Re: [openpgp] subkey revocation signatures -- RFC compliance?

David Shaw <dshaw@jabberwocky.com> Fri, 27 July 2012 12:53 UTC

Return-Path: <dshaw@jabberwocky.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F9821F865A for <openpgp@ietfa.amsl.com>; Fri, 27 Jul 2012 05:53:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MausXVQQYnxG for <openpgp@ietfa.amsl.com>; Fri, 27 Jul 2012 05:53:57 -0700 (PDT)
Received: from walrus.jabberwocky.com (walrus.jabberwocky.com [173.9.29.57]) by ietfa.amsl.com (Postfix) with ESMTP id F41A921F8667 for <openpgp@ietf.org>; Fri, 27 Jul 2012 05:53:56 -0700 (PDT)
Received: from grover.home.jabberwocky.com (grover.home.jabberwocky.com [172.24.84.28]) (authenticated bits=0) by walrus.jabberwocky.com (8.14.4/8.14.4) with ESMTP id q6RCrs0x004073 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 27 Jul 2012 08:53:55 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: David Shaw <dshaw@jabberwocky.com>
In-Reply-To: <87ehnxg6lj.fsf@pip.fifthhorseman.net>
Date: Fri, 27 Jul 2012 08:53:54 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <23DE1DDA-670B-4BDB-84C4-71BAF63AA928@jabberwocky.com>
References: <87ehnxg6lj.fsf@pip.fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.1278)
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] subkey revocation signatures -- RFC compliance?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2012 12:53:57 -0000

On Jul 27, 2012, at 12:39 AM, Daniel Kahn Gillmor wrote:

> Hi folks--
> 
> I think i'm seeing a discrepancy between packets generated by a popular
> OpenPGP implementation (GnuPG) and RFC 4880.  I'm wondering if anyone
> can help clarify my understanding of the RFC.
> 
> https://tools.ietf.org/html/rfc4880#section-5.2.4 says:
> 
> [...]
>   When a signature is made over a key, the hash data starts with the
>   octet 0x99, followed by a two-octet length of the key, and then body
>   of the key packet.  (Note that this is an old-style packet header for
>   a key packet with two-octet length.)  A subkey binding signature
>   (type 0x18) or primary key binding signature (type 0x19) then hashes
>   the subkey using the same format as the main key (also using 0x99 as
>   the first octet).  Key revocation signatures (types 0x20 and 0x28)
>   hash only the key being revoked.
> [...]
> 
> Note that 0x28 is a subkey revocation signature.
> 
> The subkey revocation packet generated by GnuPG 1.4.12 appears to be
> made over a digest that includes both the primary key and the subkey.
> 
> This seems to be in contrast to the idea that it "revocation signatures
> hash only the key being revoked."

Interesting.  Digging around a bit, it seems that this was noticed by Marc Horowitz in 2000 (see http://www.mhonarc.org/archive/html/ietf-openpgp/2000-12/msg00001.html ), but for one reason or another it wasn't resolved before publication.

Nice catch!  I think this would be a good errata item for the RFC.  http://www.rfc-editor.org/how_to_report.html

David