Re: Signature calculation language
Jon Callas <jon@callas.org> Tue, 11 October 2005 20:57 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EPRBI-0004kj-BP for openpgp-archive@megatron.ietf.org; Tue, 11 Oct 2005 16:57:04 -0400
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA03725 for <openpgp-archive@lists.ietf.org>; Tue, 11 Oct 2005 16:57:00 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j9BKj3cm030937; Tue, 11 Oct 2005 13:45:03 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j9BKj3nj030936; Tue, 11 Oct 2005 13:45:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j9BKj2wc030930 for <ietf-openpgp@imc.org>; Tue, 11 Oct 2005 13:45:02 -0700 (PDT) (envelope-from jon@callas.org)
Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Tue, 11 Oct 2005 13:44:55 -0700
Received: from [216.102.208.14] ([216.102.208.14]) by keys.merrymeet.com (PGP Universal service); Tue, 11 Oct 2005 13:44:55 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Tue, 11 Oct 2005 13:44:55 -0700
In-Reply-To: <20051005211158.EEB1457EF9@finney.org>
References: <20051005211158.EEB1457EF9@finney.org>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <AEB5B24B-A49E-40F7-8BA3-6B5BB475EBFB@callas.org>
Cc: ietf-openpgp@imc.org
Content-Transfer-Encoding: 7bit
From: Jon Callas <jon@callas.org>
Subject: Re: Signature calculation language
Date: Tue, 11 Oct 2005 13:44:53 -0700
To: Hal Finney <hal@finney.org>
X-Mailer: Apple Mail (2.734)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit
On 5 Oct 2005, at 2:11 PM, Hal Finney wrote: > > Some of the language in the draft about signature calculations is > confusing and misleading. The brief descriptions in 5.2.1 Signature > Types are contradicted by 5.2.4 Computing Signatures. > > We should make clear that 5.2.4 is authoritative. I suggest that > we add > to the beginning of 5.2.1, "See section 5.2.4 for detailed information > on how to compute and verify signatures of each type." > Added. > Particular problems: > > 0x18: Subkey Binding Signature > This signature is a statement by the top-level signing key > that > indicates that it owns the subkey. This signature is > calculated > directly on the subkey itself, not on any User ID or other > packets. A signature that binds a signing subkey also has an > embedded signature subpacket in this binding signature which > contains a 0x19 signature made by the signing subkey on the > primary key. > > The signature is actually calculated over both the primary key and > subkey packets, although here it says it is not calcualted over any > other packets. > > (A separate issue is that the last sentence here should have a SHOULD: > "A signature that binds a signing subkey SHOULD have an embedded...") > Done. > 0x19 Primary Key Binding Signature > This signature is a statement by a signing subkey, indicating > that it is owned by the primary key. This signature is > calculated directly on the primary key itself, and not on any > User ID or other packets. > > Same issue here, the signature is calculated over both the primary key > and the subkey packets. > > 0x28: Subkey revocation signature > The signature is calculated directly on the subkey being > revoked. A revoked subkey is not to be used. Only revocation > signatures by the top-level signature key that is bound to > this > subkey, or by an authorized revocation key, should be > considered > valid revocation signatures. > > This is actually correct, I guess (I don't think PGP supports > subpacket > revocation signatures). According to 5.2.4 the hash is over just the > subkey packet and does not include the primary key packet, unlike > ordinary > subkey signatures. That seems a little inconsistent to me - is > this how > other people have implemented it? > > A couple of comments on section 5.2.4: > > When a signature is made over a signature packet, the hash data > starts with the octet 0x88, followed by the four-octet length > of the > signature, and then the body of the signature packet. The unhashed > subpacket data of the signature packet being hashed is not > included > in the hash and the unhashed subpacket data length value is set to > zero. (Note that this is an old-style packet header for a > signature > packet with the length-of-length set to zero). > > The parenthetical note at the end should go after the first sentence. > Done. > For consistency with other descriptions in this section, we should > refer > explicitly here to the Third-Party Confirmation Signature, type 0x50, > which I think is the only one for which this description applies. > Done. > One thing that is missing in these two sections is a clear > statement that > certificate revocation signatures are calculated over the same data > as the > certificate being revoked. 5.2.1 just says: > > 0x30: Certification revocation signature > This signature revokes an earlier User ID certification > signature (signature class 0x10 through 0x13) or direct-key > signature (0x1F). It should be issued by the same key that > issued the revoked signature or an authorized revocation key. > The signature should have a later creation date than the > signature it revokes. > > with no comments about what it is computed over, and 5.2.4 doesn't > clearly > describe this case either. We could change that last sentence to say, > "The signature is computed over the same data as the certificate that > it revokes, and should have a later creation date than that > certificate." > Done. > I am also not in love with the classic description of document > signatures > in 5.2.4: > > The signature data is simple to compute for document signatures > (types 0x00 and 0x01), for which the document itself is the data. > > First, it is presumptuous and uninformative to say something is > simple. > "The document itself is the data" has a certain Zen koan quality > but does > not plainly say what it means. And this fails to distinguish between > text and binary signatures; for text signatures, the document > itself is > not the (hashed) data, but rather the canonicalized document. > > How about this: > > "For binary document signatures (type 0x00), the document data is > hashed > directly. For text document signatures (type 0x01), the document is > canonicalized by converting line endings to <CR><LF>, and the > resulting > data is hashed." Done. Jon
- Signature calculation language "Hal Finney"
- Re: Signature calculation language Daniel A. Nagy
- Re: Signature calculation language Jon Callas
- Re: Signature calculation language David Shaw
- Re: Signature calculation language "Hal Finney"
- Re: Signature calculation language Daniel A. Nagy
- Re: Signature calculation language David Shaw
- Re: Signature calculation language Werner Koch
- Re: Signature calculation language Jon Callas
- Re: Signature calculation language Jon Callas