IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Wed, 01 March 2023 12:46 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE0FC14F736 for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 04:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-1Z_MuiKeYn for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 04:46:28 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B495C14F731 for <openpgp@ietf.org>; Wed, 1 Mar 2023 04:46:27 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id F05AF5F4CF for <openpgp@ietf.org>; Wed, 1 Mar 2023 12:46:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677674784; bh=ru6rq7EsT2ghAx0IRG2aPwmFk+D08MGKNxihxYw8OZU=; h=Date:To:References:From:Subject:In-Reply-To:From; b=qeT4PuW3Sy47UcXpSECiiEn0+P1NYRmPyVgO2Eqv+kjes3qIWtfcRDtQSX9Ueo6bF 8/hOQC91ur1o5y25ji5kKOSeNQvi6LinnY0y1v4Rwtq+BuXdQiWlzYgHHsgZ17uL2A 3Esj3Fmc9P5ni/SRUhiXGL5IoUJF/Cclcos6CIU/ZYnJJz7JYubveHW8u++euGwk+L fLp8+BzrAEzyKv58NfTnSxoI/kIWpkryVx6PJd2FdMHNgReWMS0dmyNulE7+1+KKFi Ec4uuYEssjMqWeK8miIXGQlqxU2j5C6LTwJYpJgRk2rTX9Zba8cM3c5vheN5F5uUZG hWLsPbXhdjn/Q==
Message-ID: <3ed6c60b-bf60-ba53-dce5-b9e9469713ff@andrewg.com>
Date: Wed, 01 Mar 2023 12:46:22 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87wn41ru96.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/n6ypu5mkHrpAxHpZ11_d5uCbpeo>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 12:46:34 -0000

On 01/03/2023 04:05, Daniel Kahn Gillmor wrote:
> Thanks for proposing text, Andrew.  I'm trying to figure out what it
> does, though, and why, and i'm struggling a bit.
> 
> On Tue 2023-02-28 15:17:01 +0000, Andrew Gallagher proposed:
> 
>> An implementation MAY accept v3 or v4 signatures where these octets
>> don't match the computed hash but the signature is otherwise valid.
> 
> If we're going to add the above sentence, i'd want some kind of clearer
> explanation of why the carveout is in place.

We could prefix it with:

```
RFC4880 did not specify that implementations must reject v3 or v4 
signatures with incorrect prefix octets, and this allowed a significant 
number of apparently valid but malformed signatures to accumulate in the 
wild.
```

> Or we could just not say anything new about v3/v4 here, because this is
> a doc largely aiming to define v6 in a way that doesn't cause the same
> problems.

That would be an option, but if we can't come to a consensus on a common 
treatment of malformed signatures, I would much prefer to actively 
record that lack of consensus.

The background is that Hockeypuck received complaints that it was not 
serving certain (supposedly valid) keys. This was caused by a test of 
the prefix octets in protonmail/gopenpgp. I asked if that test could be 
(perhaps optionally) skipped but protonmail were reluctant to support it 
without the cover of spec, and I didn't want to cut and paste a large 
chunk of their code into Hockeypuck just so I could comment out three 
lines of it.

If users of lenient implementations such as gnupg are happy to work with 
github's malformed but otherwise usable key, IMO the keyservers should 
get out of their way. So I'd prefer to actively permit implementations 
to drop this check. I'm relaxed about how this is done, but I would not 
be happy with either mandating rejection of these sigs or leaving the 
behaviour undefined.

A

v2.23.0 | Report a Bug | By Email