Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Andrew Gallagher <andrewg@andrewg.com> Wed, 01 March 2023 12:46 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE0FC14F736 for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 04:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-1Z_MuiKeYn for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 04:46:28 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B495C14F731 for <openpgp@ietf.org>; Wed, 1 Mar 2023 04:46:27 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id F05AF5F4CF for <openpgp@ietf.org>; Wed, 1 Mar 2023 12:46:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677674784; bh=ru6rq7EsT2ghAx0IRG2aPwmFk+D08MGKNxihxYw8OZU=; h=Date:To:References:From:Subject:In-Reply-To:From; b=qeT4PuW3Sy47UcXpSECiiEn0+P1NYRmPyVgO2Eqv+kjes3qIWtfcRDtQSX9Ueo6bF 8/hOQC91ur1o5y25ji5kKOSeNQvi6LinnY0y1v4Rwtq+BuXdQiWlzYgHHsgZ17uL2A 3Esj3Fmc9P5ni/SRUhiXGL5IoUJF/Cclcos6CIU/ZYnJJz7JYubveHW8u++euGwk+L fLp8+BzrAEzyKv58NfTnSxoI/kIWpkryVx6PJd2FdMHNgReWMS0dmyNulE7+1+KKFi Ec4uuYEssjMqWeK8miIXGQlqxU2j5C6LTwJYpJgRk2rTX9Zba8cM3c5vheN5F5uUZG hWLsPbXhdjn/Q==
Message-ID: <3ed6c60b-bf60-ba53-dce5-b9e9469713ff@andrewg.com>
Date: Wed, 01 Mar 2023 12:46:22 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87wn41ru96.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/n6ypu5mkHrpAxHpZ11_d5uCbpeo>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 12:46:34 -0000
On 01/03/2023 04:05, Daniel Kahn Gillmor wrote: > Thanks for proposing text, Andrew. I'm trying to figure out what it > does, though, and why, and i'm struggling a bit. > > On Tue 2023-02-28 15:17:01 +0000, Andrew Gallagher proposed: > >> An implementation MAY accept v3 or v4 signatures where these octets >> don't match the computed hash but the signature is otherwise valid. > > If we're going to add the above sentence, i'd want some kind of clearer > explanation of why the carveout is in place. We could prefix it with: ``` RFC4880 did not specify that implementations must reject v3 or v4 signatures with incorrect prefix octets, and this allowed a significant number of apparently valid but malformed signatures to accumulate in the wild. ``` > Or we could just not say anything new about v3/v4 here, because this is > a doc largely aiming to define v6 in a way that doesn't cause the same > problems. That would be an option, but if we can't come to a consensus on a common treatment of malformed signatures, I would much prefer to actively record that lack of consensus. The background is that Hockeypuck received complaints that it was not serving certain (supposedly valid) keys. This was caused by a test of the prefix octets in protonmail/gopenpgp. I asked if that test could be (perhaps optionally) skipped but protonmail were reluctant to support it without the cover of spec, and I didn't want to cut and paste a large chunk of their code into Hockeypuck just so I could comment out three lines of it. If users of lenient implementations such as gnupg are happy to work with github's malformed but otherwise usable key, IMO the keyservers should get out of their way. So I'd prefer to actively permit implementations to drop this check. I'm relaxed about how this is done, but I would not be happy with either mandating rejection of these sigs or leaving the behaviour undefined. A
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher