Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 28 May 2023 14:50 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6AAC14CE27 for <openpgp@ietfa.amsl.com>; Sun, 28 May 2023 07:50:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="vjTcgrVL"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="4ivjWHJO"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrNLs-mk6utC for <openpgp@ietfa.amsl.com>; Sun, 28 May 2023 07:50:29 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F4A8C14CE25 for <openpgp@ietf.org>; Sun, 28 May 2023 07:50:28 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1685285426; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=zEvx7d4xtge+ori/1xCDqpwL4YZ7WEbKvtekPSm7Zek=; b=vjTcgrVLI1mNKdCVJk1N03sUYp2Lta9I3ez2Y/xcDnuvXzVK1I6PahQtvy3jYT6mCEGbI vG7hxG0TXCbDx/nCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1685285426; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=zEvx7d4xtge+ori/1xCDqpwL4YZ7WEbKvtekPSm7Zek=; b=4ivjWHJOzgAdQGDqtkmPvfy3XQVRl/sKbu81F+j19GcdOFe/34kM6SbQKtbMeFLqsIcTs gPQP7zS9OmTRrpEnhtHMEfrsbho9AYNpBBdiSg2blKFg9zGJMfJ4b/KuySRACm/5QfO599D 6YTdNSlqzERIDStgO4+hCTP2yI6sznVScfNL/J4Rnw3RHUyeIzyw7RGuqzEcQIVMoQc0z2e UoRTbrtWN6JGVWJAt3q2YzHvW2OQjJmNCEYwaH6DtVtekyyR5gM+vx9tdSWoPVuLvuoBEY0 KugaDMJOF2d7mUQbxLOSDWYrzyOSoZwRpbdCeRCanbIbOD+D53XlOWx9JAJA==
Received: from fifthhorseman.net (unknown [88.239.15.192]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 82425F9AD; Sun, 28 May 2023 10:50:26 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 8E9D12055E; Sun, 28 May 2023 10:50:21 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Vincent Breitmoser <look@my.amazin.horse>, openpgp@ietf.org
In-Reply-To: <7c9f97df-f06b-6f87-3776-8f351289cb31@my.amazin.horse>
References: <LaSdaOASqnixctT3XuZHNIeldK2IPqJvHbqo_qkFjdrMBOQ4SKhiWl_76xq2P6l2Wts9rJ6MTTRLfpj9sqyG4_F4etjNcgEt6pmmtuyfsBY=@protonmail.com> <87h6s2hezc.fsf@fifthhorseman.net> <7c9f97df-f06b-6f87-3776-8f351289cb31@my.amazin.horse>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Sun, 28 May 2023 16:50:20 +0200
Message-ID: <87ilcc5x3n.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/mPJDRqK8798In5cTvYzG6Lo_h5o>
Subject: Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 May 2023 14:50:34 -0000
On Wed 2023-05-24 15:40:11 +0200, Vincent Breitmoser wrote: > # Drop CSF headers altogether Thanks for this proposal, Vincent. I think it is mostly equivalent to the "Drop SaltedHash" proposal, with the added benefit of mildly discouraging the Hash: header itself (we can't say "MUST NOT generate" absolutely because implementations want legacy clients to be able to validate). I was initially quite wary of this approach, but seeing the discussion on-list and thinking through all the options, i think it's the best one. We'd basically be telling interpreting implementations that they should ignore any Hash header (otherwise we'd break interoperability with CSF messages from old clients), and telling generating implementations that they need not emit a Hash header at all for messages with v4 signatures. Another way of framing this argument is that CSF is designed for data that a human will look at and make sense of directly. if the CSF message itself is too large to fit into RAM, it is certainly too large for a human to hold in their understand or hold in their mind as well, which means it's a poor candidate for CSF in the first place. So a streaming interface shouldn't be necessary. RFC 4880 said that previous clearsigned messages without a Hash: header used MD5 (this appears to be historical RFC 1991 mechanism). Since we're already saying that signatures made over MD5 shouldn't be validated due to the weakness of the digest, there isn't even a semantic collision. Furthermore, existing implementations are brittle even about the Hash: header itself. For example, many implementations will reject a CSF message that indicates that one of the embedded signatures uses a novel hash algorithm (you can try this by swapping out "Hash: SHA256" for "Hash: SHA256,Bananas", or even "Hash: SHA256,SHA3_256" for an implementation that doesn't yet know about SHA3. So the "Hash:" armor header: - Appears to be valuable only in providing a streaming interface for CSF verifiers - Is brittle in existing implementations - Is distracting/confusing to humans who try to read a message in its plaintext form Seems like a good reason to drop it. > https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/313 This proposal is a reasonable implementation of this approach. I've added a few comments there, in particular suggesting: - That we indicate that the Hash: header is deprecated. - That we describe the circumstances where an implementation might want to actually emit a Hash: header (when the CSF message contains a v4 sig over a sha2 digest) - That we direct validators to ignore any Hash: header in a CSF message if folks think any of these concrete recommendations are problematic, please speak up. --dkg
- [openpgp] Backwards compatibility vs streaming ve… Daniel Huigens
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Huigens
- Re: [openpgp] Backwards compatibility vs streamin… Justus Winter
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Vincent Breitmoser
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor
- Re: [openpgp] Backwards compatibility vs streamin… Andrew Gallagher
- Re: [openpgp] Backwards compatibility vs streamin… Paul Wouters
- Re: [openpgp] Backwards compatibility vs streamin… iang
- Re: [openpgp] Backwards compatibility vs streamin… vedaal
- Re: [openpgp] Backwards compatibility vs streamin… Justus Winter
- Re: [openpgp] Backwards compatibility vs streamin… Vincent Breitmoser
- Re: [openpgp] Backwards compatibility vs streamin… Paul Wouters
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Huigens
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor
- Re: [openpgp] Backwards compatibility vs streamin… Daniel Kahn Gillmor