial. In practice something like what Werner suggests should be fine. But still we might want to consider using the Bellare approach since it is strong even when we consider artificial-seeming attacks. > So either each implementation uses it's own scheme or we agree > informally on one in the (not officially reserved) private range of > S2K mode. The commercial version of PGP also uses some special S2K values, but we could certainly decide on a new value to identify the new form of checksum. Hal Received: by above.proper.com (8.9.3/8.9.3) id XAA09602 for ietf-openpgp-bks; Sun, 25 Mar 2001 23:28:43 -0800 (PST) Received: from breakaway.Stanford.EDU (breakaway.Stanford.EDU [171.64.20.202]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA09598 for <ietf-openpgp@imc.org>; Sun, 25 Mar 2001 23:28:42 -0800 (PST) Received: from localhost (hodges@localhost) by breakaway.Stanford.EDU (8.9.3/8.9.3) with ESMTP id XAA17067 for <ietf-openpgp@imc.org>; Sun, 25 Mar 2001 23:28:41 -0800 (PST) Message-Id: <200103260728.XAA17067@breakaway.Stanford.EDU> X-Mailer: exmh version 2.0.2 2/24/98 Subject: fyi: PGP attack specs [english] To: ietf-openpgp@imc.org Reply-to: ietf-openpgp@imc.org From: Jeff.Hodges@kingsmountain.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 25 Mar 2001 23:28:41 -0800 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> ------- Forwarded Message Date: Sun, 25 Mar 2001 18:13:27 +0100 To: ukcrypto@chiark.greenend.org.uk From: Donald ramsbottom <donald@ramsbottom.co.uk> Subject: PGP attack specs Via Cryptome, below is the URL for the tech specs on the PGP attack http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted ------- End of Forwarded Message Received: by above.proper.com (8.9.3/8.9.3) id AAA10083 for ietf-openpgp-bks; Sun, 25 Mar 2001 00:09:44 -0800 (PST) Received: from sm10.texas.rr.com (sm10.texas.rr.com [24.93.35.222]) by above.proper.com (8.9.3/8.9.3) with ESMTP id AAA10073 for <ietf-openpgp@imc.org>; Sun, 25 Mar 2001 00:09:43 -0800 (PST) Received: from localhost (cs2773-200.houston.rr.com [24.27.73.200]) by sm10.texas.rr.com (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f2P81Bll013083 for <ietf-openpgp@imc.org>; Sun, 25 Mar 2001 02:07:51 -0600 Message-Id: <200103250807.f2P81Bll013083@sm10.texas.rr.com> X-Sender: hermag@excite.com From: "hermag@excite.com" <hermag@excite.com> To: ietf-openpgp@imc.org Date: Sun, 25 Mar 2001 02:04:33 -0600 Subject: Would you like to recieve information on how to register your pet online for free? MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_001__18829276_7473.76" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> This is a Multipart MIME message. ------=_NextPart_000_001__18829276_7473.76 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit ------=_NextPart_000_001__18829276_7473.76 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: base64 PGh0bWw+DQo8aGVhZD4NCjx0aXRsZT5VbnRpdGxlZCBEb2N1bWVudDwvdGl0bGU+DQo8bWV0 YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNl dD1pc28tODg1OS0xIj4NCjwvaGVhZD4NCg0KPGJvZHkgYmdjb2xvcj0iI0ZGRkZGRiIgdGV4 dD0iIzAwMDAwMCI+DQo8cD5IZWxsbyE8L3A+DQo8cD5Xb3VsZCB5b3UgbGlrZSB0byBrbm93 IGhvdyB0byByZWdpc3RlciB5b3VyIHBldCBvbmxpbmUgZm9yIGZyZWU/PC9wPg0KPHA+SWYg eW91IHdvdWxkIGxpa2UgdG8gYmUgcmVtb3ZlZCBmcm9tIGV2ZXIgcmVjZWl2aW5nIGFub3Ro ZXIgZW1haWwgcGxlYXNlIHR5cGUgDQogIFJFTU9WRSBvbmx5IGluIHRoZSByZXR1cm4gc3Vi amVjdCBoZWFkZXIuIFdlIHJlc3BlY3QgeW91ciByaWdodCB0byBwcml2YWN5LjwvcD4NCjxw PklmIHlvdSB3b3VsZCBsaWtlIHRvIHJlY2VpdmUgbW9yZSBpbmZvcm1hdGlvbiBvbiBob3cg dG8gcmVnaXN0ZXIgeW91ciBwZXQgZm9yIA0KICBmcmVlIGp1c3QgcmVwbHkgdG8gdGhpcyBl bWFpbCBtZXNzYWdlIHdpdGggUExFQVNFIFNFTkQgSU5GTyBvbmx5IGluIHRoZSBzdWJqZWN0 IA0KICBoZWFkZXIuPC9wPg0KPHA+PC9wPg0KPHA+VGhhbmsgWW91PGJyPg0KPC9wPg0KPC9i b2R5Pg0KPC9odG1sPg0K ------=_NextPart_000_001__18829276_7473.76-- Received: by above.proper.com (8.9.3/8.9.3) id FAA20116 for ietf-openpgp-bks; Sat, 24 Mar 2001 05:51:14 -0800 (PST) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA20108 for <ietf-openpgp@imc.org>; Sat, 24 Mar 2001 05:51:11 -0800 (PST) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.16 #1 (Debian)) id 14gomb-0008Sz-00; Sat, 24 Mar 2001 15:12:45 +0100 Received: from wk by alberti.gnupg.de with local (Exim 3.12 #1 (Debian)) id 14goRq-0003xF-00; Sat, 24 Mar 2001 14:51:18 +0100 Date: Sat, 24 Mar 2001 14:51:18 +0100 From: Werner Koch <wk@gnupg.org> To: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP Message-ID: <20010324145118.N14316@alberti.gnupg.de> Mail-Followup-To: ietf-openpgp@imc.org References: <200103221851.KAA21545@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200103221851.KAA21545@finney.org>; from hal@finney.org on Thu, Mar 22, 2001 at 10:51:30AM -0800 X-PGP-KeyID: 621CC013 X-PGP-CertKey: A4D9 4E92 B098 6AB5 EE9D CD75 5DE2 4996 5B03 58A2 X-Request-PGP: finger:wk@porta.u64.de Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 22 Mar 2001, hal@finney.org wrote: > and how the key for the HMAC is calculated from the passphrase (generally > it is a good idea for MAC keys to be different from decryption keys). > Do we need to define a new packet format, V5 for keys? Or could we keep No need for a new format - doing such changes for OpenPGP right now will delay getting to draft even more. There is a far easier way to do this and we can do this first in our implementations and use the old format for transferring secret keys (which is a Bad Thing doing it at all or over an insecure channel): We introcude a new S2K mode and encrypt this: 1. fingerprint of the public key 2. the secret MPIs 3. A SHA-1 hash over 1 and 2. This closly resembles the MDC encryption we are now using. The fingerprint also comes handy to store these secret parts on hardware tokens and migh be a good idea anyway for an internal secret key storage format. If there are concerns about known plaintext we could leave the fingerprint out of the encryption so that we hash 1+2 and encrypt 2+3. GnuPG can already use an extension to the secret key protection, which is used to allow for a primary key without secret key but workable secret subkeys (nice on a automated system): | S2K mode 101 is used to identify these extensions. | After the hash algorithm the 3 bytes "GNU" are used to make | clear that these are extensions for GNU, the next bytes gives the | GNU protection mode - 1000. Defined modes are: | 1001 - do not store the secret part at all So either each implementation uses it's own scheme or we agree informally on one in the (not officially reserved) private range of S2K mode. I agree with Hal that there is no urgent need to do something. This might backfire on repudation of the OpenPGP specs. Ciao, Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: by above.proper.com (8.9.3/8.9.3) id UAA00669 for ietf-openpgp-bks; Fri, 23 Mar 2001 20:28:16 -0800 (PST) Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA00665 for <ietf-openpgp@imc.org>; Fri, 23 Mar 2001 20:28:15 -0800 (PST) Received: by cypherpunks.ai (Postfix, from userid 1019) id 1F2D54C; Sat, 24 Mar 2001 00:27:47 -0400 (AST) Date: Sat, 24 Mar 2001 00:27:47 -0400 From: Adam Back <adam@cypherspace.org> To: hal@finney.org Cc: adam@cypherspace.org, ietf-openpgp@imc.org, adamb@zks.net Subject: Re: pgp-6.5.8 secret key keyID export bug? / rfc doesn't specify keyIDs Message-ID: <20010324002747.C21990@cypherpunks.ai> References: <200103240414.UAA03535@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.6i In-Reply-To: <200103240414.UAA03535@finney.org>; from hal@finney.org on Fri, Mar 23, 2001 at 08:14:37PM -0800 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Yes you are right. I'll see if I can fix pgpacket.pl. (It is internally computing hashes using some perl sha1 code.) It has an option not to do it even because the hashes are slow, I should have remembered that as Mark Shoulson was telling me about it. Adam On Fri, Mar 23, 2001 at 08:14:37PM -0800, hal@finney.org wrote: > The keyID is not present as a field in key packets. It must be computed > from the key data. For DSA keys it is defined as the last 64 (or 32) > bits of the fingerprint, which is itself a hash of the data in the public > key packet. > > Probably that packet-dump program you were using computes keyids > incorrectly for private key packets. It is probably hashing too much > data. Received: by above.proper.com (8.9.3/8.9.3) id UAA00525 for ietf-openpgp-bks; Fri, 23 Mar 2001 20:18:34 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id UAA00521 for <ietf-openpgp@imc.org>; Fri, 23 Mar 2001 20:18:33 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id UAA03535; Fri, 23 Mar 2001 20:14:37 -0800 Date: Fri, 23 Mar 2001 20:14:37 -0800 Message-Id: <200103240414.UAA03535@finney.org> To: adam@cypherspace.org, ietf-openpgp@imc.org Subject: Re: pgp-6.5.8 secret key keyID export bug? / rfc doesn't specify keyIDs Cc: adamb@zks.net Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Adam writes: > actually it looks like gnuPG does the same thing as PGP. > > I'm presuming the keyID includes the private key components for private > keys, so the private key has a different keyID even though the gui doesn't > display it that way, if you display the contents of the private key file. > > So I guess you have to compute the keyID rather than reading it in form the > secret key file if you're working from a secret key and not a public key. The keyID is not present as a field in key packets. It must be computed from the key data. For DSA keys it is defined as the last 64 (or 32) bits of the fingerprint, which is itself a hash of the data in the public key packet. Probably that packet-dump program you were using computes keyids incorrectly for private key packets. It is probably hashing too much data. Hal Received: by above.proper.com (8.9.3/8.9.3) id TAA29732 for ietf-openpgp-bks; Fri, 23 Mar 2001 19:45:35 -0800 (PST) Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA29728 for <ietf-openpgp@imc.org>; Fri, 23 Mar 2001 19:45:33 -0800 (PST) Received: by cypherpunks.ai (Postfix, from userid 1019) id 2CEDE94; Fri, 23 Mar 2001 23:45:07 -0400 (AST) Date: Fri, 23 Mar 2001 23:45:07 -0400 From: Adam Back <adam@cypherspace.org> To: ietf-openpgp@imc.org Cc: adamb@zks.net Subject: Re: pgp-6.5.8 secret key keyID export bug? / rfc doesn't specify keyIDs Message-ID: <20010323234507.B21990@cypherpunks.ai> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.6i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I wrote: > (I was testing with gnuPG 1.0.4 also, and it seems to do the right thing.) actually it looks like gnuPG does the same thing as PGP. I'm presuming the keyID includes the private key components for private keys, so the private key has a different keyID even though the gui doesn't display it that way, if you display the contents of the private key file. So I guess you have to compute the keyID rather than reading it in form the secret key file if you're working from a secret key and not a public key. Adam Received: by above.proper.com (8.9.3/8.9.3) id TAA29389 for ietf-openpgp-bks; Fri, 23 Mar 2001 19:28:14 -0800 (PST) Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA29385 for <ietf-openpgp@imc.org>; Fri, 23 Mar 2001 19:28:12 -0800 (PST) Received: by cypherpunks.ai (Postfix, from userid 1019) id 5F01694; Fri, 23 Mar 2001 23:27:45 -0400 (AST) Date: Fri, 23 Mar 2001 23:27:45 -0400 From: Adam Back <adam@cypherspace.org> To: ietf-openpgp@imc.org Cc: adamb@zks.net Subject: pgp-6.5.8 secret key keyID export bug? / rfc doesn't specify keyIDs Message-ID: <20010323232745.A21990@cypherpunks.ai> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.6i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I notice that pgp-6.5.8 outputs (using pgpacket3.1.pl), when you export a private DSA key: > --------------------------- > Packet Type: Secret Key Packet > Length: 443 > Version Byte: 4 > Key Created: 23 Mar 2001 00:32:07 > Algorithm: 17 (DSA) > P: 0xFF1C014574D484878B11438147F1B6D763701B486BFBFED1CC151533CDEBC0B3871A5180B209195E28FB6B4F8C9DDC354CE97CF73ADD0B9AB7855F3AC5A915A9A5F75008ABD4FB0E751D3B31FBE63A8F8BC961FCA625B8F0F990B7EC989875A1119470C5DCA4C692C7687B901B86C0105A4A8AE2A56F373B3603C1970F7AB6D5 > Q: 0xFFF7C19017F4FDB1BA22D013835819FFBD290F91 > G: 0x3706F602DB508F8AC6B871EB266712859A2F52A90F311DA9D6033FE251E58BDDF7BFDF7EE52558E270677F19AF2AEAE4E1AF6E723B79382DB2DAB846FDB8A852630BC1A9B1E4B7CE185A8211B0F91CBF04C086DAA921F254B5C9A92FA1023D2AB4A472EFD524321D8D1920CCF9CE339BC11ED4FFE7CAC886503461B6CE9CD528 > Y: 0x13035892703E33CEA75C2E437444D5EC1E9CE5F1473442760A1C3EB34A15331EC6AF6673F5287C20FEE84B5193CD784214DAFF55AD09737E7A724AE18F8D2E1DA5EB1CB33A7F0B33D001EBD003C2F60D550EC6DC71ADD68457A5F34EEE10031875885622670DC9541E0F2DD5472B04A3C3AA5BA0EA856DFCA6CC862DA216EE1B > Protection Algorithm: 0 (None). > X: 0x009E3362E8C0A65C6921FCE2890727BC0DD4E1C8E83A > Checksum: 0x0B64 > Key ID: 0xBF9829693FEB29C7 but the public key keyID is different (and correct): --------------------------- Packet Type: Public Key Packet Length: 418 Version Byte: 4 Key Created: 23 Mar 2001 00:32:07 Algorithm: 17 (DSA) P: 0xFF1C014574D484878B11438147F1B6D763701B486BFBFED1CC151533CDEBC0B3871A5180B209195E28FB6B4F8C9DDC354CE97CF73ADD0B9AB7855F3AC5A915A9A5F75008ABD4FB0E751D3B31FBE63A8F8BC961FCA625B8F0F990B7EC989875A1119470C5DCA4C692C7687B901B86C0105A4A8AE2A56F373B3603C1970F7AB6D5 Q: 0xFFF7C19017F4FDB1BA22D013835819FFBD290F91 G: 0x3706F602DB508F8AC6B871EB266712859A2F52A90F311DA9D6033FE251E58BDDF7BFDF7EE52558E270677F19AF2AEAE4E1AF6E723B79382DB2DAB846FDB8A852630BC1A9B1E4B7CE185A8211B0F91CBF04C086DAA921F254B5C9A92FA1023D2AB4A472EFD524321D8D1920CCF9CE339BC11ED4FFE7CAC886503461B6CE9CD528 Y: 0x13035892703E33CEA75C2E437444D5EC1E9CE5F1473442760A1C3EB34A15331EC6AF6673F5287C20FEE84B5193CD784214DAFF55AD09737E7A724AE18F8D2E1DA5EB1CB33A7F0B33D001EBD003C2F60D550EC6DC71ADD68457A5F34EEE10031875885622670DC9541E0F2DD5472B04A3C3AA5BA0EA856DFCA6CC862DA216EE1B Key ID: 0xF77801127F715726 and the self-sigature made by that key identifies itself by a the same correct keyID. So a couple of problems: - is pgp-6.5.8 using the keyID field on secret key packets for something else (checksum?), or is it a bug? - rfc2440 does not mention the keyID which is part of the secret key and public key packets. If you look in sections 5.5.2 and 5.5.3 there appears to be no mention of the keyID. This seems like an error in the RFC. (I was testing with gnuPG 1.0.4 also, and it seems to do the right thing.) Adam Received: by above.proper.com (8.9.3/8.9.3) id XAA02750 for ietf-openpgp-bks; Thu, 22 Mar 2001 23:54:06 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA02743 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 23:54:03 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2N7s1n13338 for ietf-openpgp@imc.org; Fri, 23 Mar 2001 08:54:01 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Re: Czech attack to PGP Date: 23 Mar 2001 07:54:01 GMT Organization: IKS GmbH Jena Lines: 20 Message-ID: <slrn9bm03b.ji.lutz@taranis.iks-jena.de> References: <200103222355.PAA06633@above.proper.com> NNTP-Posting-Host: taranis.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * alphabeta@beta2.freedom.net wrote: >Then there is the issue that if we are changing the packet format, maybe >we should make other changes as well. There is no need to do so. >Then, if we're changing the secret key packet format, should the public >key packet be changed as well, There is not connection between the public and the secret key format. >kind of opens a can of worms if we go this way. On the other hand, given >that any new key format won't be backwards-compatible, if there are other >secret-key-specific changes this might be a good time to make them. I oppose quick changes. OpenPGP needs a deep protocol analysis and a much easier format. This can't be done in a few weeks. Our short term solution should be: Encourage the implementors to choose better storage formats and urge more integrity checks. Received: by above.proper.com (8.9.3/8.9.3) id VAA16633 for ietf-openpgp-bks; Thu, 22 Mar 2001 21:26:12 -0800 (PST) Received: from rcn.ihtfp.org (me@pcp000818pcs.wireless.meeting.ietf.org [135.222.65.62]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA16629 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 21:26:10 -0800 (PST) Received: (from warlord@localhost) by rcn.ihtfp.org (8.9.3) id AAA25433; Fri, 23 Mar 2001 00:26:13 -0500 To: Taral <taral@taral.net> Cc: ietf-openpgp@imc.org Subject: Re: Question References: <20010322172647.A3761@taral.net> <sjmitl116gb.fsf@rcn.ihtfp.org> <20010322232340.A6215@taral.net> From: Derek Atkins <warlord@mit.edu> Date: 23 Mar 2001 00:26:08 -0500 In-Reply-To: Taral's message of "Thu, 22 Mar 2001 23:23:40 -0600" Message-ID: <sjmhf0l12fj.fsf@rcn.ihtfp.org> Lines: 60 X-Mailer: Gnus v5.5/Emacs 20.3 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> And this is one way in which MIME was broken to begin with, because it didn't play nice with security. With security multiparts, you MUST NOT change the message in transit. If you want to change it, you must super-encode it, so that in the end you can return to the original bit-stream of the original message. -derek Taral <taral@taral.net> writes: > --/9DWx/yDrRhgMJTb > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Thu, Mar 22, 2001 at 10:59:16PM -0500, Derek Atkins wrote: > > The multipart/security RFC (please excuse me for not spewing the > > number) specifically forbids MIME agents from re-calcuating the > > _INTERNAL_ CTE of a message. You may change the CTE of a message for > > transport, but you must revert to the original CTE before security > > decapsulation. > >=20 > > In other words, sendmail may apply a radix64 to the message provided > > that the receiving sendmail reverts the radix64 back to the original > > form. In other other words, multipart/security forbids the use of > > this MIME feature. > > This seems awfully strange. The whole point of MIME is to be able to > be permissive in these kinds of things. Having read the MIME standards a > few times, I would never have assumed that a multipart type would ever > have special restrictions like this based on subtype. In fact, > multipart/signed is not required to be implemented by agents, and they > are _explicitly_ permitted to treated like multipart/mixed, in which the > CTE can be changed if recoding is needed. > > --=20 > Taral <taral@taral.net> > Please use PGP/GPG to send me mail. > "Never ascribe to malice what can as easily be put down to stupidity." > > --/9DWx/yDrRhgMJTb > Content-Type: application/pgp-signature > Content-Disposition: inline > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iEYEARECAAYFAjq63dwACgkQ7rh4CE+nYElQrQCfat5GtKE0EzfT922bouIMunPi > xEkAn3BOVqwFU8scRR6OVDwV7ZVqAEI9 > =0YMf > -----END PGP SIGNATURE----- > > --/9DWx/yDrRhgMJTb-- -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available Received: by above.proper.com (8.9.3/8.9.3) id VAA16591 for ietf-openpgp-bks; Thu, 22 Mar 2001 21:23:38 -0800 (PST) Received: from dragon.taral.net (postfix@cs666822-22.austin.rr.com [66.68.22.22]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA16586 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 21:23:36 -0800 (PST) Received: by dragon.taral.net (Postfix, from userid 1000) id 50AC512CE4; Thu, 22 Mar 2001 23:23:40 -0600 (CST) Date: Thu, 22 Mar 2001 23:23:40 -0600 From: Taral <taral@taral.net> To: Derek Atkins <warlord@mit.edu> Cc: ietf-openpgp@imc.org Subject: Re: Question Message-ID: <20010322232340.A6215@taral.net> References: <20010322172647.A3761@taral.net> <sjmitl116gb.fsf@rcn.ihtfp.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="/9DWx/yDrRhgMJTb" Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: <sjmitl116gb.fsf@rcn.ihtfp.org>; from warlord@MIT.EDU on Thu, Mar 22, 2001 at 10:59:16PM -0500 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --/9DWx/yDrRhgMJTb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Mar 22, 2001 at 10:59:16PM -0500, Derek Atkins wrote: > The multipart/security RFC (please excuse me for not spewing the > number) specifically forbids MIME agents from re-calcuating the > _INTERNAL_ CTE of a message. You may change the CTE of a message for > transport, but you must revert to the original CTE before security > decapsulation. >=20 > In other words, sendmail may apply a radix64 to the message provided > that the receiving sendmail reverts the radix64 back to the original > form. In other other words, multipart/security forbids the use of > this MIME feature. This seems awfully strange. The whole point of MIME is to be able to be permissive in these kinds of things. Having read the MIME standards a few times, I would never have assumed that a multipart type would ever have special restrictions like this based on subtype. In fact, multipart/signed is not required to be implemented by agents, and they are _explicitly_ permitted to treated like multipart/mixed, in which the CTE can be changed if recoding is needed. --=20 Taral <taral@taral.net> Please use PGP/GPG to send me mail. "Never ascribe to malice what can as easily be put down to stupidity." --/9DWx/yDrRhgMJTb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjq63dwACgkQ7rh4CE+nYElQrQCfat5GtKE0EzfT922bouIMunPi xEkAn3BOVqwFU8scRR6OVDwV7ZVqAEI9 =0YMf -----END PGP SIGNATURE----- --/9DWx/yDrRhgMJTb-- Received: by above.proper.com (8.9.3/8.9.3) id TAA15492 for ietf-openpgp-bks; Thu, 22 Mar 2001 19:59:35 -0800 (PST) Received: from rcn.ihtfp.org (me@pcp000818pcs.wireless.meeting.ietf.org [135.222.65.62]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA15488 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 19:59:33 -0800 (PST) Received: (from warlord@localhost) by rcn.ihtfp.org (8.9.3) id WAA25292; Thu, 22 Mar 2001 22:59:21 -0500 To: Taral <taral@taral.net> Cc: ietf-openpgp@imc.org Subject: Re: Question References: <20010322172647.A3761@taral.net> From: Derek Atkins <warlord@mit.edu> Date: 22 Mar 2001 22:59:16 -0500 In-Reply-To: Taral's message of "Thu, 22 Mar 2001 17:26:47 -0600" Message-ID: <sjmitl116gb.fsf@rcn.ihtfp.org> Lines: 57 X-Mailer: Gnus v5.5/Emacs 20.3 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> The multipart/security RFC (please excuse me for not spewing the number) specifically forbids MIME agents from re-calcuating the _INTERNAL_ CTE of a message. You may change the CTE of a message for transport, but you must revert to the original CTE before security decapsulation. In other words, sendmail may apply a radix64 to the message provided that the receiving sendmail reverts the radix64 back to the original form. In other other words, multipart/security forbids the use of this MIME feature. -derek Taral <taral@taral.net> writes: > --tKW2IUtsqtDRztdT > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > [ Please Cc: me on messages, I am not on this list ] > > I'm sure this has been asked before, but I'm going to ask it, because I > have yet to locate a sufficient answer. > > In the current PGP/MIME standard, it is specifically stated that > signatures are calculated after the application of the CTE. However, > RFC 2045 makes it clear that MTAs may re-encode bodies as necessary. The > way signatures are currently calculated, this operation (which is > perfectly valid under MIME) invalidates the signature. Can anyone > explain why this would be a desirable situation? > > --=20 > Taral <taral@taral.net> > Please use PGP/GPG to send me mail. > "Never ascribe to malice what can as easily be put down to stupidity." > > --tKW2IUtsqtDRztdT > Content-Type: application/pgp-signature > Content-Disposition: inline > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iEYEARECAAYFAjq6ijcACgkQ7rh4CE+nYEkQ/gCeJMAPsXtQ5/j6LMxpEoEk9HWN > BPsAoPLXQ1VMF8SC6WrmZU6kS5nbEMjX > =snc9 > -----END PGP SIGNATURE----- > > --tKW2IUtsqtDRztdT-- -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available Received: by above.proper.com (8.9.3/8.9.3) id QAA07900 for ietf-openpgp-bks; Thu, 22 Mar 2001 16:28:43 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA07891 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 16:28:41 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14gFRA-0007oY-00; Fri, 23 Mar 2001 01:28:16 +0100 To: alphabeta@beta2.freedom.net Cc: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP References: <200103222355.AAA17509@artemis.rus.uni-stuttgart.de> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 23 Mar 2001 01:28:16 +0100 In-Reply-To: <200103222355.AAA17509@artemis.rus.uni-stuttgart.de> Message-ID: <tg7l1h72hr.fsf@mercury.rus.uni-stuttgart.de> Lines: 17 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> alphabeta@beta2.freedom.net writes: > Then there is the issue that if we are changing the packet format, maybe > we should make other changes as well. Then, if we're changing the secret > key packet format, should the public key packet be changed as well, > which introduces interoperability and backwards-compatiblity problems. It's certainly better to break compatibility explicitly than to introduce a new interpretation of an existing data format (e.g. based on packet length). The former will result in clear error messages for users of old software, the latter will cause obscure errors and messages. -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.9.3/8.9.3) id PAA06637 for ietf-openpgp-bks; Thu, 22 Mar 2001 15:55:54 -0800 (PST) Received: from RELAY.beta2.freedom.net (relay.beta2.freedom.net [207.107.115.76]) by above.proper.com (8.9.3/8.9.3) with SMTP id PAA06633 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 15:55:53 -0800 (PST) From: alphabeta@beta2.freedom.net Message-Id: <200103222355.PAA06633@above.proper.com> Received: (qmail 23551 invoked from network); 22 Mar 2001 23:55:52 -0000 Received: from unknown (207.107.115.85) by 0 with QMQP; 22 Mar 2001 23:55:52 -0000 Received: (qmail 11057 invoked from network); 22 Mar 2001 23:55:52 -0000 Received: from unknown (207.107.115.83) by 0 with QMQP; 22 Mar 2001 23:55:52 -0000 Received: from unknown (192.168.84.11) by 0 with SMTP; 22 Mar 2001 23:55:51 -0000 X-Freedom-Envelope-Sig: ietf-openpgp@imc.org AQEN/97SMl6dI10KmFsERdtsBF7zIgdw6l1X+1y0/W7atydMQOzJHVNr Date: Thu, 22 Mar 2001 15:52:06 -0800 Old-From: alphabeta@beta2.freedom.net To: Florian.Weimer@RUS.Uni-Stuttgart.DE, ietf-openpgp@imc.org Subject: Re: Czech attack to PGP Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Florian Weimer, <Florian.Weimer@RUS.Uni-Stuttgart.DE>, writes: > Hmm. What about introducing a new secret key packet with a hash > instead of a checksum? This approach seems to be much cleaner, and it > doesn't cause surprising problems for the end user. I think that is basically what I was suggesting, except using an HMAC (which is a keyed hash). This would be a new format for secret key packets. Then we'd have to work out the details in terms of what we do with version numbers and such. Then there is the issue that if we are changing the packet format, maybe we should make other changes as well. Then, if we're changing the secret key packet format, should the public key packet be changed as well, which introduces interoperability and backwards-compatiblity problems. It kind of opens a can of worms if we go this way. On the other hand, given that any new key format won't be backwards-compatible, if there are other secret-key-specific changes this might be a good time to make them. Hal ________________________________________________________________________ Total Internet Privacy -- get your Freedom Nym at http://www.freedom.net Received: by above.proper.com (8.9.3/8.9.3) id PAA04398 for ietf-openpgp-bks; Thu, 22 Mar 2001 15:26:45 -0800 (PST) Received: from dragon.taral.net (postfix@cs666822-22.austin.rr.com [66.68.22.22]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA04392 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 15:26:44 -0800 (PST) Received: by dragon.taral.net (Postfix, from userid 1000) id 4E65312CE4; Thu, 22 Mar 2001 17:26:47 -0600 (CST) Date: Thu, 22 Mar 2001 17:26:47 -0600 From: Taral <taral@taral.net> To: ietf-openpgp@imc.org Subject: Question Message-ID: <20010322172647.A3761@taral.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT" Content-Disposition: inline User-Agent: Mutt/1.3.15i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --tKW2IUtsqtDRztdT Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [ Please Cc: me on messages, I am not on this list ] I'm sure this has been asked before, but I'm going to ask it, because I have yet to locate a sufficient answer. In the current PGP/MIME standard, it is specifically stated that signatures are calculated after the application of the CTE. However, RFC 2045 makes it clear that MTAs may re-encode bodies as necessary. The way signatures are currently calculated, this operation (which is perfectly valid under MIME) invalidates the signature. Can anyone explain why this would be a desirable situation? --=20 Taral <taral@taral.net> Please use PGP/GPG to send me mail. "Never ascribe to malice what can as easily be put down to stupidity." --tKW2IUtsqtDRztdT Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjq6ijcACgkQ7rh4CE+nYEkQ/gCeJMAPsXtQ5/j6LMxpEoEk9HWN BPsAoPLXQ1VMF8SC6WrmZU6kS5nbEMjX =snc9 -----END PGP SIGNATURE----- --tKW2IUtsqtDRztdT-- Received: by above.proper.com (8.9.3/8.9.3) id MAA21239 for ietf-openpgp-bks; Thu, 22 Mar 2001 12:25:39 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA21235 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 12:25:37 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012017.qualcomm.com [10.13.12.17]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2MKPXV24919; Thu, 22 Mar 2001 12:25:33 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <a05100705b6e00c3468a0@[135.222.66.224]> In-Reply-To: <slrn9bklqr.6i7.lutz@belenus.iks-jena.de> References: <200103221851.KAA21545@finney.org> <slrn9bklqr.6i7.lutz@belenus.iks-jena.de> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 X-Priority: 2 (High) Date: Thu, 22 Mar 2001 14:16:04 -0600 To: lutz@iks-jena.de (Lutz Donnerhacke) From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: Czech attack to PGP - keep the kimono closed Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 7:49 PM +0000 3/22/01, Lutz Donnerhacke wrote: >Ack. We should stress that private key files should not reside on shared >media and that OpenPGP ist a transport message format, not a local storage >recommendation. Implementations are free to choose anything else. Yes, definitely, Lutz. This has been mentioned in a number of different messages, but this is probably the single most important point, and worth singling it out. Transferring secret key files makes them vulnerable to attack. Vlastimil and Rosa have shown a particular way to attack them. best, -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id LAA17605 for ietf-openpgp-bks; Thu, 22 Mar 2001 11:49:48 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA17599 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 11:49:46 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2MJnl019959 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 20:49:47 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Re: Czech attack to PGP Date: 22 Mar 2001 19:49:47 GMT Organization: IKS GmbH Jena Lines: 85 Message-ID: <slrn9bklqr.6i7.lutz@belenus.iks-jena.de> References: <200103221851.KAA21545@finney.org> NNTP-Posting-Host: belenus.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * hal@finney.org wrote: >The RSA attack is the one Lutz called a "Bellcore" attack, based on the >Eurocrypt 97 paper by Boneh et al at >http://theory.stanford.edu/~dabo/papers/faults.ps.gz. Yep. Thanks for the link. 'Bellcore attack' is the name in the German smartcard hacking scene. >one side of the signature is done wrong. Specifically they change the >last value in the secret key, "u", which is the inverse of p mod q. Posted this yesterday: Yep possible, even to change the checksum. >The DSA attack is quite different. In this case they change the >public parameters of the DSA key to weaken it but leave the private >part alone. They change p and g to be a group where discrete logs are >easy, one where (p-1) has only small factors. Then when the signature >is calculated, they can find the secret k value by taking the discrete >log of r, and from this they can calculate the user's secret key. Great idea. >whenever it decrypts RSA private key data, it does the following checks: > > n = p*q > d*e mod p = 1 > d*e mod q = 1 > p*u mod q = 1 > >This validates all of the private key data and makes sure it is consistent >with the public key values. In particular the last check prevents the It makes sure, that is consistent in itself, but it does not say anything about a prevented attack: Assume an attack able to modifiy the parameter q to be equal 1. If have to sleep about this. >Note that these checks are quite fast, just a few multiplies and >divides, so they do not slow down the signature calculation by much, >since it involves exponentiations. They do not address probability attacks to errors in the MPI calculus. (Wait for a bellcore scenario ... most customer PCs run far from there specifications, so we have a real smartcard analogon). Thats why PGP263(i)n does check against any miscalculations. > - Use CBC mode rather than CFB to encrypt private key components > - Use an HMAC to protect public and private key data > - Use PSS padding from PKCS-1 v 2.1 rather than the v 1.5 padding I'd like to add: Throw away the bit gambling. Redesign from scratch. >bit pattern into it. They use this to attack RSA V4 keys. However, >CBC mode allows similar perturbations, but to the first block rather >than the last block. So this fix does not go to the heart of the problem >and could still leave vulnerabilities. Yep. This would be a HMAC. >The last idea, to use PSS padding, also does not seem to fundamentally >help. It would still be possible to disrupt the CRC calculation. We could prevent algebraic attacks by applying the P.1363 recommendation. >Broadly speaking, because the attack requires write access to users' >private keys, I don't think making changes is an urgent matter. Ack. We should stress that private key files should not reside on shared media and that OpenPGP ist a transport message format, not a local storage recommendation. Implementations are free to choose anything else. >Do we need to define a new packet format, V5 for keys? Or could we keep >the old format number and use the length difference of a 20-byte HMAC >vs a 2-byte checksum to recognize which one is being used? No more bit gamblings! Use v5 for secret keys. A public part to index and a whole encrypted and hashed private part including the whole pulic key data again. >If we do add an HMAC, software could then work in a mode where old-format >keys get the extra checks applied to carefully validate them, then >get rewritten using the HMAC. From then on the extra checks are not >necessary and the HMAC alone will detect changes. So we will retain >fast performance, plus have security against tampered private key files. I'm feeling bad. Received: by above.proper.com (8.9.3/8.9.3) id LAA16724 for ietf-openpgp-bks; Thu, 22 Mar 2001 11:39:09 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA16718 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 11:39:07 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14gAuv-0006wQ-00 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 20:38:41 +0100 To: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP References: <200103221851.KAA21545@finney.org> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 22 Mar 2001 20:38:41 +0100 In-Reply-To: <200103221851.KAA21545@finney.org> Message-ID: <tgd7b97fwe.fsf@mercury.rus.uni-stuttgart.de> Lines: 19 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> hal@finney.org writes: > Do we need to define a new packet format, V5 for keys? A V5 key format could address the protocol error with key expiration, too. > Or could we keep the old format number and use the length difference > of a 20-byte HMAC vs a 2-byte checksum to recognize which one is > being used? Hmm. What about introducing a new secret key packet with a hash instead of a checksum? This approach seems to be much cleaner, and it doesn't cause surprising problems for the end user. -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.9.3/8.9.3) id LAA16523 for ietf-openpgp-bks; Thu, 22 Mar 2001 11:32:14 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA16519 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 11:32:12 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2MJWDP19243 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 20:32:13 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Re: Czech attack to PGP Date: 22 Mar 2001 19:32:12 GMT Organization: IKS GmbH Jena Lines: 14 Message-ID: <slrn9bkkps.6i7.lutz@belenus.iks-jena.de> References: <200103221756.JAA20729@finney.org> <tgu24l8w51.fsf@mercury.rus.uni-stuttgart.de> NNTP-Posting-Host: belenus.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * Florian Weimer wrote: >hal@finney.org writes: >> whenever it decrypts RSA private key data, it does the following checks: >> n = p*q Nope. I'd rejected this to do the more general check recommented in the smarcard papers: Check the whole cryptosystem (at least the RSA part). My n=p*q check was driven by a complete other reason: n is used to determine the blocksize of the result. >I'm sorry about that. Yep. I told you it is a bad idea to check only the parts known to be attackable. Assume an error in mpilib ... Received: by above.proper.com (8.9.3/8.9.3) id LAA14793 for ietf-openpgp-bks; Thu, 22 Mar 2001 11:03:02 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA14788 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 11:03:00 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14gALy-0006oJ-00 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 20:02:34 +0100 To: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP References: <200103221756.JAA20729@finney.org> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 22 Mar 2001 20:02:34 +0100 In-Reply-To: <200103221756.JAA20729@finney.org> Message-ID: <tgu24l8w51.fsf@mercury.rus.uni-stuttgart.de> Lines: 18 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> hal@finney.org writes: > The commercial version of PGP, and possibly others, does extra checks on > RSA private keys which prevent the RSA attack from working. Specifically, > whenever it decrypts RSA private key data, it does the following checks: > > n = p*q I missed the attacks on the supposedly protected part of the secret key packet, and n = p*q is the only check performed by GnuPG, so GnuPG *is* vulnerable against these attacks, despite my claim that is not. I'm sorry about that. -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA14119 for ietf-openpgp-bks; Thu, 22 Mar 2001 10:55:12 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA14113 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 10:55:07 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id KAA21545 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 10:51:30 -0800 Date: Thu, 22 Mar 2001 10:51:30 -0800 Message-Id: <200103221851.KAA21545@finney.org> To: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> [I sent this an hour ago but it has not appeared so I'm trying again...] Links to English language versions of their paper and PowerPoint slides are at http://www.i.cz/en/. There are really two different attacks, one for RSA and one for DSA. Both require modifying your secret key file. Of course, for most users this is not an issue. Any attacker who could get to their secret key file and modify it would also be able to modify their PGP executable or public key file and weaken the program in any number of ways. So the practical impact of this attack is very low. However it is very interesting theoretically. Even though the attack is relatively easy to see once the idea is raised (several people had reconstructed the attack just from the press release in the last few days), it is a new idea and may be applicable to other systems than OpenPGP. The RSA attack is the one Lutz called a "Bellcore" attack, based on the Eurocrypt 97 paper by Boneh et al at http://theory.stanford.edu/~dabo/papers/faults.ps.gz. One of the attacks in this paper is against RSA done using the Chinese Remainder Theorem. (The authors of the Czech paper attributed the idea to Arjen Lenstra.) This optimization of RSA signature involves doing the calculation twice, mod p and mod q, and then combining the result. Boneh/Lenstra showed that if you could disrupt one side of this calculation, the resulting signature would leak the key. His group was looking at hardware faults, but the Czech group accomplishes the same thing by perturbing some of the RSA secret parameters so that one side of the signature is done wrong. Specifically they change the last value in the secret key, "u", which is the inverse of p mod q. This disrupts the part of the CRT calculation which is mod q while leaving the mod p alone, satisfying the requirement for the Boneh attack. A simple subtraction and GCD will recover p from the result. The DSA attack is quite different. In this case they change the public parameters of the DSA key to weaken it but leave the private part alone. They change p and g to be a group where discrete logs are easy, one where (p-1) has only small factors. Then when the signature is calculated, they can find the secret k value by taking the discrete log of r, and from this they can calculate the user's secret key. The commercial version of PGP, and possibly others, does extra checks on RSA private keys which prevent the RSA attack from working. Specifically, whenever it decrypts RSA private key data, it does the following checks: n = p*q d*e mod p = 1 d*e mod q = 1 p*u mod q = 1 This validates all of the private key data and makes sure it is consistent with the public key values. In particular the last check prevents the Czech attack from working as a change to u will make this one fail. Note that these checks are quite fast, just a few multiplies and divides, so they do not slow down the signature calculation by much, since it involves exponentiations. Unfortunately such fast checks are not possible for DSA keys. To validate the parameters two exponentiations are necessary, while only one exponentiation is used in a DSA signature. Doing validations will therefore slow down DSA signing by a factor of three. The authors of the paper make several recommendations for changes to OpenPGP to address these kinds of attacks. They are: - Use CBC mode rather than CFB to encrypt private key components - Use an HMAC to protect public and private key data - Use PSS padding from PKCS-1 v 2.1 rather than the v 1.5 padding The idea behind using CBC mode is that you can perturb the last block of data encrypted in CFB in a predictable way; you can XOR any desired bit pattern into it. They use this to attack RSA V4 keys. However, CBC mode allows similar perturbations, but to the first block rather than the last block. So this fix does not go to the heart of the problem and could still leave vulnerabilities. The last idea, to use PSS padding, also does not seem to fundamentally help. It would still be possible to disrupt the CRC calculation. The best idea seems to be to replace the current checksum with an HMAC. This would cover both the private and public components; it would be keyed based on the passphrase. Then it would be impossible for an attacker to alter private key data undetectably unless they knew the passphrase. Broadly speaking, because the attack requires write access to users' private keys, I don't think making changes is an urgent matter. Users need to be careful to protect their private key files in any case. For most users, if attackers can get at these files they could cause many other sorts of problems. However we may want to begin discussing a change to using HMAC in place of checksum. We need to agree on exactly what data is covered by the HMAC, and how the key for the HMAC is calculated from the passphrase (generally it is a good idea for MAC keys to be different from decryption keys). Do we need to define a new packet format, V5 for keys? Or could we keep the old format number and use the length difference of a 20-byte HMAC vs a 2-byte checksum to recognize which one is being used? If we do add an HMAC, software could then work in a mode where old-format keys get the extra checks applied to carefully validate them, then get rewritten using the HMAC. From then on the extra checks are not necessary and the HMAC alone will detect changes. So we will retain fast performance, plus have security against tampered private key files. Hal Finney Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id JAA11203 for ietf-openpgp-bks; Thu, 22 Mar 2001 09:59:44 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA11199 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 09:59:42 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id JAA20729 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 09:56:11 -0800 Date: Thu, 22 Mar 2001 09:56:11 -0800 Message-Id: <200103221756.JAA20729@finney.org> To: ietf-openpgp@imc.org Subject: Re: Czech attack to PGP Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Links to English language versions of their paper and PowerPoint slides are at http://www.i.cz/en/. There are really two different attacks, one for RSA and one for DSA. Both require modifying your secret key file. Of course, for most users this is not an issue. Any attacker who could get to their secret key file and modify it would also be able to modify their PGP executable or public key file and weaken the program in any number of ways. So the practical impact of this attack is very low. However it is very interesting theoretically. Even though the attack is relatively easy to see once the idea is raised (several people had reconstructed the attack just from the press release in the last few days), it is a new idea and may be applicable to other systems than OpenPGP. The RSA attack is the one Lutz called a "Bellcore" attack, based on the Eurocrypt 97 paper by Boneh et al at http://theory.stanford.edu/~dabo/papers/faults.ps.gz. One of the attacks in this paper is against RSA done using the Chinese Remainder Theorem. (The authors of the Czech paper attributed the idea to Arjen Lenstra.) This optimization of RSA signature involves doing the calculation twice, mod p and mod q, and then combining the result. Boneh/Lenstra showed that if you could disrupt one side of this calculation, the resulting signature would leak the key. His group was looking at hardware faults, but the Czech group accomplishes the same thing by perturbing some of the RSA secret parameters so that one side of the signature is done wrong. Specifically they change the last value in the secret key, "u", which is the inverse of p mod q. This disrupts the part of the CRT calculation which is mod q while leaving the mod p alone, satisfying the requirement for the Boneh attack. A simple subtraction and GCD will recover p from the result. The DSA attack is quite different. In this case they change the public parameters of the DSA key to weaken it but leave the private part alone. They change p and g to be a group where discrete logs are easy, one where (p-1) has only small factors. Then when the signature is calculated, they can find the secret k value by taking the discrete log of r, and from this they can calculate the user's secret key. The commercial version of PGP, and possibly others, does extra checks on RSA private keys which prevent the RSA attack from working. Specifically, whenever it decrypts RSA private key data, it does the following checks: n = p*q d*e mod p = 1 d*e mod q = 1 p*u mod q = 1 This validates all of the private key data and makes sure it is consistent with the public key values. In particular the last check prevents the Czech attack from working as a change to u will make this one fail. Note that these checks are quite fast, just a few multiplies and divides, so they do not slow down the signature calculation by much, since it involves exponentiations. Unfortunately such fast checks are not possible for DSA keys. To validate the parameters two exponentiations are necessary, while only one exponentiation is used in a DSA signature. Doing validations will therefore slow down DSA signing by a factor of three. The authors of the paper make several recommendations for changes to OpenPGP to address these kinds of attacks. They are: - Use CBC mode rather than CFB to encrypt private key components - Use an HMAC to protect public and private key data - Use PSS padding from PKCS-1 v 2.1 rather than the v 1.5 padding The idea behind using CBC mode is that you can perturb the last block of data encrypted in CFB in a predictable way; you can XOR any desired bit pattern into it. They use this to attack RSA V4 keys. However, CBC mode allows similar perturbations, but to the first block rather than the last block. So this fix does not go to the heart of the problem and could still leave vulnerabilities. The last idea, to use PSS padding, also does not seem to fundamentally help. It would still be possible to disrupt the CRC calculation. The best idea seems to be to replace the current checksum with an HMAC. This would cover both the private and public components; it would be keyed based on the passphrase. Then it would be impossible for an attacker to alter private key data undetectably unless they knew the passphrase. Broadly speaking, because the attack requires write access to users' private keys, I don't think making changes is an urgent matter. Users need to be careful to protect their private key files in any case. For most users, if attackers can get at these files they could cause many other sorts of problems. However we may want to begin discussing a change to using HMAC in place of checksum. We need to agree on exactly what data is covered by the HMAC, and how the key for the HMAC is calculated from the passphrase (generally it is a good idea for MAC keys to be different from decryption keys). Do we need to define a new packet format, V5 for keys? Or could we keep the old format number and use the length difference of a 20-byte HMAC vs a 2-byte checksum to recognize which one is being used? If we do add an HMAC, software could then work in a mode where old-format keys get the extra checks applied to carefully validate them, then get rewritten using the HMAC. From then on the extra checks are not necessary and the HMAC alone will detect changes. So we will retain fast performance, plus have security against tampered private key files. Hal Finney Received: by above.proper.com (8.9.3/8.9.3) id JAA11119 for ietf-openpgp-bks; Thu, 22 Mar 2001 09:58:46 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA11115 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 09:58:45 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14g9Ln-0006aU-00 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 18:58:19 +0100 To: ietf-openpgp@imc.org Subject: Re: Bellcore Attack References: <5.0.0.25.2.20010322092502.03703b40@127.0.0.1> <5.0.0.25.2.20010322090310.035b4200@127.0.0.1> <slrn9bh26b.i8.lutz@taranis.iks-jena.de> <5.0.0.25.2.20010321175456.032d54d0@127.0.0.1> <slrn9bjbv5.jp.lutz@taranis.iks-jena.de> <5.0.0.25.2.20010322090310.035b4200@127.0.0.1> <20010322160422.A1615@taranis.iks-jena.de> <5.0.0.25.2.20010322092502.03703b40@127.0.0.1> <20010322162229.B1615@taranis.iks-jena.de> <5.0.0.25.2.20010322093203.03674b80@127.0.0.1> <20010322165500.C1615@taranis.iks-jena.de> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 22 Mar 2001 18:58:18 +0100 In-Reply-To: <20010322165500.C1615@taranis.iks-jena.de> Message-ID: <tg7l1hbs91.fsf@mercury.rus.uni-stuttgart.de> Lines: 40 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Lutz Donnerhacke <lutz@iks-jena.de> writes: > > > PGP2.6.3(i)n is fixed against all those types of attacks (and I had > > >a look on buffer overflows). > > > you should mention that on the ietf open pgp list. > > I posted the announcement some minutes ago to the usenet. > OK. CC: ML > > ftp://ftp.iks-jena.de/mitarb/lutz/crypt/software/pgp/pgp263in/ I've just decided that I won't implement a similar check for the DSA case (actually, I've implemented it already, but I won't recommend its use). The situation is much too murky. Maybe a relative proof of security can be obtained, but I very much doubt it. (Peter Gutmann told me about a different attack against unprotected DSA parameters, the whole situation doesn't look very promising at all.) IMHO, the problem can only be addressed in a safe way if the format is changed. Implementations can already do this on their own, of course, but there's still the problem that the standard is really misleading in this area. Unfortunately, this is not the first problem due to the attempt to minimize the amount of data which is cryptographically protected, a rather questionable design goal. It's not hard to spot the pattern in the list of past problems with OpenPGP and OpenPGP-derived protocols. :-( BTW: With RSA keys, GnuPG is not as reliable as it could be (it doesn't check the computed signatures and performs only a simple consistency check), but it's not vulnerable to the described attack. The situation is much better with RSA keys anyway because the secret key packet contains all necessary information in the encrypted area. I whish it were true for DSA as well. :-/ -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.9.3/8.9.3) id HAA01139 for ietf-openpgp-bks; Thu, 22 Mar 2001 07:58:01 -0800 (PST) Received: from excalibur.iks-jena.de (root@excalibur.iks-jena.de [217.17.192.67]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA01134 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 07:57:59 -0800 (PST) Received: from taranis.iks-jena.de (taranis.iks-jena.de [217.17.192.37]) by excalibur.iks-jena.de (8.11.3/8.10.1) with ESMTP id f2MFw0V09791; Thu, 22 Mar 2001 16:58:00 +0100 Received: (from lutz@localhost) by taranis.iks-jena.de (8.11.3/8.10.1) id f2MFt1M01885; Thu, 22 Mar 2001 16:55:01 +0100 Date: Thu, 22 Mar 2001 16:55:00 +0100 From: Lutz Donnerhacke <lutz@iks-jena.de> To: Rodney Thayer <rodney@tillerman.to> Cc: ietf-openpgp@imc.org Subject: Re: Bellcore Attack Message-ID: <20010322165500.C1615@taranis.iks-jena.de> References: <5.0.0.25.2.20010322092502.03703b40@127.0.0.1> <5.0.0.25.2.20010322090310.035b4200@127.0.0.1> <slrn9bh26b.i8.lutz@taranis.iks-jena.de> <5.0.0.25.2.20010321175456.032d54d0@127.0.0.1> <slrn9bjbv5.jp.lutz@taranis.iks-jena.de> <5.0.0.25.2.20010322090310.035b4200@127.0.0.1> <20010322160422.A1615@taranis.iks-jena.de> <5.0.0.25.2.20010322092502.03703b40@127.0.0.1> <20010322162229.B1615@taranis.iks-jena.de> <5.0.0.25.2.20010322093203.03674b80@127.0.0.1> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.0.0.25.2.20010322093203.03674b80@127.0.0.1>; from rodney@tillerman.to on Thu, Mar 22, 2001 at 09:32:23AM -0600 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > > PGP2.6.3(i)n is fixed against all those types of attacks (and I had > >a look on buffer overflows). > you should mention that on the ietf open pgp list. I posted the announcement some minutes ago to the usenet. OK. CC: ML ftp://ftp.iks-jena.de/mitarb/lutz/crypt/software/pgp/pgp263in/ Received: by above.proper.com (8.9.3/8.9.3) id EAA11324 for ietf-openpgp-bks; Thu, 22 Mar 2001 04:22:39 -0800 (PST) Received: from excalibur.iks-jena.de (root@excalibur.iks-jena.de [217.17.192.67]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA11320 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 04:22:37 -0800 (PST) Received: from taranis.iks-jena.de (taranis.iks-jena.de [217.17.192.37]) by excalibur.iks-jena.de (8.11.3/8.10.1) with ESMTP id f2MCMbV29371; Thu, 22 Mar 2001 13:22:37 +0100 Received: (from lutz@localhost) by taranis.iks-jena.de (8.11.3/8.10.1) id f2MCJdF01094; Thu, 22 Mar 2001 13:19:39 +0100 Date: Thu, 22 Mar 2001 13:19:39 +0100 From: Lutz Donnerhacke <lutz@iks-jena.de> To: ietf-openpgp@imc.org, krypto@thur.de, v.klima@decros.cz, t.rosa@decros.cz Message-Id: <slrn9bjrep.jp.lutz@taranis.iks-jena.de> Posted-To: de.comp.security.misc,sci.crypt Subject: Re: Czech attack to PGP References: <200103212354.PAA12957@finney.org> <tglmpyf2hb.fsf@mercury.rus.uni-stuttgart.de> Organization: IKS GmbH Jena Followup-To: sci.crypt Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> [This message has also been posted.] * Florian Weimer wrote: >They seem to, see http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf. It's Great work. >informative even if you cannot read Czech (there's one diagram showing >the secret key packet modification, which is quite instructive). Was Yes, it is. >The attack is rather obvious, I have to say. Of course, every good idea is obvious afterwards. >I'm still working on a fix. Assuming a bellcore attack I suggested to check it against the public key, but there is a problem: If the major modulus of the public key is shrinked and access to the files is assumed, there is no real reason to modify the public key accordingly in order to fool even all the certificate checks on my own keys. So this solution does not work. For RSA we can fix it by regenerating the public part from the encrypted private ones and stop working if this check failes. Afterwards we should check the signature by the verified public key. I'll do so for PGP2.6.3(i)n. >The basic question is: Is it possible to create a set of public DSA >parameters which are consistent with the secret one, without knowing the >latter? We could check if y = g**x mod p. If p and g are not trivial (check this!) and x is assumed to be not published before this signing attempt, there might be a chance to prevent a format modification. OTOH, we do not relay on a modifiction anyway, the programms are free to choose any secret key storage format the like. Received: by above.proper.com (8.9.3/8.9.3) id DAA10097 for ietf-openpgp-bks; Thu, 22 Mar 2001 03:49:33 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA10089 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 03:49:31 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14g3aS-0005fu-00 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 12:49:04 +0100 To: ietf-openpgp@imc.org Subject: Re: Algorithm Specific Fields for DSA secret keys References: <200103212354.PAA12957@finney.org> <tgsnk6qdvx.fsf@mercury.rus.uni-stuttgart.de> <slrn9bjma0.jp.lutz@taranis.iks-jena.de> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 22 Mar 2001 12:49:04 +0100 In-Reply-To: <slrn9bjma0.jp.lutz@taranis.iks-jena.de> Message-ID: <tglmpyf2hb.fsf@mercury.rus.uni-stuttgart.de> Lines: 35 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> lutz@iks-jena.de (Lutz Donnerhacke) writes: > * Florian Weimer wrote: > >Okay, I missed this one. I thought the public key components were also > >cryptographically protected. May I assume that the i.cz attack is target > >against the unprotected public key part of the secret key packet? Such an > >attack seems feasible. > > If they do so, the attack will be /very/ interesting. They seem to, see http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf. It's informative even if you cannot read Czech (there's one diagram showing the secret key packet modification, which is quite instructive). Was this information available to the Minneapolis meeting? What were their conclusions? The attack is rather obvious, I have to say. Before I read Hal's reply, I assumed that all data needed for signature generation was protected by the passphrase. I was really surprised when I discovered that it wasn't (at least in the DSA case, however, if you do RSA using the Chinese Remainder theorem, it is), and I was far less surprised when I finally found the paper and confirmed that the attack is mounted against the unprotected portion of the secret key. I'm still working on a fix. The basic question is: Is it possible to create a set of public DSA parameters which are consistent with the secret one, without knowing the latter? If the answer is yes, we have to modify the OpenPGP format, otherwise, a consistency check is sufficient to protect against this attack. (The consistency check performed by GnuPG is probably not sufficient.) -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.9.3/8.9.3) id CAA02664 for ietf-openpgp-bks; Thu, 22 Mar 2001 02:54:43 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA02659 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 02:54:41 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2MAseX00538 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 11:54:40 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Re: Algorithm Specific Fields for DSA secret keys Date: 22 Mar 2001 10:54:39 GMT Organization: IKS GmbH Jena Lines: 7 Message-ID: <slrn9bjma0.jp.lutz@taranis.iks-jena.de> References: <200103212354.PAA12957@finney.org> <tgsnk6qdvx.fsf@mercury.rus.uni-stuttgart.de> NNTP-Posting-Host: taranis.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * Florian Weimer wrote: >Okay, I missed this one. I thought the public key components were also >cryptographically protected. May I assume that the i.cz attack is target >against the unprotected public key part of the secret key packet? Such an >attack seems feasible. If they do so, the attack will be /very/ interesting. Received: by above.proper.com (8.9.3/8.9.3) id CAA02052 for ietf-openpgp-bks; Thu, 22 Mar 2001 02:47:42 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA02046 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 02:47:41 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14g2cc-0005Xv-00 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 11:47:14 +0100 To: ietf-openpgp@imc.org Subject: Re: Algorithm Specific Fields for DSA secret keys References: <200103212354.PAA12957@finney.org> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 22 Mar 2001 11:47:14 +0100 In-Reply-To: <200103212354.PAA12957@finney.org> Message-ID: <tgsnk6qdvx.fsf@mercury.rus.uni-stuttgart.de> Lines: 23 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> hal@finney.org writes: > If you look at the whole section, it says, > > 5.5.3. Secret Key Packet Formats > > The Secret Key and Secret Subkey packets contain all the data of the > Public Key and Public Subkey packets, with additional algorithm- > specific secret key data appended, in encrypted form. > > The packet contains: > > - A Public Key or Public Subkey packet, as described above Okay, I missed this one. I thought the public key components were also cryptographically protected. May I assume that the i.cz attack is target against the unprotected public key part of the secret key packet? Such an attack seems feasible. -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.9.3/8.9.3) id AAA11607 for ietf-openpgp-bks; Thu, 22 Mar 2001 00:03:21 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id AAA11595 for <ietf-openpgp@imc.org>; Thu, 22 Mar 2001 00:03:19 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2M83I427365 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 09:03:18 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Re: Bellcore Attack Date: 22 Mar 2001 08:03:18 GMT Organization: IKS GmbH Jena Lines: 9 Message-ID: <slrn9bjc8o.jp.lutz@taranis.iks-jena.de> References: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> <p04320401b6defa7ed7e3@[172.20.1.38]> NNTP-Posting-Host: taranis.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * Jon Callas wrote: >The gist, as much as we know of it now is that they claim that they can >write into a V3 secret key (the PGP 2.6 format) in such a way as to force >you to make signatures that the attacker can then forge. We don't know the That seems resonable: Modifying the least significant in the last crypted secret key component can be used (in conjunction with the chipher feedback mode) to determine the necessary checksum fooling PGP integrity checks. It might be possible to extend this to v4 keys too. Received: by above.proper.com (8.9.3/8.9.3) id XAA10589 for ietf-openpgp-bks; Wed, 21 Mar 2001 23:58:15 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA10577 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 23:58:13 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2M7wBL27323 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 08:58:11 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Re: Bellcore Attack Date: 22 Mar 2001 07:58:11 GMT Organization: IKS GmbH Jena Lines: 5 Message-ID: <slrn9bjbv5.jp.lutz@taranis.iks-jena.de> References: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> <5.0.0.25.2.20010321175456.032d54d0@127.0.0.1> NNTP-Posting-Host: taranis.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * Rodney Thayer wrote: >what is the reference to calling this a "Bellcore attack"? I did. There was no reference, but only the Bellcore attack or a substantial new type of attack seems a valid assumption to me. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id UAA23431 for ietf-openpgp-bks; Wed, 21 Mar 2001 20:36:24 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA23427 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 20:36:23 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012097.qualcomm.com [10.13.12.97]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2M4aKV14821; Wed, 21 Mar 2001 20:36:21 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com (Unverified) Message-Id: <a05100705b6df29654662@[135.222.66.224]> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Wed, 21 Mar 2001 22:31:24 -0600 To: minutes@ietf.org From: John W Noerenberg II <jwn2@qualcomm.com> Subject: OpenPGP minutes Cc: OpenPGP mailing list <ietf-openpgp@imc.org> Content-Type: multipart/alternative; boundary="============_-1226886708==_ma============" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --============_-1226886708==_ma============ Content-Type: text/plain; charset="iso-8859-1" ; format="flowed" Content-Transfer-Encoding: quoted-printable We met on Tuesday afternoon, Mar 20th with the following agenda: =85 Agenda bashing =85 Pgp/MIME =85 Openpgp oven cooking competition =85 Pgp consortium =85 Charter review =85 Wg->fin_wait Rod Thayer took down the minutes. This message is derived from his notes. There were no changes to the agenda so we proceeded with the remaining items= =2E The PGP/MIME draft is ready for WG Last Call. The Chair expects the WG will be able to recommend the draft to the IESG within a month. John Noerenberg noticed a normative reference to the multiple signature draft. He recommended removing the reference, but formally adopting multiple signatures as an additional work item. The Chair is planning to sponsor an interoperability testing meeting in San Diego in late Spring or early Summer. There are notes on the mailing list regarding a general plan for the meeting. The principal goal of the meeting is to assess whether there are sufficiently interoperable implementations of RFC2440 to allow the WG to recommend RFC2440 advance to DRAFT status. The workshop will also provide the opportunity to test PGP/MIME implementations and transport and network protocols which use PGP encryption and authentication. The Chair announced that Phil Zimmerman is organizing a PGP Consortium for implementers and users. The url for the consortium is http://www.openpgp.org. Adopting multiple signatures as a work item will require a change to WG charter. The WG members in attendance did not express a strong opinion in either direction. [Because of activity on the mailing list the Chair plans to request the IESG allow modification of the charter to add this item.] Whether or not this item is added to our charter, we expect the WG to shut down by the next IETF meeting. That completed the business of the meeting, and we adjourned. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------= - Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------= - --============_-1226886708==_ma============ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type=3D""><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>OpenPGP minutes</title></head><body> <div><font color=3D"#000000">We met on Tuesday afternoon, Mar 20th with the following agenda:</font></div> <div><font color=3D"#000000"><br></font></div> <div><font face=3D"Charcoal" color=3D"#000000">=85</font><font color=3D"#000000"> Agenda bashing</font></div> <div><font face=3D"Charcoal" color=3D"#000000">=85</font><font color=3D"#000000"> Pgp/MIME</font></div> <div><font face=3D"Charcoal" color=3D"#000000">=85</font><font color=3D"#000000"> Openpgp oven cooking competition</font></div> <div><font face=3D"Charcoal" color=3D"#000000">=85</font><font color=3D"#000000"> Pgp consortium<br> <font face=3D"Charcoal">=85</font> Charter review<br> <font face=3D"Charcoal">=85</font> Wg->fin_wait</font><br> <font color=3D"#000000"></font></div> <div><font color=3D"#000000">Rod Thayer took down the minutes. This message is derived from his notes.</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">There were no changes to the agenda so we proceeded with the remaining items.</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">The PGP/MIME draft is ready for WG Last Call. The Chair expects the WG will be able to recommend the draft to the IESG within a month. John Noerenberg noticed a normative reference to the multiple signature draft. He recommended removing the reference, but formally adopting multiple signatures as an additional work item.</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">The Chair is planning to sponsor an interoperability testing meeting in San Diego in late Spring or early Summer. There are notes on the mailing list regarding a general plan for the meeting. The principal goal of the meeting is to assess whether there are sufficiently interoperable implementations of RFC2440 to allow the WG to recommend RFC2440 advance to DRAFT status. The workshop will also provide the opportunity to test PGP/MIME implementations and transport and network protocols which use PGP encryption and authentication.</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">The Chair announced that Phil Zimmerman is organizing a PGP Consortium for implementers and users. The url for the consortium is http://www.openpgp.org.</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">Adopting multiple signatures as a work item will require a change to WG charter. The WG members in attendance did not express a strong opinion in either direction. [Because of activity on the mailing list the Chair plans to request the IESG allow modification of the charter to add this item.]</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">Whether or not this item is added to our charter, we expect the WG to shut down by the next IETF meeting.</font></div> <div><font color=3D"#000000"><br></font></div> <div><font color=3D"#000000">That completed the business of the meeting, and we adjourned.</font></div> <div><tt><br></tt></div> <x-sigsep><pre> -- </pre></x-sigsep> <div><br> john noerenberg<br> jwn2@qualcomm.com<br> ---------------------------------------------------------------------<span ></span>-----<br> Peace of mind isn't at all superficial, really. It's the whole thing.<br> That which produces it is good maintenance; that which disturbs it<br> is poor maintenance.<br> -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974<br> ---------------------------------------------------------------------<span ></span>-----</div> </body> </html> --============_-1226886708==_ma============-- Received: by above.proper.com (8.9.3/8.9.3) id UAA23425 for ietf-openpgp-bks; Wed, 21 Mar 2001 20:36:21 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA23419 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 20:36:16 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012097.qualcomm.com [10.13.12.97]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2M4aCV14815; Wed, 21 Mar 2001 20:36:13 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com (Unverified) Message-Id: <a05100703b6df2800f5c5@[135.222.66.224]> In-Reply-To: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> References: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Wed, 21 Mar 2001 21:58:32 -0600 To: lutz@iks-jena.de (Lutz Donnerhacke) From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: Bellcore Attack Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 10:59 AM +0000 3/21/01, Lutz Donnerhacke wrote: >According to the current Comp.Risks Digest, a Bellcore attack seems possible >due to the OpenPGP secret key format. Yes, Lutz. There has been a fair amount of discussion here in Minneapolis regarding the discovery by the Czech researchers. I'll leave the detailed analysis to others to publish, but at this point it appears this attack does not appear to pose a significant threat to the integrity of information encrypted with PGP. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- Received: by above.proper.com (8.9.3/8.9.3) id SAA19845 for ietf-openpgp-bks; Wed, 21 Mar 2001 18:27:13 -0800 (PST) Received: from acm.org ([192.88.122.192]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA19841 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 18:27:12 -0800 (PST) Received: from acm.org (IDENT:jim@suitcase [127.0.0.1]) by acm.org (8.11.0/8.11.0) with ESMTP id f2M2Nt207631 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 18:23:55 -0800 Message-ID: <3AB9623B.29CE77FE@acm.org> Date: Wed, 21 Mar 2001 18:23:55 -0800 From: Jim Gillogly <jim@acm.org> Organization: Banzai Institute X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.0-ac8 i686) X-Accept-Language: en MIME-Version: 1.0 To: ietf-openpgp@imc.org Subject: Re: Bellcore Attack References: <5.0.0.25.2.20010321175456.032d54d0@127.0.0.1> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Rodney Thayer wrote: > what is the reference to calling this a "Bellcore attack"? "On the importance of Checking Cryptographic Protocols for Faults" Dan Boneh, Richard A. DeMillo, Richard J. Lipton, Bellcore 1997. See http://citeseer.nj.nec.com/correct/21216, for example. They break RSA using one bogus signature and the Chinese Remainder Theorem. This was the inspiration for the whole field of differential fault analysis. -- Jim Gillogly Highday, 30 Rethe S.R. 2001, 02:18 12.19.8.1.5, 12 Chicchan 8 Cumku, Seventh Lord of Night Received: by above.proper.com (8.9.3/8.9.3) id SAA19624 for ietf-openpgp-bks; Wed, 21 Mar 2001 18:12:35 -0800 (PST) Received: from limbo.net (IDENT:root@meridian.limbo.net [209.209.9.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA19619 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 18:12:32 -0800 (PST) Received: from opcenter2.tillerman.to (IDENT:root@module-two.rwthayer.com [216.240.42.201]) by limbo.net (8.9.3/8.9.0) with ESMTP id SAA01350; Wed, 21 Mar 2001 18:12:29 -0800 Message-Id: <5.0.0.25.2.20010321175456.032d54d0@127.0.0.1> X-Sender: rodney@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Wed, 21 Mar 2001 17:55:33 -0600 To: lutz@iks-jena.de (Lutz Donnerhacke) From: Rodney Thayer <rodney@tillerman.to> Subject: Re: Bellcore Attack Cc: ietf-openpgp@imc.org In-Reply-To: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> Mime-Version: 1.0 Content-Type: text/plain Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 what is the reference to calling this a "Bellcore attack"? At 10:59 AM 3/21/01 +0000, you wrote: >According to the current Comp.Risks Digest, a Bellcore attack seems possible >due to the OpenPGP secret key format. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA+AwUBOrk/dT/0TyQ4fTjtEQJCAwCYs4tMm8AOn5tMs5W1BAzirS1nsgCeJ0MD LfPL6N1FmNMYXg9VeXNWM8A= =a4KE -----END PGP SIGNATURE----- Received: by above.proper.com (8.9.3/8.9.3) id QAA15422 for ietf-openpgp-bks; Wed, 21 Mar 2001 16:51:33 -0800 (PST) Received: from natasha.sj.counterpane.com (natasha.sj.counterpane.com [63.196.29.130]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA15418 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 16:51:31 -0800 (PST) Received: from natasha.sj.counterpane.com (root@localhost) by natasha.sj.counterpane.com with ESMTP id QAA06408; Wed, 21 Mar 2001 16:51:34 -0800 (PST) Received: from [172.20.1.38] (eris.sj.counterpane.com [172.20.1.38]) by natasha.sj.counterpane.com with ESMTP id QAA06400; Wed, 21 Mar 2001 16:51:32 -0800 (PST) Mime-Version: 1.0 X-Sender: jon@63.73.97.162 Message-Id: <p04320401b6defa7ed7e3@[172.20.1.38]> In-Reply-To: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> References: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> Date: Wed, 21 Mar 2001 16:51:25 -0800 To: lutz@iks-jena.de (Lutz Donnerhacke), ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: Bellcore Attack Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> You can see the press release at <http://www.i.cz/en/onas/tisk4.html>. There are also things in Czech on their web site. Supposedly, the details will be published tomorrow. The gist, as much as we know of it now is that they claim that they can write into a V3 secret key (the PGP 2.6 format) in such a way as to force you to make signatures that the attacker can then forge. We don't know the details yet. They only want to talk to reporters, not to technical people. All the details I have are ones I wheedled out of reporters. I sent mail to the contact on the press release yesterday who said that we have to wait like everyone else. Some mail today going directly to the cryptographers involved got a reply that said they'll publish tomorrow. So we'll see. Jon Received: by above.proper.com (8.9.3/8.9.3) id PAA12697 for ietf-openpgp-bks; Wed, 21 Mar 2001 15:57:41 -0800 (PST) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.9.3/8.9.3) with SMTP id PAA12691 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 15:57:38 -0800 (PST) From: hal@finney.org Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id PAA12957; Wed, 21 Mar 2001 15:54:04 -0800 Date: Wed, 21 Mar 2001 15:54:04 -0800 Message-Id: <200103212354.PAA12957@finney.org> To: Florian.Weimer@RUS.Uni-Stuttgart.DE, ietf-openpgp@imc.org Subject: Re: Algorithm Specific Fields for DSA secret keys Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> If you look at the whole section, it says, 5.5.3. Secret Key Packet Formats The Secret Key and Secret Subkey packets contain all the data of the Public Key and Public Subkey packets, with additional algorithm- specific secret key data appended, in encrypted form. The packet contains: - A Public Key or Public Subkey packet, as described above - One octet indicating string-to-key usage conventions. 0 indicates that the secret key data is not encrypted. 255 indicates that a string-to-key specifier is being given. Any other value is a symmetric-key encryption algorithm specifier. - [Optional] If string-to-key usage octet was 255, a one-octet symmetric encryption algorithm. - [Optional] If string-to-key usage octet was 255, a string-to-key specifier. The length of the string-to-key specifier is implied by its type, as described above. - [Optional] If secret data is encrypted, eight-octet Initial Vector (IV). - Encrypted multi-precision integers comprising the secret key data. These algorithm-specific fields are as described below. - Two-octet checksum of the plaintext of the algorithm-specific portion (sum of all octets, mod 65536). and then it goes on to explain the algorithm-specific fields mentioned in the second to last paragraph. But note that the very first entry is a whole Public Key packet. This has the p, q, g and y values. Then come the other entries: string-to-key usage octet, encryption octet, string-to-key specifier, iv, and then the algorithmic-specific private fields you saw. Finally a checksum. Hal Received: by above.proper.com (8.9.3/8.9.3) id PAA09774 for ietf-openpgp-bks; Wed, 21 Mar 2001 15:17:35 -0800 (PST) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA09769 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 15:17:34 -0800 (PST) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.12 #4) id 14frqm-0004eh-00 for ietf-openpgp@imc.org; Thu, 22 Mar 2001 00:17:08 +0100 To: ietf-openpgp@imc.org Subject: Algorithm Specific Fields for DSA secret keys From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 22 Mar 2001 00:17:08 +0100 Message-ID: <tgd7baaf0r.fsf@mercury.rus.uni-stuttgart.de> Lines: 17 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> >From section 5.5.3: | Algorithm Specific Fields for DSA secret keys: | | - MPI of DSA secret exponent x. And that's it. As far as I can tell, implementations do not follow the RFC (GnuPG, for example, stores p, q, g, u, and finally x, in this order). Has anybody got an explanation? -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.9.3/8.9.3) id CAA13064 for ietf-openpgp-bks; Wed, 21 Mar 2001 02:59:20 -0800 (PST) Received: from grannus.iks-jena.de (root@grannus.iks-jena.de [217.17.192.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA13058 for <ietf-openpgp@imc.org>; Wed, 21 Mar 2001 02:59:17 -0800 (PST) Received: (from news@localhost) by grannus.iks-jena.de (8.11.3/8.10.1) id f2LAxG915988 for ietf-openpgp@imc.org; Wed, 21 Mar 2001 11:59:16 +0100 To: ietf-openpgp@imc.org Path: lutz From: lutz@iks-jena.de (Lutz Donnerhacke) Newsgroups: iks.lists.ietf-open-pgp Subject: Bellcore Attack Date: 21 Mar 2001 10:59:16 GMT Organization: IKS GmbH Jena Lines: 2 Message-ID: <slrn9bh26b.i8.lutz@taranis.iks-jena.de> NNTP-Posting-Host: taranis.iks-jena.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: slrn/0.9.6.3 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> According to the current Comp.Risks Digest, a Bellcore attack seems possible due to the OpenPGP secret key format. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id XAA13985 for ietf-openpgp-bks; Tue, 20 Mar 2001 23:14:12 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA13977 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 23:14:11 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012034.qualcomm.com [10.13.12.34]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2L7E4V09165; Tue, 20 Mar 2001 23:14:06 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com (Unverified) Message-Id: <a05100600b6dd999e3551@[135.222.66.224]> In-Reply-To: <20010320145452.A11517@sobolev.does-not-exist.org> References: <20010320.221120.74171532.kazu@iijlab.net> <20010320145452.A11517@sobolev.does-not-exist.org> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Tue, 20 Mar 2001 22:11:06 -0600 To: Thomas Roessler <roessler@does-not-exist.org> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: draft-ietf-openpgp-mime: normative reference to multiple signature draft Cc: ietf-openpgp@imc.org Content-Type: multipart/alternative; boundary="============_-1226963646==_ma============" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --============_-1226963646==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" There's a normative reference in Sec 5 to draft-ietf-multsig-00.txt. In order to advanced to PROPOSED, we'd either have to be ready to advance the multsig draft, or eliminate the reference. What I propose is that we eliminate the specific reference here, and advance multiple signatures independently. This way involves the fewest dependencies. Here's the specific text: To encapsulate multiple signatures with possibly different hash algorithms, the method specified in [8] should be used. [8] in the references is "draft-ietf-openpgp-multsig-02.txt". Probably simplest is to delete the sentence, and reference [8]. The multiple signatures draft looks pretty straight-forward. Unless I hear loud objections, I'll ask the IESG if we can modify our charter to include it in our work items. There hasn't been much discussion of this draft for some time. However, because it's not on our charter, we have to change the charter before I can submit it for consideration as PROPOSED, and I do want to allow some time for Last Call after it's on our charter. Because pgp/mime will be ready shortly to advance, I'd rather not have to wait for approval to change our charter before pgp/mime can advance. Once we have both multsig and pgp/mime at PROPOSED, if both are ready to advance to DRAFT, we can restore the reference in pgp/mime to multsig. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- --============_-1226963646==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type=""><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>draft-ietf-openpgp-mime: normative reference to multip</title></head><body> <div>There's a normative reference in Sec 5 to draft-ietf-multsig-00.txt. In order to advanced to PROPOSED, we'd either have to be ready to advance the multsig draft, or eliminate the reference. What I propose is that we eliminate the specific reference here, and advance multiple signatures independently. This way involves the fewest dependencies.</div> <div><br></div> <div>Here's the specific text:</div> <div><br></div> <blockquote>To encapsulate multiple signatures with possibly different hash algorithms, the method specified in [8] should be used.</blockquote> <div><br></div> <div>[8] in the references is "draft-ietf-openpgp-multsig-02.txt". Probably simplest is to delete the sentence, and reference [8].</div> <div><br></div> <div>The multiple signatures draft looks pretty straight-forward. Unless I hear loud objections, I'll ask the IESG if we can modify our charter to include it in our work items. There hasn't been much discussion of this draft for some time. However, because it's not on our charter, we have to change the charter before I can submit it for consideration as PROPOSED, and I do want to allow some time for Last Call after it's on our charter.</div> <div><br></div> <div>Because pgp/mime will be ready shortly to advance, I'd rather not have to wait for approval to change our charter before pgp/mime can advance. Once we have both multsig and pgp/mime at PROPOSED, if both are ready to advance to DRAFT, we can restore the reference in pgp/mime to multsig.</div> <div><tt><br></tt></div> <div><tt><br></tt></div> <x-sigsep><pre> -- </pre></x-sigsep> <div><br> john noerenberg<br> jwn2@qualcomm.com<br> ---------------------------------------------------------------------<span ></span>-----<br> Peace of mind isn't at all superficial, really. It's the whole thing.<br> That which produces it is good maintenance; that which disturbs it<br> is poor maintenance.<br> -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974<br> ---------------------------------------------------------------------<span ></span>-----</div> </body> </html> --============_-1226963646==_ma============-- Received: by above.proper.com (8.9.3/8.9.3) id XAA13927 for ietf-openpgp-bks; Tue, 20 Mar 2001 23:13:58 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA13917 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 23:13:57 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012034.qualcomm.com [10.13.12.34]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2L7E0V09153 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 23:14:00 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com (Unverified) Message-Id: <a05100601b6ddd3bbb677@[135.222.66.224]> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Tue, 20 Mar 2001 21:55:34 -0600 To: ietf-openpgp@imc.org From: John W Noerenberg II <jwn2@qualcomm.com> Subject: WG Last Call - draft-ietf-openpgp-mime Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> This the Last Call for WG comments on draft-ietf-openpgp-mime. Please carefully review the current draft (-05), and provide comments to the editors if you detect any errors or omissions. I will end Last Call on April 3rd. If there are no substantial changes or objections to the draft, I will request our Area Directors submit -06 incorporating Last Call comments as soon as possible after that date for promotion to PROPROSED status. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id LAA11737 for ietf-openpgp-bks; Tue, 20 Mar 2001 11:53:28 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA11732 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 11:53:26 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012064.qualcomm.com [10.13.12.64]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2KJrQV23176 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 11:53:26 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com (Unverified) Message-Id: <a05100600b6dd5e177d4d@[135.222.66.224]> In-Reply-To: <20010320145452.A11517@sobolev.does-not-exist.org> References: <20010320.221120.74171532.kazu@iijlab.net> <20010320145452.A11517@sobolev.does-not-exist.org> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Tue, 20 Mar 2001 13:37:46 -0600 To: OpenPGP mailing list <ietf-openpgp@imc.org> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Today's agenda Content-Type: multipart/alternative; boundary="============_-1227004487==_ma============" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --============_-1227004487==_ma============ Content-Type: text/plain; charset="iso-8859-1" ; format="flowed" Content-Transfer-Encoding: quoted-printable Please pardon me for not publishing our agenda for today's meeting earlier. this is how I plan to spend our hour today: Agenda bashing (5 min) PGP/MIME Last Call (15 min) OpenPGP Oven Cooking Competition (10m) PGP Consortium (10 min) Charter review (0-15min) WG =C6 Fin_Wait (5 min) As I read the PGP/MIME draft, and looking at the comments on this mailing list, I don't see any serious obstacles to declaring WG Last Call for the draft (modulo my note below). But I'll allow a brief discussion to be sure I'm not misunderstanding consensus. The Oven Cooking Competition is the work we need to do to advance 2440 to DRAFT status. It will also enable us to do most of the verification work we'll need for DRAFT status on PGP/MIME (which is getting a little ahead of ourselves, but I don't think this is a big deal in this case). I promised Phil I would mention his idea about a PGP Consortium, and take the opportunity for those of us in Minneapolis to register an opinion. The charter review is necessary because our charter doesn't include milestones for PGP/MIME, curiously enough. Also we need to determine what to do about multiple signatures draft on which the PGP/MIME draft depends. PGP/MIME may not be able to advanced to PROPOSED status if it contains this reference. Updating the milestones to reflect where we stand on PGP/MIME is a no-brainer, but adding Multiple Sigs will require IESG approval to expand our scope. I'll be looking for a hum today on how desirable this is, as well as comments from the list. It's entirely possible we'll get through all of this in less than an hour. My apologies for not arranging for an MBone room to enable those not here to participate "live." best, -- john noerenberg jwn2@qualcomm.com ---------------------------------------------------------------------- Perfect authentication would mean that others know for certain all the facts about you. Happiness comes from others knowing a good deal less. -- Lawrence Lessig, "Code And Other Laws of Cyberspace", 1999 ---------------------------------------------------------------------- --============_-1227004487==_ma============ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type=3D""><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>Today's agenda</title></head><body> <div>Please pardon me for not publishing our agenda for today's meeting earlier. this is how I plan to spend our hour today:</div> <div><br></div> <ul> <li>Agenda bashing (5 min) <li>PGP/MIME Last Call (15 min) <li>OpenPGP Oven Cooking Competition (10m) <li>PGP Consortium (10 min) <li>Charter review (0-15min) <li>WG<font face=3D"Charcoal"> =C6</font> Fin_Wait (5 min)</ul> <div><br></div> <div>As I read the PGP/MIME draft, and looking at the comments on this mailing list, I don't see any serious obstacles to declaring WG Last Call for the draft (modulo my note below). But I'll allow a brief discussion to be sure I'm not misunderstanding consensus.</div> <div><br></div> <div>The Oven Cooking Competition is the work we need to do to advance 2440 to DRAFT status. It will also enable us to do most of the verification work we'll need for DRAFT status on PGP/MIME (which is getting a little ahead of ourselves, but I don't think this is a big deal in this case).</div> <div><br></div> <div>I promised Phil I would mention his idea about a PGP Consortium, and take the opportunity for those of us in Minneapolis to register an opinion.</div> <div><br></div> <div>The charter review is necessary because our charter doesn't include milestones for PGP/MIME, curiously enough. Also we need to determine what to do about multiple signatures draft on which the PGP/MIME draft depends. PGP/MIME may not be able to advanced to PROPOSED status if it contains this reference. Updating the milestones to reflect where we stand on PGP/MIME is a no-brainer, but adding Multiple Sigs will require IESG approval to expand our scope. I'll be looking for a hum today on how desirable this is, as well as comments from the list.</div> <div><br></div> <div>It's entirely possible we'll get through all of this in less than an hour. My apologies for not arranging for an MBone room to enable those not here to participate "live."</div> <div><br></div> <div>best,</div> <div><tt><br></tt></div> <x-sigsep><pre> -- </pre></x-sigsep> <div><br> john noerenberg<br> jwn2@qualcomm.com<br> ----------------------------------------------------------------------<br > Perfect authentication would mean that others know for certain all the<br> facts about you. Happiness comes from others knowing a good deal less.<br> -- Lawrence Lessig, "Code And Other Laws of Cyberspace", 1999<br> ----------------------------------------------------------------------</div > </body> </html> --============_-1227004487==_ma============-- Received: by above.proper.com (8.9.3/8.9.3) id JAA05315 for ietf-openpgp-bks; Tue, 20 Mar 2001 09:33:19 -0800 (PST) Received: from hotmail.com (oe2.law14.hotmail.com [64.4.20.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA05309 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 09:33:18 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 20 Mar 2001 09:32:50 -0800 X-Originating-IP: [193.95.161.82] From: "Donald" <hare_donaldl@hotmail.com> To: <ietf-openpgp@imc.org> Subject: key flags and subkeys Date: Tue, 20 Mar 2001 17:36:35 -0000 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0043_01C0B164.4F463120" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Message-ID: <OE2seCovH1xkt3Oq9yD00002cd4@hotmail.com> X-OriginalArrivalTime: 20 Mar 2001 17:32:50.0679 (UTC) FILETIME=[C97EE870:01C0B163] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> This is a multi-part message in MIME format. ------=_NextPart_000_0043_01C0B164.4F463120 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Nothing is said about whether the key flags of a certification is valid for that main key or for main key plus subkeys as an item. PGP don't even have a mechanism for doing any kind of certification of a subkey. I do know that a subkey may be exchanged/added at a later stage than the certification is made, and in particular is not input to a certification signature, but I still want to make a statement like: "The main key (that I sign) may be used for signature creation but not for further certification. All valid subkeys may be used for encryption of communication and storage" /Donald ------=_NextPart_000_0043_01C0B164.4F463120 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Nothing is said about whether the key = flags of a=20 certification<BR>is valid for that main key or for main key plus subkeys = as an=20 item.<BR>PGP don't even have a mechanism for doing any kind of=20 certification<BR>of a subkey.<BR><BR>I do know that a subkey may be=20 exchanged/added at a later stage than the<BR>certification is made, and = in=20 particular is not input to a certification<BR>signature, but I still = want to=20 make a statement like:<BR><BR>"The main key (that I sign) may be used = for=20 signature creation but<BR>not for further certification. All valid = subkeys may=20 be used for<BR>encryption of communication and=20 storage"<BR><BR><BR>/Donald</FONT></DIV></BODY></HTML> ------=_NextPart_000_0043_01C0B164.4F463120-- Received: by above.proper.com (8.9.3/8.9.3) id GAA16246 for ietf-openpgp-bks; Tue, 20 Mar 2001 06:03:58 -0800 (PST) Received: from smtp1.nikoma.de (smtp1.nikoma.de [212.122.128.19]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA16241 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 06:03:55 -0800 (PST) Received: from sobolev.does-not-exist.org (dialin172.pg11-nt.frankfurt.nikoma.de [213.54.42.172]) by smtp1.nikoma.de (8.9.3/8.9.3) with ESMTP id PAA95988 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 15:03:43 +0100 (CET) (envelope-from roessler@does-not-exist.org) Received: by sobolev.does-not-exist.org (Postfix, from userid 1000) id 32C122ED15; Tue, 20 Mar 2001 14:54:52 +0100 (CET) Date: Tue, 20 Mar 2001 14:54:52 +0100 From: Thomas Roessler <roessler@does-not-exist.org> To: ietf-openpgp@imc.org Subject: Re: editorial commnets for openpgp-mime-05 Message-ID: <20010320145452.A11517@sobolev.does-not-exist.org> Mail-Followup-To: ietf-openpgp@imc.org References: <20010320.221120.74171532.kazu@iijlab.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.16i In-Reply-To: <20010320.221120.74171532.kazu@iijlab.net>; from kazu@iijlab.net on Tue, Mar 20, 2001 at 10:11:20PM +0900 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 2001-03-20 22:11:20 +0900, Kazu Yamamoto wrote: > I read openpgp-mime-05 for the meeting today. I think this version > is quite reasonable. > Here are editorial commnets for openpgp-mime-05: Thanks. I fixed that in the version of the document which resides here. -- Thomas Roessler <roessler@does-not-exist.org> Received: by above.proper.com (8.9.3/8.9.3) id FAA14177 for ietf-openpgp-bks; Tue, 20 Mar 2001 05:11:21 -0800 (PST) Received: from mgo.iij.ad.jp (root@mgo.iij.ad.jp [202.232.15.6]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA14172 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 05:11:19 -0800 (PST) Received: from ns.iij.ad.jp (ns.iij.ad.jp [192.168.2.8]) by mgo.iij.ad.jp (8.8.8/MGO1.0) with ESMTP id WAA09052 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 22:11:19 +0900 (JST) Received: from fs.iij.ad.jp (root@fs.iij.ad.jp [192.168.2.9]) by ns.iij.ad.jp (8.8.5/3.5Wpl7) with ESMTP id WAA11262 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 22:11:19 +0900 (JST) Received: from localhost (mine.iij.ad.jp [192.168.4.209]) by fs.iij.ad.jp (8.8.5/3.5Wpl7) with ESMTP id WAA21917 for <ietf-openpgp@imc.org>; Tue, 20 Mar 2001 22:11:18 +0900 (JST) Date: Tue, 20 Mar 2001 22:11:20 +0900 (JST) Message-Id: <20010320.221120.74171532.kazu@iijlab.net> To: ietf-openpgp@imc.org Subject: editorial commnets for openpgp-mime-05 From: Kazu Yamamoto (=?iso-2022-jp?B?GyRCOzNLXE9CSScbKEI=?=) <kazu@iijlab.net> X-Mailer: Mew version 1.95b115 on Emacs 21.0 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi all, I read openpgp-mime-05 for the meeting today. I think this version is quite reasonable. Here are editorial commnets for openpgp-mime-05: (1) page 3, note: Two "From" should be "From ". The last SPC is very important since MTAs don't convert a line started with "From" (not "From ") to ">From". (2) page 6 There are two item (4). (4) and (5) should be (5) and (6), respectively. --Kazu Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id WAA29417 for ietf-openpgp-bks; Mon, 19 Mar 2001 22:24:31 -0800 (PST) Received: from tomts7-srv.bellnexxia.net (tomts7.bellnexxia.net [209.226.175.40]) by above.proper.com (8.9.3/8.9.3) with ESMTP id WAA29412 for <ietf-openpgp@imc.org>; Mon, 19 Mar 2001 22:24:29 -0800 (PST) Received: from [192.168.1.102] ([64.230.35.74]) by tomts7-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010320062401.TJGU24361.tomts7-srv.bellnexxia.net@[192.168.1.102]>; Tue, 20 Mar 2001 01:24:01 -0500 Date: Tue, 20 Mar 2001 01:23:17 -0500 From: Robert Guerra <rguerra@yahoo.com> To: John W Noerenberg II <jwn2@qualcomm.com> cc: ietf-openpgp@imc.org Subject: Re: Compatibility testing goals and planning Message-ID: <2417597.3194040197@[192.168.1.102]> In-Reply-To: <a05100603b6dc64969960@[135.222.66.224]> X-Mailer: Mulberry/2.0.8 (MacOS) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> John , Rodney & JON : I think this a wonderfull idea whose time has come. I'm involved in agreat deal of PGP training to english and non-english audiences and am particularly interested in how different implementations handle non USA ASCII text. If this aspect of testing might be of interest, please do let me know..as more than happy to help Regards, Robert ps. --On Monday, March 19, 2001 7:50 PM -0600 John W Noerenberg II <jwn2@qualcomm.com> wrote: > Earlier this month I proposed an interoperability testing meeting for > OpenPGP. A number of people have responded they are interested in > participating, and I've given some more thought to what we want to > accomplish. Rod Thayer and I had the opportunity to discuss it further > today, and a plan is beginning to take shape. > > The OpenPGP Oven-Cooking Competition (in deference to a local Minneapolis > company who feels another name impinges their reputation) is intended to > test compliance with 2440 in a variety of scenarios. I'll provide a > compliance matrix for the 2440 requirements that implementers can use as > a guide. The matrix will be reviewed both by Rod and by Jon Callas to > make sure I haven't missed anything important, or misstated anything. > And, of course, it will be published to this list as soon as possible for > your review. Uses of OpenPGP we anticipate testing are PGP/MIME, TLS > over OpenPGP, and IPSec over OpenPGP. We'll verify interoperation of key > generation, signing and verification. We're considering ways to verify > key server interoperability. However, there are no published protocols > for this. So I'm not sure what we can accomplish in this area. We'd > like to test implementations of the AES algorithms, as well as the > mandated algorithms in 2440. Execution speed isn't nearly as important > as correct execution of the protocols and underlying algorithms. But bear > in mind that I don't expect the meeting to last more than 2 days. <grin> > > Rod will create a more detailed test plan which we'll publish for > comments on the list. I'd like to aim at holding the Oven-Cooking > Competition sometime during June or July so that we can publish our > status on 2440 in time for the London meeting. Some people have > indicated they won't be able to participate in person, so one of the > things I'll arrange is a means for people to also test remotely. However, > I want to emphasize how valuable face-to-face meetings are for > interoperability testing. We'll be able to solve problems interactively, > and discover issues that otherwise may take a long time to surface. > > These are my general goals for the meeting. Please comment and offer > suggestions. That's the best way to insure this little confab serves > your needs as implementers and users of OpenPGP. > > -- > > john noerenberg > jwn2@qualcomm.com > > -------------------------------------------------------------------------- > Peace of mind isn't at all superficial, really. It's the whole thing. > That which produces it is good maintenance; that which disturbs it > is poor maintenance. > -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 > > -------------------------------------------------------------------------- Robert Guerra <rguerra@yahoo.com> WWW: http://www.geocities.com/rguerra/ Received: by above.proper.com (8.9.3/8.9.3) id RAA24786 for ietf-openpgp-bks; Mon, 19 Mar 2001 17:51:11 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA24782 for <ietf-openpgp@imc.org>; Mon, 19 Mar 2001 17:51:10 -0800 (PST) Received: from [135.222.66.224] (vpnap-g1-012029.qualcomm.com [10.13.12.29]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2K1pCV07012 for <ietf-openpgp@imc.org>; Mon, 19 Mar 2001 17:51:12 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <a05100603b6dc64969960@[135.222.66.224]> X-Mailer: Eudora [Macintosh version 5.1-0319010029] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Mon, 19 Mar 2001 19:50:49 -0600 To: OpenPGP mailing list <ietf-openpgp@imc.org> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Compatibility testing goals and planning Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Earlier this month I proposed an interoperability testing meeting for OpenPGP. A number of people have responded they are interested in participating, and I've given some more thought to what we want to accomplish. Rod Thayer and I had the opportunity to discuss it further today, and a plan is beginning to take shape. The OpenPGP Oven-Cooking Competition (in deference to a local Minneapolis company who feels another name impinges their reputation) is intended to test compliance with 2440 in a variety of scenarios. I'll provide a compliance matrix for the 2440 requirements that implementers can use as a guide. The matrix will be reviewed both by Rod and by Jon Callas to make sure I haven't missed anything important, or misstated anything. And, of course, it will be published to this list as soon as possible for your review. Uses of OpenPGP we anticipate testing are PGP/MIME, TLS over OpenPGP, and IPSec over OpenPGP. We'll verify interoperation of key generation, signing and verification. We're considering ways to verify key server interoperability. However, there are no published protocols for this. So I'm not sure what we can accomplish in this area. We'd like to test implementations of the AES algorithms, as well as the mandated algorithms in 2440. Execution speed isn't nearly as important as correct execution of the protocols and underlying algorithms. But bear in mind that I don't expect the meeting to last more than 2 days. <grin> Rod will create a more detailed test plan which we'll publish for comments on the list. I'd like to aim at holding the Oven-Cooking Competition sometime during June or July so that we can publish our status on 2440 in time for the London meeting. Some people have indicated they won't be able to participate in person, so one of the things I'll arrange is a means for people to also test remotely. However, I want to emphasize how valuable face-to-face meetings are for interoperability testing. We'll be able to solve problems interactively, and discover issues that otherwise may take a long time to surface. These are my general goals for the meeting. Please comment and offer suggestions. That's the best way to insure this little confab serves your needs as implementers and users of OpenPGP. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- Received: by above.proper.com (8.9.3/8.9.3) id BAA21919 for ietf-openpgp-bks; Mon, 19 Mar 2001 01:57:51 -0800 (PST) Received: from sheridan.uel.ac.uk (sheridan.uel.ac.uk [161.76.9.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA21911 for <ietf-openpgp@imc.org>; Mon, 19 Mar 2001 01:57:49 -0800 (PST) Received: from bkstud1.uel.ac.uk (bkstud1.uel.ac.uk [161.76.88.9]) by sheridan.uel.ac.uk (8.9.3+Sun/8.9.3) with ESMTP id JAA20825 for <ietf-openpgp@imc.org>; Mon, 19 Mar 2001 09:57:47 GMT Message-Id: <200103190957.JAA20825@sheridan.uel.ac.uk> Received: from BKSTUD1/SpoolDir by bkstud1.uel.ac.uk (Mercury 1.48); 19 Mar 01 10:01:55 GMT0BST Received: from SpoolDir by BKSTUD1 (Mercury 1.48); 19 Mar 01 10:01:46 GMT0BST From: "Nalaka Thusitha Illuppella" <ill1370v@bkstud1.uel.ac.uk> Organization: University Of East London To: ietf-openpgp@imc.org Date: Mon, 19 Mar 2001 10:01:43 GMT0BST MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: tiger hash algorithm X-mailer: Pegasus Mail for Win32 (v3.12b) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Dear Sir, I am a M.Sc student, studying for University of East London, Please email me the tiger hash algorithm. Thanks Nalaka Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id TAA13467 for ietf-openpgp-bks; Mon, 12 Mar 2001 19:00:23 -0800 (PST) Received: from magicn.com ([210.123.89.142]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA13455 for <ietf-openpgp@imc.org>; Mon, 12 Mar 2001 19:00:21 -0800 (PST) From: b4h443@arabia.com Received: from mail.eunet.sk ([63.24.177.98]) by magicn.com with Microsoft SMTPSVC(5.5.1877.537.53); Tue, 13 Mar 2001 11:55:31 +0900 Message-ID: <00000ba30d5b$000046c4$0000065d@mail.eunet.sk> To: <m6dspz3q371zz@telmex.net.mx> Subject: Tires of Cable TV raising there rates!!! Date: Mon, 12 Mar 2001 20:45:52 -0600 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal Reply-To: b4h443@arabia.com Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> <HTML> <BODY> <FONT face=3D"MS Sans Serif"> <FONT size=3D2> <FONT color=3D"#000000"> Tired of Cable TV raising their rates!!!<BR> Get Satellite TV<BR> YES ---YOU CAN WATCH DIFFERENT CHANNELS ON MULTIPLE TV'S<BR> YES ---YOU CAN GET LOCAL STATIONS<BR> Order Dish Network System with a one year plan, get FREE two receivers<= BR> and the 18" Dish with FREE basic professional installation.<BR> <BR> Why Bother? For $40.99 Get both receivers and the Top 100 Stations!<BR> With only one receiver and the Dish $35.99 Local Channels add $5.00<BR= > <BR> You will be charged a one time $49.99 fee when you order which includes= <BR> your first months service for FREE.<BR> THAT S IT!<BR> FLIP TO SATELLITE... ITS DIGITAL.. ITS GREAT...<BR> YOU'LL LOVE IT.<BR> Ready? Order by phone 1-888-235-5285 or e-mail us dishpeople@mail.com<B= R> <BR> REQUIREMENT- 1. One year service commitment.<BR> 2. Major credit Card<BR> 3. Southwest exposure to the sky.<BR> <BR> to be remove from future mailings e-mail us with the word "remove" in t= he subject lineat --- getmeoff@arabia.com<BR> <BR> Headquarters:<BR> 470 State Highway 10 West<BR> Ledgewood, New Jersey 07852-0338<BR> (973)252-9000<BR> www.1800technostores.com<BR> <BR> </FONT></FONT><p><p><p><p><p><p><p><p><p><p> <p><FONT face=3D"MS Sans Serif"><p><FONT size=3D2><p><FONT color=3D"#00000= 0"> Tired of Cable TV raising their rates!!!<BR><p> Get Satellite TV<BR>= <p><p><p><p><p><p><p></BODY></HTML> Received: by above.proper.com (8.9.3/8.9.3) id RAA09708 for ietf-openpgp-bks; Mon, 12 Mar 2001 17:10:29 -0800 (PST) Received: from mailserver.iwill.net (IDENT:root@mailserver.iwill.net [203.74.176.35]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA09704 for <ietf-openpgp@imc.org>; Mon, 12 Mar 2001 17:10:27 -0800 (PST) From: did342@arabia.com Received: from ns.opentec.com.mx (1Cust194.tnt34.dfw9.da.uu.net [63.62.253.194]) by mailserver.iwill.net (8.9.3/8.8.7) with SMTP id IAA19275; Tue, 13 Mar 2001 08:01:53 +0800 Message-ID: <000006ed3c2a$0000478e$00005e71@ns.opentec.com.mx> To: <lxtltpq0t7dtgjf5d@telmex.net.mx> Subject: Tired of Cable TV raising there rates!!!! Date: Mon, 12 Mar 2001 17:06:28 -0600 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal Reply-To: did342@arabia.com Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> <HTML> <BODY> <FONT face=3D"MS Sans Serif"> <FONT size=3D2> <FONT color=3D"#000000"> Tired of Cable TV raising their rates!!!<BR> Get Satellite TV<BR> YES ---YOU CAN WATCH DIFFERENT CHANNELS ON MULTIPLE TV'S<BR> YES ---YOU CAN GET LOCAL STATIONS<BR> Order Dish Network System with a one year plan, get FREE two receivers and= <BR> the 18" Dish with FREE basic professional installation.<BR> <BR> Why Bother? For $40.99 Get both receivers and the Top 100 Stations!<BR> With only one receiver and the Dish $35.99<BR> Local Channels add $5.00<BR> <BR> You will be charged a one time $49.99 fee when you order which includes yo= ur<BR> first months service for FREE.<BR> THAT S IT!<BR> FLIP TO SATELLITE... ITS DIGITAL.. ITS GREAT...<BR> YOU'LL LOVE IT.<BR> Ready? Order by phone 1-888-235-5285<BR> or e-mail us dishpeople@mail.com<BR> <BR> REQUIREMENT- 1. One year service commitment.<BR> 2. Major credit Card<BR> 3. Southwest exposure to the sky.<BR> <BR> to be remove from future mailings e-mail us with the word "remove" in the<= BR> subject line at ---- getmeoff@arabia.com <BR> <BR> Headquarters:<BR> 470 State Highway 10 West<BR> Ledgewood, New Jersey 07852-0338<BR> (973)252-9000<BR> www.1800technostores.com<BR> <BR> <BR> <BR> </FONT></FONT><p><p><p><p><p><p><p><p><p><p> <p><FONT face=3D"MS Sans Serif"><p><FONT size=3D2><p><FONT color=3D"#00000= 0"> Tired of Cable TV raising their rates!!!<BR><p>Get Satellite TV<BR><p>= YES ---YOU CAN WATCH DIFFERENT CHANNELS ON MULTIPLE TV'S<BR><p>YES ---YOU = CAN GET LOCAL STATIONS<BR><p>Order Dish Network System with a one year pla= n, get FREE two receivers and<BR><p><p><p><p><p><p></BODY></HTML> Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id RAA19311 for ietf-openpgp-bks; Tue, 6 Mar 2001 17:01:16 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA19307 for <ietf-openpgp@imc.org>; Tue, 6 Mar 2001 17:01:15 -0800 (PST) Received: from [129.46.77.86] (dhcp990305211402.qualcomm.com [129.46.77.86]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f2711Gx10409 for <ietf-openpgp@imc.org>; Tue, 6 Mar 2001 17:01:17 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <a0510011cb6c9e29935b4@[129.46.77.86]> In-Reply-To: <a05100100b6c05c88332f@[199.106.117.178]> References: <20010125135932.L15272@alberti.gnupg.de> <tgae7vbtyb.fsf@mercury.rus.uni-stuttgart.de> <20010212105012.A27199@sobolev.does-not-exist.org> <20010212.191247.74718089.kazu@iijlab.net> <20010212120440.E1539@alberti.gnupg.de> <a05100100b6c05c88332f@[199.106.117.178]> X-Mailer: Eudora [Macintosh version 5.1-0306010811] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Tue, 6 Mar 2001 17:01:05 -0800 To: ietf-openpgp@imc.org From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: Finalizing OpenPGP/MIME? - Mtg in Mpls Content-Type: multipart/alternative; boundary="============_-1228195617==_ma============" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --============_-1228195617==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 11:30 AM -0800 2/26/01, John W Noerenberg II wrote: >I'm gonna schedule an hour in Minneapolis for OpenPGP. Main thing >on the list is to deal with PGP/MIME. If not enough of us are going >to show, I'll cancel. But let's get on the agenda. 1415-1515 Afternoon Sessions II APP simple SIP for Instant Messaging and Presence Leveraging Extensions BOF INT multi6 How Should We Multihome In IPv6 BOF OPS hubmib Ethernet Interfaces and Hub MIB WG RTG idmr Inter-Domain Multicast Routing WG SEC openpgp An Open Specification for Pretty Good Privacy WG SEC hip Host Identity Payload BOF TSV ippm IP Performance WG We have our slot on Tuesday. I'm open to suggestions for our agenda, and for confirmations on whether you'll attend. --============_-1228195617==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type=""><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>Re: Finalizing OpenPGP/MIME? - Mtg in Mpls</title></head><body> <div>At 11:30 AM -0800 2/26/01, John W Noerenberg II wrote:</div> <blockquote type="" cite>I'm gonna schedule an hour in Minneapolis for OpenPGP. Main thing on the list is to deal with PGP/MIME. If not enough of us are going to show, I'll cancel. But let's get on the agenda.</blockquote> <div><br></div> <div><br></div> <div>1415-1515 Afternoon Sessions II<br> APP simple SIP for Instant Messaging and Presence Leveraging Extensions BOF<br> INT multi6 How Should We Multihome In IPv6 BOF<br> OPS hubmib Ethernet Interfaces and Hub MIB WG<br> RTG idmr Inter-Domain Multicast Routing WG<br> SEC openpgp An Open Specification for Pretty Good Privacy WG<br> SEC hip Host Identity Payload BOF</div> <div>TSV ippm IP Performance WG</div> <div><font face="Charcoal" color="#000000"><br></font></div> <div>We have our slot on Tuesday. I'm open to suggestions for our agenda, and for confirmations on whether you'll attend.</div> </body> </html> --============_-1228195617==_ma============-- Received: by above.proper.com (8.9.3/8.9.3) id LAA16932 for ietf-openpgp-bks; Mon, 5 Mar 2001 11:42:29 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA16927 for <ietf-openpgp@imc.org>; Mon, 5 Mar 2001 11:42:28 -0800 (PST) Received: from [129.46.77.86] (dhcp990305211402.qualcomm.com [129.46.77.86]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f25JgS020060; Mon, 5 Mar 2001 11:42:28 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <a05100109b6c996ce6701@[129.46.77.86]> X-Mailer: Eudora [Macintosh version 5.1-030401] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Mon, 5 Mar 2001 11:38:51 -0800 To: OpenPGP mailing list <ietf-openpgp@imc.org> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: interoperability testing of OpenPGP Cc: "Philip R. Zimmermann" <prz@pgp.com> Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I'm investigating the possibility of hosting an openpgp interoperability testing workshop (there's another name for this, but Pillsbury seems to think it is improper for other organizations to use it) at Qualcomm in our San Diego facilities. I'd like to know how many people would be interested in participating, particularly those willing to come in person. Please respond to me personally (rather than litter the mailing list). I'll summarize and report back. Phil Zimmerman and I have discussed this, and it would be in connection with the OpenPGP Consortium he is organizing. This has particular value for this WG, since it will help us assess where we stand w/r/t DRAFT status for rfc2440. I am hopeful there will be several willing and able to participate! best, -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- Received: by above.proper.com (8.9.3/8.9.3) id LAA16286 for ietf-openpgp-bks; Mon, 5 Mar 2001 11:28:55 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA16281 for <ietf-openpgp@imc.org>; Mon, 5 Mar 2001 11:28:54 -0800 (PST) Received: from [129.46.77.86] (dhcp990305211402.qualcomm.com [129.46.77.86]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f25JSp016412; Mon, 5 Mar 2001 11:28:51 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <a05100108b6c996bc62e7@[129.46.77.86]> In-Reply-To: <20010305191608.A25672@sobolev.does-not-exist.org> References: <200102132359.PAA03769@finney.org> <a05100100b6c97a5db888@[199.106.106.131]> <20010305191608.A25672@sobolev.does-not-exist.org> X-Mailer: Eudora [Macintosh version 5.1-030401] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Mon, 5 Mar 2001 11:17:25 -0800 To: Thomas Roessler <roessler@does-not-exist.org> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: PGP/MIME implementors: text mode vs. binary mode? Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 7:16 PM +0100 3/5/01, Thomas Roessler wrote: > >That's perfectly compatible with draft-05: Trailing white space will >be protected by the quoted-printable encoding of the flowed text, so >there is _no_ trailing whitespace in the signed material as the hash >algorithm sees it. Well done. Received: by above.proper.com (8.9.3/8.9.3) id KAA12967 for ietf-openpgp-bks; Mon, 5 Mar 2001 10:17:36 -0800 (PST) Received: from smtp2.nikoma.de (smtp2.nikoma.de [212.122.128.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA12963 for <ietf-openpgp@imc.org>; Mon, 5 Mar 2001 10:17:33 -0800 (PST) Received: from sobolev.does-not-exist.org (dialin4.pg5-nt.frankfurt.nikoma.de [213.54.36.4]) by smtp2.nikoma.de (8.9.3/8.9.3) with ESMTP id TAA52030 for <ietf-openpgp@imc.org>; Mon, 5 Mar 2001 19:17:22 +0100 (CET) (envelope-from roessler@does-not-exist.org) Received: by sobolev.does-not-exist.org (Postfix, from userid 1000) id 33EB82ED15; Mon, 5 Mar 2001 19:16:08 +0100 (CET) Date: Mon, 5 Mar 2001 19:16:08 +0100 From: Thomas Roessler <roessler@does-not-exist.org> To: ietf-openpgp@imc.org Subject: Re: PGP/MIME implementors: text mode vs. binary mode? Message-ID: <20010305191608.A25672@sobolev.does-not-exist.org> Mail-Followup-To: ietf-openpgp@imc.org References: <200102132359.PAA03769@finney.org> <a05100100b6c97a5db888@[199.106.106.131]> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.16i In-Reply-To: <a05100100b6c97a5db888@[199.106.106.131]>; from jwn2@qualcomm.com on Mon, Mar 05, 2001 at 09:28:14AM -0800 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 2001-03-05 09:28:14 -0800, John W Noerenberg II wrote: > Have you considered the implications of format=flowed (rfc2646)? > Specifically: > 4.6. Digital Signatures and Encryption > > If a message is digitally signed or encrypted it is important that > cryptographic processing use the on-the-wire Format=Flowed format. > That is, during generation the message SHOULD be prepared for > transmission, including addition of soft line breaks, space-stuffing, > and [Quoted-Printable] encoding (to protect soft line breaks) before > being digitally signed or encrypted; similarly, on receipt the > message SHOULD have the signature verified or be decrypted before > [Quoted-Printable] decoding and removal of stuffed spaces, soft line > breaks and quote marks, and reflowing. That's perfectly compatible with draft-05: Trailing white space will be protected by the quoted-printable encoding of the flowed text, so there is _no_ trailing whitespace in the signed material as the hash algorithm sees it. -- Thomas Roessler <roessler@does-not-exist.org> This message may have been certified to be possibly virus-free. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id JAA10568 for ietf-openpgp-bks; Mon, 5 Mar 2001 09:29:38 -0800 (PST) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA10562 for <ietf-openpgp@imc.org>; Mon, 5 Mar 2001 09:29:37 -0800 (PST) Received: from [129.46.77.86] (dhcp990305211402.qualcomm.com [129.46.77.86]) by mage.qualcomm.com (8.11.2/8.11.2/1.0) with ESMTP id f25HTC009843; Mon, 5 Mar 2001 09:29:12 -0800 (PST) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <a05100100b6c97a5db888@[199.106.106.131]> In-Reply-To: <200102132359.PAA03769@finney.org> References: <200102132359.PAA03769@finney.org> X-Mailer: Eudora [Macintosh version 5.1-030401] X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Mon, 5 Mar 2001 09:28:14 -0800 To: hal@finney.org From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: PGP/MIME implementors: text mode vs. binary mode? Cc: roessler@does-not-exist.org, warlord@mit.edu, hal@finney.org, ietf-openpgp@imc.org Content-Type: multipart/alternative; boundary="============_-1228309142==_ma============" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --============_-1228309142==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 3:59 PM -0800 2/13/01, hal@finney.org wrote: >Isn't the real, operational issue here a question of whether trailing >white space should be hashed? The choices are to say yes, or no, or it >depends on the type byte in the signature. Have you considered the implications of format=flowed (rfc2646)? Specifically: 4.6. Digital Signatures and Encryption If a message is digitally signed or encrypted it is important that cryptographic processing use the on-the-wire Format=Flowed format. That is, during generation the message SHOULD be prepared for transmission, including addition of soft line breaks, space-stuffing, and [Quoted-Printable] encoding (to protect soft line breaks) before being digitally signed or encrypted; similarly, on receipt the message SHOULD have the signature verified or be decrypted before [Quoted-Printable] decoding and removal of stuffed spaces, soft line breaks and quote marks, and reflowing. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- --============_-1228309142==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type=""><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>Re: PGP/MIME implementors: text mode vs. binary mode?</title></head><body> <div>At 3:59 PM -0800 2/13/01, hal@finney.org wrote:</div> <blockquote type="" cite>Isn't the real, operational issue here a question of whether trailing<br> white space should be hashed? The choices are to say yes, or no, or it<br> depends on the type byte in the signature.</blockquote> <div><br></div> <div>Have you considered the implications of format=flowed (rfc2646)? Specifically:</div> <div><br></div> <blockquote>4.6. Digital Signatures and Encryption</blockquote> <blockquote><br></blockquote> <blockquote> If a message is digitally signed or encrypted it is important that</blockquote> <blockquote> cryptographic processing use the on-the-wire Format=Flowed format.</blockquote> <blockquote> That is, during generation the message SHOULD be prepared for</blockquote> <blockquote> transmission, including addition of soft line breaks, space-stuffing,</blockquote> <blockquote> and [Quoted-Printable] encoding (to protect soft line breaks) before</blockquote> <blockquote> being digitally signed or encrypted; similarly, on receipt the</blockquote> <blockquote> message SHOULD have the signature verified or be decrypted before</blockquote> <blockquote> [Quoted-Printable] decoding and removal of stuffed spaces, soft line</blockquote> <blockquote> breaks and quote marks, and reflowing.</blockquote> <div><br></div> <div><tt><br></tt></div> <x-sigsep><pre> -- </pre></x-sigsep> <div><br> john noerenberg<br> jwn2@qualcomm.com<br> ---------------------------------------------------------------------<span ></span>-----<br> Peace of mind isn't at all superficial, really. It's the whole thing.<br> That which produces it is good maintenance; that which disturbs it<br> is poor maintenance.<br> -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974<br> ---------------------------------------------------------------------<span ></span>-----</div> </body> </html> --============_-1228309142==_ma============-- Received: by above.proper.com (8.9.3/8.9.3) id KAA23381 for ietf-openpgp-bks; Sat, 3 Mar 2001 10:28:33 -0800 (PST) Received: from mail.kelyan.it (mail.kelyan.it [213.26.197.120]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA23371 for <ietf-openpgp@imc.org>; Sat, 3 Mar 2001 10:28:32 -0800 (PST) From: did342@arabia.com Received: from mailhost.ggtech.com ([206.216.141.97] unverified) by mail.kelyan.it with Microsoft SMTPSVC(5.0.2195.1600); Sat, 3 Mar 2001 19:15:11 +0100 Message-ID: <000019f63781$0000332a$0000386c@mail.aisco.com> To: <j0vz7c8y@psd.co.ae> Subject: Brand New Email Pager FR-EE 1203 Date: Sat, 03 Mar 2001 12:04:53 -0600 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal Reply-To: did342@arabia.com X-OriginalArrivalTime: 03 Mar 2001 18:15:11.0734 (UTC) FILETIME=[E30F6160:01C0A40D] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> <HTML> <BODY> <FONT face=3D"MS Sans Serif"> <FONT size=3D2> <FONT color=3D"#000000"> Brand New Pager for FR-EE!<BR> <BR> No long term contract<BR> No big prepayment of airtime<BR> No credit check<BR> <BR> Put Free pagers on your kids - Give one to your loved ones - For FR-EE<BR> <BR> Here at Paging America we are excited to be offering you this exclusive, t= op of the line, full featured pager in your choice<BR> of color for FR-EE. This side viewable display pager is one of the smalles= t and lightest pagers on the market today.<BR> <BR> <BR> Call 877-699-8545 to be Guaranteed Your FR-EE Pager Today<BR> <BR> <BR> Your pager will hold up to 20 numeric messages. It has 9 musi alerts and s= ilent vibration. New FLEX technology provides three<BR> times the battery life. Also, message time and date stamping and smart ala= rm so you can set a daily or weekly reminder.<BR> This pager comes in black, teal and blue. <BR> <BR> To receive your free pager all we ask is that you allow us to provide you = with the monthly airtime cancelable at any time.<BR> There is no long term contract.<BR> Just call the toll free number and we'll ship your Free pager to you imme= diately in your choice of color already programmed with<BR> a local telephone number for your town. <BR> <BR> Make this easy phone call and we will deliver your pager immediately.<BR> <BR> <BR> Call 877-699-8545 to get in on this exciting offer today<BR> <BR> <BR> </FONT></FONT><p><p><p><p><p><p><p><p><p><p> <p><FONT face=3D"MS Sans Serif"><p><p><p><p><p><p><p><p><p><p></BODY></HTML> Received: by above.proper.com (8.9.3/8.9.3) id DAA24641 for ietf-openpgp-bks; Fri, 2 Mar 2001 03:46:06 -0800 (PST) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA24637 for <ietf-openpgp@imc.org>; Fri, 2 Mar 2001 03:46:04 -0800 (PST) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA25605; Fri, 2 Mar 2001 06:46:03 -0500 (EST) Message-Id: <200103021146.GAA25605@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-openpgp@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-openpgp-mime-05.txt Date: Fri, 02 Mar 2001 06:46:03 -0500 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the An Open Specification for Pretty Good Privacy Working Group of the IETF. Title : MIME Security with OpenPGP Author(s) : M. Elkins, D. Del Torto, R. Levien, T. Roessler Filename : draft-ietf-openpgp-mime-05.txt Pages : 13 Date : 01-Mar-01 This document describes how the OpenPGP Message Format [1] can be used to provide privacy and authentication using the Multipurpose Internet Mail Extensions (MIME) security content types described in RFC1847 [2]. This draft is being discussed on the 'ietf-openpgp' mailing list. To join the list, send a message to <ietf-openpgp-request@imc.org> with the single word 'subscribe' in the subject. An archive of the working group's list is located at <http://www.imc.org/ietf-openpgp>. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-openpgp-mime-05.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-openpgp-mime-05.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-openpgp-mime-05.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010301141254.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-openpgp-mime-05.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-openpgp-mime-05.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010301141254.I-D@ietf.org> --OtherAccess-- --NextPart--
- Date fields Jacques Exelrud
- Re: Date fields hal
- Re: Date fields Michael Young