Nickolay L. | 11 Oct 2006 12:21

Multiple signatures over a document


Hi!

I cannot resolve, how to correctly calculate multiple signatures over
the document. I'm hashing entire document body + beginning of
signature (as described in 2440), and everything is ok.
But, when I'm producing two old-style signatures :
1) GnuPG checks only the first one, and says that it's ok
2) PGP 8.1 checks both, but says that first one is invalid, and the
second is ok

Producing two new-style signatures (with one-pass signature packets),
getting :
1) GnuPG checks both, and says that they're correct.
2) PGP 8.1 checks both, and says that first is invalid, and second one
is valid.

It seems, that PGP calculates the signature over the whole document +
bodies of other signatures.

But from 2440 it seems, that signed hash must not include other
signatures.

Please, anybody can clearly describe, what behavior is correct?

And, maybe, such situation must be described in 2440?

--
  Best regards,Nickolay mailto:<ni4 <at> ukr.net>
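
Added example (not part of the thread and not any poster's code): under the reading of 2440 given in the post above, each signature's digest covers the document plus only that signature's own hashed fields and trailer, so both signatures can be finished from one pass over the data. It assumes V4 binary-document signatures with a single creation-time subpacket; the document bytes, timestamps and function names are constructed for illustration.

```python
import hashlib
import struct

# OpenPGP hash algorithm IDs -> hashlib names (subset).
HASHES = {2: "sha1", 8: "sha256"}

def v4_hashed_fields(sig_type, pub_algo, hash_algo, created):
    """Version through hashed subpackets of a V4 signature packet body."""
    # One hashed subpacket: length 5, type 2 (signature creation time).
    sub = b"\x05\x02" + struct.pack(">I", created)
    return bytes([4, sig_type, pub_algo, hash_algo]) + struct.pack(">H", len(sub)) + sub

def v4_trailer(fields):
    """Final trailer: 0x04, 0xFF, 4-byte big-endian length of the hashed fields."""
    return b"\x04\xff" + struct.pack(">I", len(fields))

def digest_alone(document, fields):
    """Digest for one signature, computed as if it were the only one."""
    h = hashlib.new(HASHES[fields[3]])
    h.update(document + fields + v4_trailer(fields))
    return h.digest()

def digests_one_pass(chunks, all_fields):
    """Stream the document once, then finish one context per signature."""
    # One running context per hash algorithm announced by the one-pass packets.
    running = {f[3]: hashlib.new(HASHES[f[3]]) for f in all_fields}
    for chunk in chunks:
        for ctx in running.values():
            ctx.update(chunk)
    out = []
    for f in all_fields:
        ctx = running[f[3]].copy()  # copy, so no other signature's bytes leak in
        ctx.update(f + v4_trailer(f))
        out.append(ctx.digest())
    return out

def bracket_order(n):
    """One-pass packet index matching each trailing signature packet, in order."""
    return list(range(n - 1, -1, -1))

# Constructed sample: two signers, binary-document signatures (type 0x00).
DOC = b"constructed sample document\n"
SIG_A = v4_hashed_fields(0x00, 17, 2, 1160562110)  # DSA, SHA-1
SIG_B = v4_hashed_fields(0x00, 1, 2, 1160562111)   # RSA, SHA-1

if __name__ == "__main__":
    for d in digests_one_pass([DOC[:10], DOC[10:]], [SIG_A, SIG_B]):
        print(d.hex())
```

With one-pass packets the signature packets bracket the message, so for two signers the first signature packet after the data belongs to the second one-pass packet; `bracket_order` returns that pairing.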


Jon Callas | 11 Oct 2006 21:42

Re: Multiple signatures over a document


> I cannot resolve, how to correctly calculate multiple signatures over
> the document. I'm hashing entire document body + beginning of
> signature (as described in 2440), and everything is ok.
> But, when I'm producing two old-style signatures :
> 1) GnuPG checks only the first one, and says that it's ok
> 2) PGP 8.1 checks both, but says that first one is invalid, and the
> second is ok
>
> Producing two new-style signatures (with one-pass signature packets),
> getting :
> 1) GnuPG checks both, and says that they're correct.
> 2) PGP 8.1 checks both, and says that first is invalid, and second one
> is valid.
>
> It seems, that PGP calculates the signature over the whole document +
> bodies of other signatures.
>
> But from 2440 it seems, that signed hash must not include other
> signatures.
>
> Please, anybody can clearly describe, what behavior is correct?
>
> And, maybe, such situation must be described in 2440?

Could you provide a sample document to show the issue?

	Jon


Nickolay L. | 12 Oct 2006 17:53

Re[2]: Multiple signatures over a document


Hello Jon,

JC> Could you provide a sample document to show the issue?

I've sent it privately. Do you have any ideas 'bout?

--
  Best regards,Nickolay mailto:<ni4 <at> ukr.net>

Nickolay L. | 13 Oct 2006 10:51

Re[2]: Multiple signatures over a document


Hello Jon,

JC> Could you provide a sample document to show the issue?
Hm, I've sent files as soon as you sent first request.
Maybe, there were some problems with mail server.
Here is second attempt :

1) two example keypairs (password for both is 'password').
2) encrypted and signed file without one-pass entities
3) encrypted and signed file with one-pass entities


Sam Hartman | 17 Oct 2006 20:40

Re: OpenPGP question


Hi.

I'm sorry it has taken me so long to get back to this.  I wanted to
make sure I thoroughly understood the MDC in 2440bis and also wanted
to talk with Russ and other security experts.

I've convinced myself that the MDC's use of sha-1 is probably OK.
However algorithm agility is an absolute requirement.  The document
needs to clearly articulate a strategy for upgrading the algorithm
used by the MDC and to explain how clients can detect support for this
algorithm if asymmetric keys are involved.  I was going to ask for the
ability to include multiple MDC packets to support phased upgrades,
but Russ convinced me that this is not necessary.

Also, I would like to ask you to submit the section of your document
describing the MDC to the CFRG for their review.  I suspect they are
not going to like it much, but we need to give them a chance to find
any huge show stoppers.

So, I'm asking for the following specific actions:

1) Document your algorithm upgrade strategy.

2) Ask for a CFRG review 

--Sam

vedaal | 19 Oct 2006 19:10

Re: Multiple signatures over a document


On Wed, 11 Oct 2006 06:21:50 -0400 "Nickolay L." <ni4 <at> ukr.net> wrote:

>I cannot resolve, how to correctly calculate multiple signatures over
>the document. I'm hashing entire document body + beginning of
>signature (as described in 2440), and everything is ok.
>But, when I'm producing two old-style signatures :
>1) GnuPG checks only the first one, and says that it's ok
>2) PGP 8.1 checks both, but says that first one is invalid, and the
>second is ok
>
>Producing two new-style signatures (with one-pass signature packets),
>getting :
>1) GnuPG checks both, and says that they're correct.
>2) PGP 8.1 checks both, and says that first is invalid, and second one
>is valid.
>
>It seems, that PGP calculates the signature over the whole document +
>bodies of other signatures.
>
>But from 2440 it seems, that signed hash must not include other
>signatures.
>

Nickolay L. | 19 Oct 2006 20:09

Re[2]: Multiple signatures over a document


Hello vedaal,

vhc> do not know what is 'correct',
vhc> but do know what is *compatible*

vhc> using the sample keypairs that were posted here,
vhc> here is an example of a message signed by both sample keys, and 
vhc> encrypted to one of them,
vhc> with both signatures verifiable as 'good'
vhc> by both gnupg and pgp :

Thank you for your investigations, I'll look over the resulting file with our
implementation (SBB).

vhc> afaik,
vhc> gnupg is the only open-pgp implementation that can produce multiple 
vhc> simultaneous signatures

vhc> in order for other implementations to do so too,
vhc> there should be some clear directions in rfc 2440 as to how to do 
vhc> so in a way that would be compatible to all open-pgp programs
Yes, I also think that this situation must be reviewed in 2440.

--
  Best regards,Nickolay mailto:<ni4 <at> ukr.net>

