Re: [openpgp] Deprecating SHA1

"Neal H. Walfield" <neal@walfield.org> Fri, 30 October 2020 09:51 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC06D3A0D7E for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2020 02:51:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ud-CAAp8HwCl for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2020 02:51:05 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3336F3A0D7C for <openpgp@ietf.org>; Fri, 30 Oct 2020 02:51:02 -0700 (PDT)
Received: from pd9e79cc0.dip0.t-ipconnect.de ([217.231.156.192] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1kYR3k-0005vm-5v for openpgp@ietf.org; Fri, 30 Oct 2020 09:51:00 +0000
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1kYR3j-0005ej-L6; Fri, 30 Oct 2020 10:50:59 +0100
Date: Fri, 30 Oct 2020 10:50:59 +0100
Message-ID: <87d010vy7w.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: "Neal H. Walfield" <neal@walfield.org>, openpgp@ietf.org
In-Reply-To: <20201025010343.GA1089002@fullerene.field.pennock-tech.net>
References: <87sga5xg03.wl-neal@walfield.org> <20201023192317.GA444398@fullerene.field.pennock-tech.net> <87lffvy6kf.wl-neal@walfield.org> <20201025010343.GA1089002@fullerene.field.pennock-tech.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?ISO-8859-4?Q?Goj=F2?=) APEL/10.8 EasyPG/1.0.0 Emacs/26 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lk7wJ3IAE2no7__3BN8Qp_d7Wtw>
Subject: Re: [openpgp] Deprecating SHA1
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 09:51:09 -0000

On Sun, 25 Oct 2020 02:03:43 +0100,
Phil Pennock wrote:
> For myself, even with the oldest key, using expiring subkeys and
> refreshing periodically with newer subkeys, everything _except_ the
> self-sig had updated automatically by the time I went looking.

Right.  User ID self signatures are the worse offenders, but subkey
binding signatures are also a problem.  I collected some statistics
about different projects.  You can find them here:

  https://gitlab.com/sequoia-pgp/sequoia/-/issues/595

It seems that there are 19 certificates in the Debian keyring that
have non-revoked, live signing-capable subkeys that rely on SHA-1 in
someway.  10 use SHA1 for the subkey binding signature, and 9 only use
it for the primary key binding signature (the backsig).  That's just
over 2% of the certificates in the Debian keyring.  Arch is about the
same (2 of 76 certificates).

Although it is possible to fix the subkey binding signature by
adjusting the subkey's expiration time, using gpg, this won't update
the backsig, see:

  https://dev.gnupg.org/T5110

> I think really we need some nice pgpkey-sanitycheck command-line tool,
> from any project, which looks purely at public key information, so
> doesn't need to care about internals (private keys, keyboxes, etc).
> 
> Such a tool might then report on outdated algorithms used in important
> places, while avoiding getting into the political mess of which
> algorithm order preferences should be included in a key.
> 
> Deprecating X without tools to make it _trivial_ for people to tell if
> they're affected by X is going to be frustrating.  In my previous email,
> I didn't mention the diagnostics I used to show people that their key
> was affected, but it involved `gpg --list-packets` and it was not
> pretty.

Indeed.  Unfortunately, `gpg --list-packets` doesn't show the content
of the backsig:

  $ gpg --export FPR | gpg --list-packets
  ...
  # off=806 ctb=89 tag=2 hlen=3 plen=346
  :signature packet: algo 1, keyid A23C95250F66162A
  	version 4, created 1603438577, md5len 0, sigclass 0x18
  	digest algo 10, begin of digest e9 34
  	hashed subpkt 27 len 1 (key flags: 02)
  	hashed subpkt 33 len 21 (issuer fpr v4 2...)
  	hashed subpkt 2 len 4 (sig created 2020-10-23)
  	hashed subpkt 9 len 4 (key expires after 3y0d0h5m)
**  	subpkt 32 len 156 (signature: v4, class 0x19, algo 1, digest algo 2)
  	subpkt 16 len 8 (issuer key ID A...)
  	data: [1024 bits]

For what it is worth, `pgpdump` `sq packet dump` (also at
https://dump.sequoia-pgp.org), and `rnp --list-packets` do show that
information.

> I held off on "asking others to write software for me" in the previous
> post, keeping it to "this exists now".  This time around, I'm throwing
> out a "Hey, pgpkey-sanitycheck would be a nice tool to have, folks" and
> running away.

The tool that I used to conduct my analysis is available here:

  https://gitlab.com/sequoia-pgp/keyring-linter

(Eventually we plan to integrate a linter into `sq`.)

Justus was nice enough to upload it to crates.io:

  https://crates.io/crates/sequoia-keyring-linter

So it should be just a `cargo install sequoia-keyring-linter` away.

And, if I understood dkg correctly, he is in the process of packaging
it for Debian.

:) Neal