An Open Specification for Pretty Good Privacy (openpgp)

Michael Young | 1 Dec 2000 20:04

Re: Encoding of hash in El-Gamal signatures


The specification already mentions precautions in ElGamal
signature handling, and provides a reference.

The original question is still valid, though, and I'd also
be interested in seeing clarification.  If the specification
includes ElGamal signatures, it should provide sufficient
definition to achieve interoperability.  For other
algorithms, there is a discussion of how the hash is padded
(where applicable) and what the algorithm-specific fields in
the signature should be.  One might guess that the same
PKCS-1 padding scheme should be used, and that the MPIs
should be the "r" (=g^k mod p) and "s" (=(h-r*x)/k mod p)
values, in that order.  Is that right?  Yes, I could use the
GnuPG source as the specification, but that shouldn't be
necessary.

If you want to argue that OpenPGP shouldn't support this
algorithm, and that it should be removed from the
specification entirely, I wouldn't object.

Marc Horowitz | 8 Dec 2000 06:51

Picon

rfc2440bis-02 comments

Many of these comments come from notes I took on rfc2440, so I may
have some section numbers wrong.  I did compare these notes to the
I-D, and I believe all of them are still relevant.

1. Section 5.2 is vague about how to compute signature types 0x30 and
   0x40.  The document should specify over what data to compute the
   hash to be signed.  There was also a comment in the list archives
   about the description of signature type 0x18, which says

	This signature is calculated directly on the subkey itself,
	not on any User ID or other packets.

   This is tremendously misleading, since the signature is actually
   computed on a hash over a prefix, the key packet, the subkey
   packet, and a trailer.  Section 5.2.4 gives a more detailed
   description of how to compute a subkey binding signature.

2. Section 5.2.4 contains another error.  It states

	Key revocation signatures (types 0x20 and 0x28) hash only the
	key being revoked.

   However, analysis of existing implementations indicates that this
   is incorrect for subkey revocation signatures (type 0x28); like
   type 0x18, both the primary key and the subkey are included in the
   hash.

3. Subpacket 23 (key server preferences) is specified to be "found
   only on a self-signature".  It should say if that means a direct
   key signature (which makes the most sense to me), or something

(Continue reading)

Werner Koch | 8 Dec 2000 13:04

Picon

Re: rfc2440bis-02 comments

On Fri, 8 Dec 2000, Marc Horowitz wrote:

> 3. Subpacket 23 (key server preferences) is specified to be "found
>    only on a self-signature".  It should say if that means a direct
>    key signature (which makes the most sense to me), or something

As with many other subpackets there is no clear definition on what
to do and it is left to the implementor to decide this.  From my
understanding it does make sense to handle such things this way:

  * If it is on any direct key signature, use this one (or exactly
    the one on the latest direct key signure.

  * Otherwise take it from the latest self-signature.  

(I have worked out some more rules and checked them with Hal.
Currently I can't access them - please ask me next week, if you are
interested)

> 4. The document is vague on what constitures "advisory information" in
>    a signature subpacket (section 5.2.3).  I believe that unhashed
>    signature subpackets were a mistake (I can expound on this if

No, they make sense.  It may happen that you need to store some meta
information about a signature which you have to calculate after
signature creation. 

However, a big warning about unhashed stuff should be present.

> 5. There should be a note that the critical bit MUST be ignored on

(Continue reading)

David M. Balenson | 11 Dec 2000 23:59

ANNOUNCE: ISOC Netw. & Distr. Sys. Security Symp. (NDSS'01)


                   R E G I S T E R   N O W ! !

THE INTERNET SOCIETY'S
2001 NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS'01) 
February 8-9, 2001
Catamaran Resort Hotel, San Diego, California
General Chair:   Steve Welke, Trusted Computer Solutions
Program Chairs:  Avi Rubin, AT&T Labs - Research
                 Paul Van Oorschot, Entrust Technologies

ONLINE INFORMATION AND REGISTRATION:  http://www.isoc.org/ndss01
EARLY REGISTRATION DISCOUNT DEADLINE:  January 11, 2001

The 8th annual NDSS Symposium brings together researchers,
implementers, and users of network and distributed system security
technologies to discuss today's important security issues and
challenges.  The Symposium provides a mix of technical papers and
panel presentations that describe promising new approaches to
security problems that are practical and, to the extent possible,
have been implemented.  NDSS fosters the exchange of technical
information and encourages the Internet community to deploy available
security technologies and develop new solutions to unsolved problems.

THIS YEAR'S TOPICS INCLUDE:
* IP Traceback
* Authenticating Streamed Data
* ATM Encryption
* Source Authentication for Multicast
* Distributed Certified E-Mail

(Continue reading)

Ian Bell | 12 Dec 2000 11:23

Dash-escaping and the Usenet sig convention


It has been suggested that our mail/news client offer an option to "fix
up" the Usenet sig separator in clear-signed messages to
newsgroups/mailing lists - the problem being that the "-- " gets stuffed
to "- -- " with the result that recipients' clients will no longer
recognize and strip the personal signature in response messages.

The dash-escaping leads to complaints about clear-signed messages to
some groups and some users have taken to removing the dash-escaping by
hand. Although this breaks RFC2440, (NAI)PGP clients still seem to
correctly "de-escape" the message and verify the PGP signature.

The question is, how do openPGP clients cope with such messages and what
do other client vendors think about this? Since [open]PGP clients only
need to be able to correctly parse nested ASCII-armored header lines,
and these all begin with five hyphens, it would be possible to make an
exception for lines such as "-- " when doing the dash-escaping.

Munging the "- -- " back to "-- " does seem to yield benefits in inter-
operability (for the sig-sep convention) and acceptability of PGP-signed
messages, but it is important that it doesn't break inter-operability
between PGP clients.

Should RFC2440bis be updated to mention this? Do any existing clients
fall over by spotting that some lines are escaped at the "wrong" depth?

--

-- 
Ian Bell                                           T U R N P I K E

(Continue reading)

Werner Koch | 12 Dec 2000 13:53

Picon

Re: Dash-escaping and the Usenet sig convention

On Tue, 12 Dec 2000, Ian Bell wrote:

> newsgroups/mailing lists - the problem being that the "-- " gets stuffed
> to "- -- " with the result that recipients' clients will no longer

The preferred way to encapsulate OpenPGP messages in mail is by using
MIME as defined in RFC2015.  No need for the old fashioned cleartext
signing.

> The question is, how do openPGP clients cope with such messages and what

It is a matter of the MUA to handle this right.  Mutt for example
does remove the dash escaping even when it does not verify the
signature.

  Werner

Jon Callas | 12 Dec 2000 17:06

Re: Dash-escaping and the Usenet sig convention

In our last episode ("Re: Dash-escaping and the Usenet sig convention",
shown on 12/12/00), Werner Koch said:

>The preferred way to encapsulate OpenPGP messages in mail is by using
>MIME as defined in RFC2015.  No need for the old fashioned cleartext
>signing.
>

I disagree completely. The correct way to encapsulate messages is with
cleartext. I often delete PGP-MIME messages without reading them because
it's such a pain to deal with them. I commonly use five different mail
readers on four different OSes, and none of them do PGP-MIME reliably.
That's Eudora on Mac and Windows, Outlook on Windows, Netscape and Pine on
Linux and OSX. The biggest pain is on Windows, where it's hard to scrape up
the attachment to put it in a text editor.

>> The question is, how do openPGP clients cope with such messages and what
>
>It is a matter of the MUA to handle this right.  Mutt for example
>does remove the dash escaping even when it does not verify the
>signature.

I agree that this is a MUA and newsreader issue. They should parse out the
quoting. The dash-escape may be ugly, but it's been a part of PGP since day
2, if not day 1.

	Jon

Ian Bell | 12 Dec 2000 17:42

Re: Dash-escaping and the Usenet sig convention


On Tue, 12 Dec 2000, Werner Koch <wk <at> gnupg.org> wrote:
>On Tue, 12 Dec 2000, Ian Bell wrote:
>
>> newsgroups/mailing lists - the problem being that the "-- " gets stuffed
>> to "- -- " with the result that recipients' clients will no longer
>
>The preferred way to encapsulate OpenPGP messages in mail is by using
>MIME as defined in RFC2015.

In an ideal world, PGP/MIME would be the only way anyone would send PGP
in email...

>  No need for the old fashioned cleartext
>signing.

...however, the reality is that most clients (in terms of numbers
deployed) seem not to be able to cope.

We have been asked to munge the dash-stuffed clear text as in practice
the use of PGP/MIME signed messages causes more complaints than clear-
signed messages, but clear-signing messages causes complaints about
broken sig-seps 

>> The question is, how do openPGP clients cope with such messages and what
>
>It is a matter of the MUA to handle this right.  Mutt for example
>does remove the dash escaping even when it does not verify the
>signature.

(Continue reading)

L. Sassaman | 15 Dec 2000 12:11

Re: rfc2440bis-02 comments


Marc mentioned 5.2.3.17 (Key server preferences) and that reminded me of a
suggestion I wanted to make.

One of the major complaints I hear about PGP key servers is the inability
to delete keys once they are sent to the server. I'd like to request the
addition of two new flags for subpacket 23:

    0x40 = Disabled
    the key holder requests that this key not be returned upon
    a search of the key server.

    0x60 = Enabled
    the key holder requests that this key be returned upon a
    search of the key server.

Keys bearing the disabled flag would either reside on the key server and
never be returned in a search (except perhaps to the administrator), or
they would be immediately deleted upon receipt by the key server.

(The reason for the enabled flag is to reverse the effects of the disabled
flag at a later date. And of course, if neither the disabled not the
enabled flags are set, keys are implicitly enabled.)

__

L. Sassaman

Security Architect             |  "The world's gone crazy,
Technology Consultant          |   and it makes no sense..."

(Continue reading)

Dave Del Torto | 15 Dec 2000 23:22

Re: rfc2440bis-02 comments

At 3:11 am -0800 2000-12-15, L. Sassaman wrote:
>One of the major complaints I hear about PGP key servers is the inability
>to delete keys once they are sent to the server. I'd like to request the
>addition of two new flags for subpacket 23:
>
>     0x40 = Disabled
>     the key holder requests that this key not be returned upon
>     a search of the key server.
>
>     0x60 = Enabled
>     the key holder requests that this key be returned upon a
>     search of the key server.
>
>Keys bearing the disabled flag would either reside on the key server and
>never be returned in a search (except perhaps to the administrator), or
>they would be immediately deleted upon receipt by the key server.

Len,

I'm intrigued by your idea of "disabling" keys as a solution to this
problem. I think it could be a useful addition, even with the
questions it raises.

If the intent is to allow a Alice to effectively Remove her public
key -- even if the keyserver's policy/software doesn't allow her to
Delete it -- then I think this is useful. Of course, this presumes
that Alice still retains her ability to modify the public key.

However, if the intent is to "mask" the presence of Bob's key on the
keyserver in lieu of Deleting it, it's hard to see what sort of

(Continue reading)

Group

gmane.ietf.openpgp.

Search Archive

Page

1 | 2 | 3 | 4

Articles in period: 34

December 2000

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Timestamping (3 May 2013)
OpenPGPv5 wish list (29 Apr 2013)
Biggest Fake Conference in Computer Science (27 Apr 2013)
primary key binding signatures (0x19) for non-signing subkeys (12 Mar 2013)
marking subkeys as constrained for specific use -- new key usage flags (5 Mar 2013)
keyserver protocol (3 Jan 2013)
Secret key checksum (3 Jan 2013)
Fingerprints and their collisions resistance (3 Jan 2013)
Last call for ECC in OpenPGP (13 Mar 2012)
Review of draft-ecc-09 (18 Feb 2012)
MIME media type literal packet in OpenPGP (11 Mar 2011)
DEADBEEF vs SHA1 (17 Feb 2011)
Support RSA-PSS? (31 Aug 2010)
SERPENT in OpenPGP? (26 Aug 2010)
Certification/self-signatures (14 Aug 2010)
ElGamal, EME-PKCS1-v1_5 (24 Jun 2010)
S2K Question (1 Apr 2010)
Question about verifying signatures (30 Mar 2010)
Better S2K functions for OpenPGP? (13 Dec 2009)
Better S2K functions for OpenPGP? (9 Dec 2009)
openpgplint: encouraging best practices for OpenPGP keys today (12 Jun 2009)

Archives

9	May 2013
6	April 2013
11	March 2013
43	January 2013
5	March 2012
5	February 2012
5	March 2011
13	February 2011
30	January 2011
4	September 2010
25	August 2010
4	June 2010
1	April 2010
5	March 2010
14	December 2009
3	October 2009
11	June 2009
60	May 2009
8	April 2009
2	March 2009
62	February 2009
52	January 2009
1	December 2008
1	September 2008
20	August 2008
16	July 2008
14	June 2008
31	May 2008
40	April 2008
68	March 2008
22	February 2008
41	January 2008
1	December 2007
72	November 2007
26	October 2007
1	September 2007
6	July 2007
1	June 2007
26	May 2007
52	April 2007
34	March 2007
1	February 2007
17	January 2007
4	December 2006
7	October 2006
20	September 2006
11	August 2006
32	July 2006
10	June 2006
13	May 2006
23	April 2006
64	March 2006
49	February 2006
32	January 2006
68	December 2005
47	November 2005
63	October 2005
102	September 2005
100	August 2005
49	July 2005
13	June 2005
53	May 2005
47	April 2005
36	March 2005
101	February 2005
73	January 2005
6	December 2004
4	November 2004
51	October 2004
1	September 2004
17	August 2004
2	June 2004
13	May 2004
36	April 2004
101	March 2004
23	February 2004
38	January 2004
41	December 2003
16	November 2003
54	October 2003
3	September 2003
31	August 2003
66	July 2003
72	June 2003
51	May 2003
30	April 2003
121	March 2003
7	February 2003
39	January 2003
1	December 2002
11	November 2002
11	October 2002
81	September 2002
57	August 2002
16	July 2002
5	June 2002
75	May 2002
154	April 2002
6	March 2002
46	February 2002
51	January 2002
26	December 2001
37	November 2001
19	October 2001
50	September 2001
131	August 2001
42	July 2001
7	June 2001
17	May 2001
53	April 2001
62	March 2001
47	February 2001
48	January 2001
34	December 2000
25	November 2000
45	October 2000
13	September 2000
29	August 2000
78	July 2000
65	June 2000
56	May 2000
18	April 2000
30	March 2000
9	February 2000
55	January 2000
26	December 1999
15	November 1999
25	October 1999
11	September 1999
11	August 1999
58	July 1999
37	June 1999
58	May 1999
105	April 1999
47	March 1999
34	February 1999
37	January 1999
23	December 1998
10	November 1998
16	October 1998
96	September 1998
10	August 1998
157	July 1998
121	June 1998
110	May 1998
94	April 1998
201	March 1998
30	February 1998
62	January 1998
136	December 1997
372	November 1997
363	October 1997
127	September 1997
71	August 1997
12	July 1997
1	February 1997

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template