Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Thu, 02 March 2023 10:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/u_Dr0GZjSMGFlL0Gql554j_coE8>

On 02/03/2023 09:44, Justus Winter wrote:
> I don't think either warrants a clarification for v4 (let alone v3)
> signatures.

I was erring on the side of caution. However, in the interests of moving 
this along, I withdraw the last sentence of my proposed text.

It now reads:

```
RFC4880 did not specify that implementations must reject v3 or v4 
signatures with incorrect prefix octets, and this allowed a significant 
number of apparently valid but malformed signatures to accumulate in the 
wild.
An implementation MAY accept v3 or v4 signatures where these octets 
don't match the computed hash but the signature is otherwise valid.
```

A
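
The acceptance rule in the proposed text, sketched for a v4 binary-document signature as an added example (not code from this thread or from any OpenPGP implementation). The `verify` callable, the `tolerate_bad_prefix` switch and the sample packet built by `build_sample_sig` are assumptions made for illustration; the public-key check itself is left to the caller.

```python
import hashlib
import struct

HASH_ALGOS = {8: hashlib.sha256, 10: hashlib.sha512}  # OpenPGP hash algorithm IDs

def parse_v4_sig(body: bytes):
    """Split a v4 signature packet body into (hashed_part, stored_prefix)."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature body")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    end_hashed = 6 + hashed_len
    if len(body) < end_hashed + 2:
        raise ValueError("truncated signature body")
    unhashed_len = struct.unpack(">H", body[end_hashed:end_hashed + 2])[0]
    prefix_at = end_hashed + 2 + unhashed_len
    if len(body) < prefix_at + 2:
        raise ValueError("truncated signature body")
    return body[:end_hashed], body[prefix_at:prefix_at + 2]

def compute_digest(document: bytes, hashed_part: bytes) -> bytes:
    """Digest for a binary-document (type 0x00) v4 signature."""
    h = HASH_ALGOS[hashed_part[3]]()
    h.update(document)
    h.update(hashed_part)
    # v4 trailer: 0x04, 0xFF, four-octet length of the hashed part
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed_part)))
    return h.digest()

def check_signature(document, body, verify, tolerate_bad_prefix=True):
    """Return (accepted, prefix_matches); `verify(digest)` is the caller's key check."""
    hashed_part, stored = parse_v4_sig(body)
    digest = compute_digest(document, hashed_part)
    prefix_matches = digest[:2] == stored
    if not prefix_matches and not tolerate_bad_prefix:
        return False, False          # strict policy: reject before the key check
    return bool(verify(digest)), prefix_matches  # lenient: the key check decides

def build_sample_sig(document: bytes, prefix=None) -> bytes:
    """Constructed sample: SHA-256, no subpackets, one dummy MPI (not a real signature)."""
    hashed_part = bytes([4, 0x00, 1, 8]) + struct.pack(">H", 0)
    digest = compute_digest(document, hashed_part)
    return hashed_part + struct.pack(">H", 0) + (prefix or digest[:2]) + b"\x00\x08\xff"
```

Returning `prefix_matches` alongside the verdict lets a caller log or count malformed-but-accepted signatures instead of silently passing them.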