From owner-ietf-openpgp@mail.imc.org  Fri Aug  1 11:47:05 2003
Message-ID: <000701c35841$01833380$2ac52609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com>
Subject: Re: Clarification needed on compressed messages
Date: Fri, 1 Aug 2003 11:24:30 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derek Atkins wrote:
> I believe it is the intent, and in the SIG+(COMPRESSED(LITERAL) the
> SIG should be issued over the COMPRESSED(LITERAL).  The only special
> case that I know of is SIG+LITERAL, where the SIG is over the data
> inside the literal and doesn't include the literal packet itself.

to which "David Shaw" <dshaw@jabberwocky.com> responds:
> This sounds very reasonable to me.  I think a word or two to make that
> clear in the draft would be helpful: something that indicates that

I have mixed feelings about Derek's interpretation, but if that's
the intent, then I agree with David that this must be made clear
in the draft.  There is definitely a special case here.

Why mixed feelings?  On the one hand, I don't like special cases.  I
also find it surprising that one would want to sign the COMPRESSED
packet.  (It's less to hash, but that hardly seems meaningful.)
On the other hand, it is a little disturbing that the LITERAL
packet headers are ignored, and including them in the signature (by
way of hashing the entire COMPRESSED packet) would overcome that
deficiency.

Note that both of my concerns could be addressed by a different rule
that has no special case: the signature hash is computed over the
CONTENTS of the FOLLOWING packet (*not* recursively).  In the original
PGP case, this would be the contents of the literal packet.  In the
COMPRESSED(LITERAL(x)) case, it would be the LITERAL(x).  [One could
use an "uncompressed" COMPRESSED packet to intentionally capture the
LITERAL header information.]

Whatever we do, I expect that
    ONEPASS COMPRESSED(LITERAL(x)) SIGNATURE
would be treated the same as
    OLD-SIG COMPRESSED(LITERAL(x))
Reasonable?

Of course, adopting the "be liberal in what you accept" principle, an
implementation *could* do parallel hashes against all of these
possibilities, and report what got signed :-).

Before passing final judgement, I'd be curious to know what the
known implementation that uses SIG+COMPRESSED(LITERAL(x)) did
with the construct?  What did it sign?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPyqGHec3iHYL8FknEQLQKgCg9eogHTyrFk+G2/eov95/ThLCit0An3ce
UflAjBQJLf3j45hrL8wfA9yx
=Clak
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Fri Aug  1 13:12:19 2003
Date: Fri, 1 Aug 2003 12:51:59 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Clarification needed on compressed messages
Message-ID: <20030801165159.GI27440@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <000701c35841$01833380$2ac52609@transarc.ibm.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (10% of Full)
User-Agent: Mutt/1.5.4i


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Aug 01, 2003 at 11:24:30AM -0400, Michael Young wrote:

> Derek Atkins wrote:
> > I believe it is the intent, and in the SIG+(COMPRESSED(LITERAL) the
> > SIG should be issued over the COMPRESSED(LITERAL).  The only special
> > case that I know of is SIG+LITERAL, where the SIG is over the data
> > inside the literal and doesn't include the literal packet itself.
> 
> to which "David Shaw" <dshaw@jabberwocky.com> responds:
> > This sounds very reasonable to me.  I think a word or two to make that
> > clear in the draft would be helpful: something that indicates that
> 
> I have mixed feelings about Derek's interpretation, but if that's
> the intent, then I agree with David that this must be made clear
> in the draft.  There is definitely a special case here.
> 
> Why mixed feelings?  On the one hand, I don't like special cases.  I
> also find it surprising that one would want to sign the COMPRESSED
> packet.  (It's less to hash, but that hardly seems meaningful.)

It's not just signing the COMPRESSED packet.  Using Derek's
interpretation, you can also do possibly useful things as
sign-encrypt-sign or encrypt-sign-encrypt a message and have the
parser handle it automatically.

The special case (and I agree it is a special case) doesn't bother me
too much.  I agree it would have been nice if the signature had always
been over the complete literal packet, headers and all, but history
ruled otherwise.

It is not terribly complicated to say "always hash the complete
OpenPGP object unless it is a literal packet, in which case hash the
contents".  As you point out, if an implementation wanted to force
signing the complete literal packet, it could just encapsulate the
literal packet into a compressed data packet.

> On the other hand, it is a little disturbing that the LITERAL
> packet headers are ignored, and including them in the signature (by
> way of hashing the entire COMPRESSED packet) would overcome that
> deficiency.
> 
> Note that both of my concerns could be addressed by a different rule
> that has no special case: the signature hash is computed over the
> CONTENTS of the FOLLOWING packet (*not* recursively).  In the original
> PGP case, this would be the contents of the literal packet.  In the
> COMPRESSED(LITERAL(x)) case, it would be the LITERAL(x).  [One could
> use an "uncompressed" COMPRESSED packet to intentionally capture the
> LITERAL header information.]

This seems a bit like simplifying the hashing rule by adding
complexity somewhere else.  For starters, we would lose the current
ability to do encrypt-sign-encrypt (the signature would become
effectively a detached signature over the encrypted data) and
sign-encrypt-sign (the outer signature would become a notary signature
in effect).

I suppose the user could create
LITERAL(SIGN(ENCRYPT(SIGN(LITERAL(x))))) or
LITERAL(ENCRYPT(SIGN(ENCRYPT(LITERAL(x))))) and sign that, but we're
getting complex again since the parser shouldn't be looking inside a
*literal* packet for more OpenPGP data to parse.

> Whatever we do, I expect that
>     ONEPASS COMPRESSED(LITERAL(x)) SIGNATURE
> would be treated the same as
>     OLD-SIG COMPRESSED(LITERAL(x))
> Reasonable?

I agree, but on the subject of the SIG+LITERAL (or SIG+OPENPGPOBJECT)
format, I'd actually like to see it deprecated (in the "understand
this, but please don't generate it" sense).  The ONEPASS signature
method is far superior, and we can at least start the slow process of
getting all implementations to use it.

The ONEPASS method can also easily handle such constructions as
ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.

> Before passing final judgement, I'd be curious to know what the
> known implementation that uses SIG+COMPRESSED(LITERAL(x)) did
> with the construct?  What did it sign?

It signed COMPRESSED(LITERAL(x)) - the whole packet.  Note also that
PGP can correctly verify such a message, so Derek's interpretation is
supported by working code... though possibly because Derek worked on
the PGP parser at one point. ;)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8qmq8ACgkQ4mZch0nhy8lMvQCgpWjFDvsaBIuDtyNGu/zeFQXI
7wkAn3995O7VDr4SnG1M9IneUfpGgRe6
=GGO2
-----END PGP SIGNATURE-----
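
Added illustration, not code from any participant in this thread or from PGP or GnuPG: a Python sketch of the two hashing rules debated above, showing which octets each rule would feed to the signature hash for SIG+LITERAL and SIG+COMPRESSED(LITERAL). The helper names, filenames and sample data are constructed, the reading of the "contents" rule for literal packets is an assumption, and the signature trailer that a real implementation also hashes is left out.

```python
import hashlib
import zlib

TAG_COMPRESSED, TAG_LITERAL = 8, 11


def new_packet(tag, body):
    """Encode a new-format packet: tag octet, one- or five-octet length, body."""
    n = len(body)
    length = bytes([n]) if n < 192 else b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def literal(filename, data):
    """Literal packet body: format, filename length, filename, 4-octet date, data."""
    name = filename.encode()
    return new_packet(TAG_LITERAL, b"b" + bytes([len(name)]) + name + bytes(4) + data)


def compressed(inner, algo):
    """Compressed packet around `inner`; algo 0 = uncompressed, 2 = ZLIB."""
    if algo not in (0, 2):
        raise ValueError("this sketch only builds algorithms 0 and 2")
    payload = inner if algo == 0 else zlib.compress(inner)
    return new_packet(TAG_COMPRESSED, bytes([algo]) + payload)


def parse_packet(buf):
    """Return (tag, body, total_length) of the first packet in buf."""
    first = buf[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new-format header
        tag, l0 = first & 0x3F, buf[1]
        if l0 < 192:
            hdr, n = 2, l0
        elif l0 < 224:
            hdr, n = 3, ((l0 - 192) << 8) + buf[2] + 192
        elif l0 == 255:
            hdr, n = 6, int.from_bytes(buf[2:6], "big")
        else:
            raise ValueError("partial body lengths not handled here")
    else:                                             # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        size = (1, 2, 4)[ltype]
        hdr, n = 1 + size, int.from_bytes(buf[1:1 + size], "big")
    if hdr + n > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[hdr:hdr + n], hdr + n


def literal_data(body):
    """Data of a literal packet, without format octet, filename and date."""
    return body[2 + body[1] + 4:]


def decompress(body):
    """Packets carried inside a compressed data packet body."""
    algo, data = body[0], body[1:]
    if algo == 0:
        return data
    if algo == 1:
        return zlib.decompress(data, -15)             # ZIP is raw deflate
    if algo == 2:
        return zlib.decompress(data)
    raise ValueError("unsupported compression algorithm")


def signed_octets_object(pkt):
    """Hash the complete object, unless it is a literal packet: then its data."""
    tag, body, total = parse_packet(pkt)
    return literal_data(body) if tag == TAG_LITERAL else pkt[:total]


def signed_octets_contents(pkt):
    """Alternative rule: hash the contents of the following packet, not recursively."""
    tag, body, _ = parse_packet(pkt)
    if tag == TAG_LITERAL:
        return literal_data(body)
    return decompress(body) if tag == TAG_COMPRESSED else body


def digest(data):
    return hashlib.sha256(data).digest()


def which_rule(pkt, expected):
    """Parallel check: names of the rules whose digest equals `expected`."""
    rules = {"whole-object": signed_octets_object, "contents": signed_octets_contents}
    return [name for name, rule in rules.items() if digest(rule(pkt)) == expected]


# Constructed sample: the same data under two different literal filenames.
X = b"quarterly figures\n"
LIT_A = literal("report.txt", X)
LIT_B = literal("renamed.txt", X)
```

Under the whole-object rule the digest depends on the exact compressed octets, so a message that is decompressed and recompressed in transit no longer verifies; under the contents rule it still would.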


From owner-ietf-openpgp@mail.imc.org  Fri Aug  1 14:09:04 2003
Message-ID: <001a01c35854$53754f80$2ac52609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com>
Subject: Re: Clarification needed on compressed messages
Date: Fri, 1 Aug 2003 13:42:47 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"David Shaw" <dshaw@jabberwocky.com> writes:
> It's not just signing the COMPRESSED packet.  Using Derek's
> interpretation, you can also do possibly useful things as
> sign-encrypt-sign or encrypt-sign-encrypt a message and have the
> parser handle it automatically.
...
> I suppose the user could create
> LITERAL(SIGN(ENCRYPT(SIGN(LITERAL(x))))) or
> LITERAL(ENCRYPT(SIGN(ENCRYPT(LITERAL(x))))) and sign that, but we're
> getting complex again since the parser shouldn't be looking inside a
> *literal* packet for more OpenPGP data to parse.

I'd use COMPRESSED (with no compression) here instead, which
generally are parsed for other packets.  But, I agree that this
looks messy for SES or ESE applications.

I can live with the special case.  (The fact that the new
implementation conformed to Derek's rule provides further persuasion.)

> I agree, but on the subject of the SIG+LITERAL (or SIG+OPENPGPOBJECT)
> format, I'd actually like to see it deprecated (in the "understand
> this, but please don't generate it" sense).  The ONEPASS signature
> method is far superior, and we can at least start the slow process of
> getting all implementations to use it.

I concur.

> The ONEPASS method can also easily handle such constructions as
> ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.

Only for non-signature OBJECTs.

I'd rather not complicate the rules any further to allow this
construction.  (It is not permitted now.)

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPyqmjuc3iHYL8FknEQJq/gCcD7g29C4DxhPxYL2T8R1wRyrH/w0AnAl9
I9Pmkrp6sXv4nq8gU0XstLVX
=D06R
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Fri Aug  1 15:51:40 2003
Date: Fri, 1 Aug 2003 15:27:29 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Cc: Michael Young <mwy-opgp97@the-youngs.org>
Subject: Re: Clarification needed on compressed messages
Message-ID: <20030801192728.GK27440@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org,
	Michael Young <mwy-opgp97@the-youngs.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com> <001a01c35854$53754f80$2ac52609@transarc.ibm.com>
In-Reply-To: <001a01c35854$53754f80$2ac52609@transarc.ibm.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Aug 01, 2003 at 01:42:47PM -0400, Michael Young wrote:

> > The ONEPASS method can also easily handle such constructions as
> > ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.
> 
> Only for non-signature OBJECTs.

True.  There would have to be some encapsulation in that case, perhaps
using your compressed packet suggestion:
ONEPASS+COMPRESSED(SIG)+SIG.

> I'd rather not complicate the rules any further to allow this
> construction.  (It is not permitted now.)

It's not clear whether it is permitted now or not.

The general question of multiple packets (whether in a one-pass
signature, compressed data packet, or encrypted data packet) is
somewhat hazy in the draft.  Speaking only about literal packets for
now, sections 5.6, 5.7, and 5.13 all say yes (using the plural
"literal data packets").  Section 10.2 says no.

I actually requested a clarification whether LITERAL+LITERAL was valid
a few weeks ago: http://www.imc.org/ietf-openpgp/mail-archive/msg05537.html

The reason why I was thinking about LITERAL+LITERAL in the first place
was Jon Callas' comments about OpenPGP as an archival primitive.  It
would be Very Useful to be able to store more than one file into a
single OpenPGP message.  I don't think OpenPGP should be setting out
to replace tar or zip, but it's handy nonetheless.  An archive program
with strong encryption whose results can be de-archived with any
OpenPGP program is compelling.

Note that both PGP and GnuPG already do the right thing with
ENCRYPTED(LITERAL+LITERAL) messages.

Google says Hal Finney argued for this interpretation in 2000:
 http://cert.uni-stuttgart.de/archive/ietf-openpgp/2000/05/msg00032.html

All that said, I think that LITERAL+LITERAL should probably be legal,
but either way, the draft shouldn't say both yes and no.

Come to think, your suggestion of using a compressed data packet to
encapsulate could be useful here as well:
ENCRYPTED(COMPRESSED(LITERAL+LITERAL)).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8qvyAACgkQ4mZch0nhy8mQHgCdGDPXUDnlZqvzdH6eqg0/IhUP
LFIAn27XCXC/+sxIFjQgesBpX2h57Pmf
=53vx
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Fri Aug  1 17:25:58 2003
Date: Fri, 1 Aug 2003 17:00:54 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Location of 'key expiration time' signature subpacket
Message-ID: <20030801210054.GN27440@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <127733008.1058276254@ABC1234567890>
In-Reply-To: <127733008.1058276254@ABC1234567890>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 15, 2003 at 01:37:34PM -0400, Edwin Woudt wrote:
> 
> While implementing key expiration, I noticed that the 'key expiration time' 
> signature subpacket (#9) is put in self certification signatures instead of 
> in (self signed) direct key signature.
> 
> Why is that?
> 
> I find it more logical to put it in a direct key signature, as it says 
> nothing about the user id that is self signed. In fact, given multiple user 
> id's, putting it in self certification signatures could even result in 
> conflicting information.

It is legal to put the key expiration in a direct key signature, but
I'm not sure why it isn't regularly done that way.  Possibly because
it was done that way a long time ago and there was no dramatic reason
to change.

In any event, GnuPG does accept a key expiration set from a direct key
signature.  I'm not sure about PGP.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8q1QYACgkQ4mZch0nhy8kIQgCfdej18CmdSGvoe82yZNZsfny+
Y+AAn3zfIA/EREHN9yjjg2ouRvG4qh8G
=S29u
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Sat Aug  2 17:06:56 2003
Message-ID: <000c01c35936$2ce33660$c801a8c0@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com> <001a01c35854$53754f80$2ac52609@transarc.ibm.com> <20030801192728.GK27440@jabberwocky.com>
Subject: Re: Clarification needed on compressed messages
Date: Sat, 2 Aug 2003 16:39:26 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"David Shaw" <dshaw@jabberwocky.com> writes:
> > > The ONEPASS method can also easily handle such constructions as
> > > ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.
... [to which I replied, and then he replied again:]
> It's not clear whether it is permitted now or not.
...
> The general question of multiple packets (whether in a one-pass
> signature, compressed data packet, or encrypted data packet) is
> somewhat hazy in the draft.  Speaking only about literal packets for
> now, sections 5.6, 5.7, and 5.13 all say yes (using the plural
> "literal data packets").  Section 10.2 says no.

Those sections refer to sequences inside compressed and the two
flavors of encrypted data packets (respectively), not signatures.
My claim that this is not allowed for signatures was based on the
grammar in 10.2.

...
> Come to think, your suggestion of using a compressed data packet to
> encapsulate could be useful here as well:
> ENCRYPTED(COMPRESSED(LITERAL+LITERAL)).

Yes, it's pretty clear that this is legal.  The grammar doesn't
cover the contents of compressed packets, so the language in
section 5.6 would seem to govern.  (Curiously, that section
suggests that COMPRESSED packets might live directly in
signatures, which is what kicked off this whole discussion.)

I don't really think that sequences of LITERAL packets are a good
thing.  I really don't like them for general archiving, as they don't
carry nearly enough information.  I also see no reason to avoid using
an external archiver (tar, zip, or any of many others).  I was going
to argue against allowing sequences of LITERAL because they complicate
decryption: implementations will likely want to provide a user
interface to control which LITERALs should be processed.  But then,
David pointed out that we already have this problem inside COMPRESSED
packets.  I'd be happy to withdraw that ability, but I'm sure others
will object, so I'll admit defeat in advance.

[Note that one can always encrypt each file separately, and if you're
worried about the public-key encryption cost, your implementation
could reuse the session key (but not IV) during multiple-file
encryption, and recognize that case on decryption.  I'm not advocating
this -- I prefer using a real (external) archiver instead -- but
simply pointing out an option that would be "conservative in what you
generate".]

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPywhaec3iHYL8FknEQK7KgCg+o9TKREgePvovRFhSNYP+Uze1IsAn0hW
yHRBYP/QoAZHfEFayhrg1iqm
=lgjq
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Sat Aug  2 18:04:11 2003
Date: Sat, 2 Aug 2003 17:37:53 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Cc: Michael Young <mwy-opgp97@the-youngs.org>
Subject: Re: Clarification needed on compressed messages
Message-ID: <20030802213753.GC1916@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org,
	Michael Young <mwy-opgp97@the-youngs.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com> <001a01c35854$53754f80$2ac52609@transarc.ibm.com> <20030801192728.GK27440@jabberwocky.com> <000c01c35936$2ce33660$c801a8c0@transarc.ibm.com>
In-Reply-To: <000c01c35936$2ce33660$c801a8c0@transarc.ibm.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Aug 02, 2003 at 04:39:26PM -0400, Michael Young wrote:

> > Come to think, your suggestion of using a compressed data packet to
> > encapsulate could be useful here as well:
> > ENCRYPTED(COMPRESSED(LITERAL+LITERAL)).
> 
> Yes, it's pretty clear that this is legal.  The grammar doesn't
> cover the contents of compressed packets, so the language in
> section 5.6 would seem to govern.  (Curiously, that section
> suggests that COMPRESSED packets might live directly in
> signatures, which is what kicked off this whole discussion.)

Well, I agree with your end result, but I'm not quite sure I agree
with the path you took to get there.  In fact, the grammar *does*
cover the contents of compressed and encrypted packets:

   In addition, decrypting a Symmetrically Encrypted Data Packet or a
   Symmetrically Encrypted Integrity Protected Data Packet as well as
   decompressing a Compressed Data packet must yield a valid OpenPGP
   Message.

Thus, COMPRESSED(LITERAL+LITERAL) is valid only if LITERAL+LITERAL is
valid.

So what this all comes down to is that 5.6 says that
COMPRESSED(LITERAL+LITERAL) is a valid construction.  10.2 says that
LITERAL+LITERAL isn't a valid construction.  Conflict: they can't both
be right.  Repeat as needed for section 5.7 and 5.13 - the problem is
identical.

This is why I have been suggesting a minor change to 10.2 to make it
match 5.6, 5.7 and 5.13:

The current draft says:

 Literal Message :- Literal Data Packet.

I'd like to change that to:

  Literal Message :- Literal Data Packet |
                     Literal Message, Literal Data Packet.

The draft, as it stands now, is internally inconsistent.  I'd like to
fix that.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8sLzEACgkQ4mZch0nhy8nF2ACcCGxT6zaF+RWSKIy4eW51J5Q/
WssAoMRmxE8K+gr9f77ZN/5RgqV/9HwD
=riai
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Mon Aug  4 18:08:15 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA13479
	for <openpgp-archive@lists.ietf.org>; Mon, 4 Aug 2003 18:08:15 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h74LfPqt039266
	for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 14:41:25 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h74LfPNq039265
	for ietf-openpgp-bks; Mon, 4 Aug 2003 14:41:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h74LfOqt039257
	for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 14:41:24 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from mailserver3.hushmail.com (mailserver3.hushmail.com [65.39.178.45])
	by smtp3.hushmail.com (Postfix) with ESMTP id 2FF606FF9
	for <ietf-openpgp@imc.org>; Mon,  4 Aug 2003 14:41:19 -0700 (PDT)
Received: from mailserver3.hushmail.com (localhost [127.0.0.1])
	by mailserver3.hushmail.com (8.12.6/8.12.3) with ESMTP id h74LfIvo041087
	for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 14:41:18 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: (from nobody@localhost)
	by mailserver3.hushmail.com (8.12.6/8.12.3/Submit) id h74LfIsZ041086
	for ietf-openpgp@imc.org; Mon, 4 Aug 2003 14:41:18 -0700 (PDT)
Message-Id: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
Date: Mon,  4 Aug 2003 14:41:18 -0700
To: ietf-openpgp@imc.org
Subject: multiple signature packets
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



have recently received a clearsigned PGP message that was signed
simultaneously with two different PGP keys,
but it caused 6.5.8ckt (build 8) to crash

the double signed messages can easily be generated from gnupg (command
line only),
but (afaik) not from pgp, even from the command line (2.x or 6.x)

have put up examples here:
http://www.angelfire.com/pr/pgpf/dspm.html

have found that the double signed messages were not a problem in pgp 8
under any circumstances,
and were not a problem for 6.5.8 as long as they weren't clearsigned

would like to request confirmation of this from anyone who uses 6.5.8
or 7.x


the double signed message can be very useful in the following specific
situation:

if someone wants to sign and encrypt to two different people, but, for
whatever reason, 
exchanged one key with one recipient and another key with another, and
doesn't want to have the keys uploaded to a server,

then, by double signing, the sender can have the message verified
independently with different keys for different receivers

{sort of cool, actually,   i wish it could be done from pgp ;-)   }

are multiple simultaneous signatures acceptable Open PGP behavior ?

tia,

vedaal







From owner-ietf-openpgp@mail.imc.org  Mon Aug  4 20:19:31 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA16119
	for <openpgp-archive@lists.ietf.org>; Mon, 4 Aug 2003 20:19:30 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75026qt048309
	for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 17:02:06 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h75026ax048308
	for ietf-openpgp-bks; Mon, 4 Aug 2003 17:02:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75025qt048302
	for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 17:02:05 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.181] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2.1); Mon, 4 Aug 2003 17:02:04 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Mon, 04 Aug 2003 17:02:07 -0700
Subject: Re: multiple signature packets
From: Jon Callas <jon@callas.org>
To: <vedaal@hush.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BB54420F.800163CA%jon@callas.org>
In-Reply-To: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 8/4/03 2:41 PM, "vedaal@hush.com" <vedaal@hush.com> wrote:

> are multiple simultaneous signatures acceptable Open PGP behavior ?

I almost said no.

However, the grammar says yes.

   OpenPGP Message :- Encrypted Message | Signed Message |
                      Compressed Message | Literal Message.

   Compressed Message :- Compressed Data Packet.

   Literal Message :- Literal Data Packet.

   ESK :- Public Key Encrypted Session Key Packet |
          Symmetric-Key Encrypted Session Key Packet.

   ESK Sequence :- ESK | ESK Sequence, ESK.

   Encrypted Data :- Symmetrically Encrypted Data Packet |
         Symmetrically Encrypted Integrity Protected Data Packet

   Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data.

   One-Pass Signed Message :- One-Pass Signature Packet,
               OpenPGP Message, Corresponding Signature Packet.

   Signed Message :- Signature Packet, OpenPGP Message |
               One-Pass Signed Message.


    Jon



From owner-ietf-openpgp@mail.imc.org  Mon Aug  4 20:20:22 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA16171
	for <openpgp-archive@lists.ietf.org>; Mon, 4 Aug 2003 20:20:22 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75042qt048409
	for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 17:04:02 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h75042ch048407
	for ietf-openpgp-bks; Mon, 4 Aug 2003 17:04:02 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75040qt048398
	for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 17:04:01 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h7503vi02844
	for ietf-openpgp@imc.org; Mon, 4 Aug 2003 20:03:57 -0400
Date: Mon, 4 Aug 2003 20:03:57 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: multiple signature packets
Message-ID: <20030805000357.GA1246@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (46% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Aug 04, 2003 at 02:41:18PM -0700, vedaal@hush.com wrote:
> 
> 
> have recently received a clearsigned PGP message that was signed
> simultaneously with two different PGP keys,
> but it caused 6.5.8ckt (build 8) to crash
> 
> the double signed messages can easily be generated from gnupg (command
> line only),
> but (afaik) not from pgp, even from the command line (2.x or 6.x)
> 
> have put up examples here:
> http://www.angelfire.com/pr/pgpf/dspm.html
> 
> have found that the double signed messages were not a problem in pgp
> 8 under any circumstances, and were not a problem for 6.5.8 as long
> as they weren't clearsigned

[..]

> {sort of cool, actually,   i wish it could be done from pgp ;-)   }
> 
> are multiple simultaneous signatures acceptable Open PGP behavior ?

The first example you gave was of a nested one-pass signature, and the
second example was a clearsigned message with two signatures after it.

While it is unfortunate that 6.5.8 can't handle them, both of these
constructions are legal in OpenPGP (as per sections 5.4 and 7).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8u9G0ACgkQ4mZch0nhy8n9AQCfQgBmYrp9w+XVRr6w1itT95K5
jA8AnjslYItmndfDO4dJOmtK+H8S5XAZ
=C1wB
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Mon Aug  4 21:02:59 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA16997
	for <openpgp-archive@lists.ietf.org>; Mon, 4 Aug 2003 21:02:59 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h750jFqt049689
	for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 17:45:15 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h750jEuL049688
	for ietf-openpgp-bks; Mon, 4 Aug 2003 17:45:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h750jDqt049682
	for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 17:45:14 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.181] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2.1); Mon, 4 Aug 2003 17:45:15 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Mon, 04 Aug 2003 17:45:19 -0700
Subject: Re: Clarification needed on compressed messages
From: Jon Callas <jon@callas.org>
To: David Shaw <dshaw@jabberwocky.com>, OpenPGP <ietf-openpgp@imc.org>
CC: Michael Young <mwy-opgp97@the-youngs.org>
Message-ID: <BB544C2F.800163DA%jon@callas.org>
In-Reply-To: <20030802213753.GC1916@jabberwocky.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 8/2/03 2:37 PM, "David Shaw" <dshaw@jabberwocky.com> wrote:

> I'd like to change that to:
> 
> Literal Message :- Literal Data Packet |
>                    Literal Message, Literal Data Packet.
> 
> The draft, as it stands now, is internally inconsistent.  I'd like to
> fix that.

Changed.

    Jon
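
Added example (not part of any list message, and not code from the draft or from any OpenPGP implementation): a small checker for the section 10.2 grammar quoted earlier in this thread, run with the draft's Literal Message rule and with the amended rule David Shaw proposed. The Packet class, the packet kind labels and the sample packet sequences are constructed for illustration, and compressed or encrypted packets are modelled as already opened.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    kind: str                              # LIT, COMP, SED, SEIPD, PKESK, SKESK, OPS, SIG
    inner: Optional[Tuple["Packet", ...]] = None  # packets seen after decompress/decrypt


# Constructed shorthand for building sample packet sequences.
LIT, SIG, OPS = Packet("LIT"), Packet("SIG"), Packet("OPS")
PKESK, SKESK = Packet("PKESK"), Packet("SKESK")


def COMP(*inner):
    return Packet("COMP", inner)


def SEIPD(*inner):
    return Packet("SEIPD", inner)


ESK = {"PKESK", "SKESK"}
ENCRYPTED = {"SED", "SEIPD"}


class GrammarError(ValueError):
    pass


def _message(pkts: Sequence[Packet], i: int, multi_literal: bool) -> int:
    """Consume one OpenPGP Message starting at pkts[i]; return the index after it."""
    if i >= len(pkts):
        raise GrammarError("expected a message, found end of input")
    p = pkts[i]
    if p.kind == "LIT":
        # Draft rule: exactly one Literal Data Packet.
        # Amended rule: Literal Message :- Literal Data Packet |
        #                                  Literal Message, Literal Data Packet.
        i += 1
        while multi_literal and i < len(pkts) and pkts[i].kind == "LIT":
            i += 1
        return i
    if p.kind == "COMP":
        # Decompressing must yield a valid OpenPGP Message.
        _whole(p.inner or (), multi_literal)
        return i + 1
    if p.kind in ESK or p.kind in ENCRYPTED:
        # Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data.
        while i < len(pkts) and pkts[i].kind in ESK:
            i += 1
        if i >= len(pkts) or pkts[i].kind not in ENCRYPTED:
            raise GrammarError("ESK sequence not followed by encrypted data")
        _whole(pkts[i].inner or (), multi_literal)  # decrypting must yield a message
        return i + 1
    if p.kind == "SIG":
        # Signed Message :- Signature Packet, OpenPGP Message.
        return _message(pkts, i + 1, multi_literal)
    if p.kind == "OPS":
        # One-Pass Signed Message :- One-Pass Signature Packet,
        #     OpenPGP Message, Corresponding Signature Packet.
        # Only the position of the closing packet is checked here, not that
        # its key ID matches the one-pass packet.
        j = _message(pkts, i + 1, multi_literal)
        if j >= len(pkts) or pkts[j].kind != "SIG":
            raise GrammarError("one-pass signature without closing signature packet")
        return j + 1
    raise GrammarError(f"unexpected packet {p.kind}")


def _whole(pkts: Sequence[Packet], multi_literal: bool) -> None:
    """The packet sequence must be exactly one OpenPGP Message."""
    end = _message(pkts, 0, multi_literal)
    if end != len(pkts):
        raise GrammarError(f"trailing packet {pkts[end].kind} after a complete message")


def is_valid(pkts: Sequence[Packet], multi_literal: bool) -> bool:
    try:
        _whole(pkts, multi_literal)
        return True
    except GrammarError:
        return False


if __name__ == "__main__":
    samples = {
        "COMPRESSED(LITERAL+LITERAL)": [COMP(LIT, LIT)],
        "ENCRYPTED(COMPRESSED(LITERAL+LITERAL))": [PKESK, SEIPD(COMP(LIT, LIT))],
        "nested one-pass signatures": [OPS, OPS, LIT, SIG, SIG],
        "two prefixed signatures": [SIG, SIG, LIT],
    }
    for name, pkts in samples.items():
        print(f"{name}: draft={is_valid(pkts, False)} amended={is_valid(pkts, True)}")
```

The nested-signature samples pass under both rule sets, while the LITERAL+LITERAL constructions pass only with the amended Literal Message rule.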



From owner-ietf-openpgp@mail.imc.org  Tue Aug  5 11:51:58 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA16877
	for <openpgp-archive@lists.ietf.org>; Tue, 5 Aug 2003 11:51:57 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75EQBqt013151
	for <ietf-openpgp-bks@above.proper.com>; Tue, 5 Aug 2003 07:26:11 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h75EQBvT013150
	for ietf-openpgp-bks; Tue, 5 Aug 2003 07:26:11 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75EQAqt013144
	for <ietf-openpgp@imc.org>; Tue, 5 Aug 2003 07:26:10 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from mailserver2.hushmail.com (mailserver2.hushmail.com [65.39.178.21])
	by smtp3.hushmail.com (Postfix) with ESMTP id 8316484BA
	for <ietf-openpgp@imc.org>; Tue,  5 Aug 2003 07:26:04 -0700 (PDT)
Received: from mailserver2.hushmail.com (localhost.hushmail.com [127.0.0.1])
	by mailserver2.hushmail.com (8.12.6/8.12.3) with ESMTP id h75EQ4Ks047598
	for <ietf-openpgp@imc.org>; Tue, 5 Aug 2003 07:26:04 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: (from nobody@localhost)
	by mailserver2.hushmail.com (8.12.6/8.12.3/Submit) id h75EQ4Qv047597
	for ietf-openpgp@imc.org; Tue, 5 Aug 2003 07:26:04 -0700 (PDT)
Message-Id: <200308051426.h75EQ4Qv047597@mailserver2.hushmail.com>
Date: Tue,  5 Aug 2003 07:26:04 -0700
To: ietf-openpgp@imc.org
Subject: Re: multiple signature packets
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>





On Mon, 04 Aug 2003 17:03:57 -0700 David Shaw <dshaw@jabberwocky.com>
wrote:

[...]

>> are multiple simultaneous signatures acceptable Open PGP behavior ?
>
>The first example you gave was of a nested one-pass signature, and the
>second example was a clearsigned message with two signatures after it.
>
>While it is unfortunate that 6.5.8 can't handle them, both of these
>constructions are legal in OpenPGP (as per sections 5.4 and 7).

6.5.8 can handle all except the clearsigned messages
(btw, 7.xx acts like 8, and handles everything)

is there a gnupg command syntax that would allow for a nested one pass
signature during clearsigning ?

{not suggesting it, as 6.5.8 can handle the armored signing, so it is
compatible enough,
but am curious if it could somehow be done}

tia,

vedaal







From owner-ietf-openpgp@mail.imc.org  Tue Aug  5 19:32:32 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA03145
	for <openpgp-archive@lists.ietf.org>; Tue, 5 Aug 2003 19:32:31 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75N5uqt044363
	for <ietf-openpgp-bks@above.proper.com>; Tue, 5 Aug 2003 16:05:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h75N5u0q044362
	for ietf-openpgp-bks; Tue, 5 Aug 2003 16:05:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h75N5tqt044354
	for <ietf-openpgp@imc.org>; Tue, 5 Aug 2003 16:05:56 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h75N5q914250
	for ietf-openpgp@imc.org; Tue, 5 Aug 2003 19:05:52 -0400
Date: Tue, 5 Aug 2003 19:05:52 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: multiple signature packets
Message-ID: <20030805230552.GA14127@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200308051426.h75EQ4Qv047597@mailserver2.hushmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200308051426.h75EQ4Qv047597@mailserver2.hushmail.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Gibbous (57% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Aug 05, 2003 at 07:26:04AM -0700, vedaal@hush.com wrote:

> On Mon, 04 Aug 2003 17:03:57 -0700 David Shaw <dshaw@jabberwocky.com>
> wrote:
> 
> [...]
> 
> >> are multiple simultaneous signatures acceptable Open PGP behavior
> >?
> >
> >The first example you gave was of a nested one-pass signature, and
> >the
> >second example was a clearsigned message with two signatures after
> >it.
> >
> >While it is unfortunate that 6.5.8 can't handle them, both of these
> >constructions are legal in OpenPGP (as per sections 5.4 and 7).
> 
> 6.5.8 can handle all except the clearsigned messages
> (btw, 7.xx acts like 8, and handles everything)
> 
> is there a gnupg command syntax that would allow for a nested one
> pass signature during clearsigning ?

There is no such concept.  All clear signatures by their nature (being
a signature that can be processed in one pass, by specifying the hash
before the data begins) are one pass.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8wOFAACgkQ4mZch0nhy8lJswCg4H3jOkLMfA19pIXP9kukC6FG
v1QAn2pO8kwtkgPaWy5+fFUXB1vjMkw3
=n8Hu
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Fri Aug  8 12:14:56 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA16402
	for <openpgp-archive@lists.ietf.org>; Fri, 8 Aug 2003 12:14:56 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h78Fl5qt037066
	for <ietf-openpgp-bks@above.proper.com>; Fri, 8 Aug 2003 08:47:05 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h78Fl5CP037065
	for ietf-openpgp-bks; Fri, 8 Aug 2003 08:47:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp1.kodak.com (smtp1.kodak.com [192.232.121.200])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h78Fl4qt037060
	for <ietf-openpgp@imc.org>; Fri, 8 Aug 2003 08:47:04 -0700 (PDT)
	(envelope-from john.dlugosz@kodak.com)
Received: from knotes2.kodak.com (ko-knotes2.ekc1.ekc.kodak.com [150.221.122.53])
	by smtp1.kodak.com (8.11.3/8.11.1) with ESMTP id h78Fl1P13705;
	Fri, 8 Aug 2003 11:47:01 -0400 (EDT)
Subject: Re: signature woes and reconciliation, examples appreciated
To: hal@finney.org
Cc: ietf-openpgp@imc.org
X-Mailer: Lotus Notes Release 5.0.5  September 22, 2000
Message-ID: <OF1E4ADCFA.ABB75C9D-ON86256D7C.00569C8A@kodak.com>
From: john.dlugosz@kodak.com
Date: Fri, 8 Aug 2003 10:46:59 -0500
X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.11  |July 24, 2002) at
 08/08/2003 11:47:01 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



Adding "...in the same hash context" would probably be enough, as hash
contexts are explained in the key stretching section.  Of course, adding
pseudocode would not hurt.



"Hal Finney" <hal@finney.org>
Sent by: owner-ietf-openpgp@mail.imc.org
07/31/2003 07:15 PM

To:      ietf-openpgp@imc.org, poiboy@SAFe-mail.net
cc:
Subject: Re: signature woes and reconciliation, examples appreciated





> From: poiboy@SAFe-mail.net
> I recently ran into trouble trying to calculate the hash needed to
> verify a GnuPG (1.2.2) v3 DSA one-pass signature with my pet Python
> hopeful-implementation-to-be.

I've had someone else run into the same problem interpreting this part of
the spec.  The language about "first you hash this, then you hash that,
then you hash this other thing" seems very natural to me (I wrote much of
it after all), working with a programming interface where you pass data
incrementally into a hash context object.  But other people interpret
it as you did, that you produce a hash of the first part, then a hash
of the second part, then a hash of the third part, and somehow combine
these hashes together to get the final signature.

Hal Finney







From owner-ietf-openpgp@mail.imc.org  Mon Aug 11 00:27:26 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA23620
	for <openpgp-archive@lists.ietf.org>; Mon, 11 Aug 2003 00:27:25 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7B457qt079865
	for <ietf-openpgp-bks@above.proper.com>; Sun, 10 Aug 2003 21:05:07 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7B457Tk079864
	for ietf-openpgp-bks; Sun, 10 Aug 2003 21:05:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sea.h2np.net (sea.h2np.net [220.110.1.194])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7B455qt079851
	for <ietf-openpgp@imc.org>; Sun, 10 Aug 2003 21:05:05 -0700 (PDT)
	(envelope-from hironobu@h2np.net)
Received: from lax.h2np.net ([220.110.1.195] helo=mail.h2np.net)
	by sea.h2np.net with esmtp (H2NP Email Service (Exim 3.35))
	id 19m3vZ-0008Vh-00; Mon, 11 Aug 2003 13:05:01 +0900
From: Hironobu SUZUKI <hironobu@h2np.net>
To: ietf-openpgp@imc.org
cc: pgp-keyserver-folk@flame.org, keysignings@alt.org, gnupg-users@gnupg.org,
        pgp-users@pgp.iijlab.net
Reply-To: hironobu@h2np.net
Subject: OpenPGP BOF at CRYPTO 2003
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Date: Mon, 11 Aug 2003 13:04:58 +0900
Message-Id: <E19m3vZ-0008Vh-00@sea.h2np.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit



Hi,  

OpenPGP BOF and PGP Keysigning will be held at CRYPTO 2003 Tuesday
afternoon (14:00-15:30 Tuesday August 19, 2003).  I hope to see you
soon.

See more details:

  CRYPTO 2003
  http://www.iacr.org/conferences/crypto2003/
  
  OpenPGP BOF and PGP Keysigning
  http://www.iacr.org/conferences/crypto2003/content.html

----

    *  Hironobu SUZUKI <hironobu@h2np.net>, OpenPGP BOF           

    I'm an author of an OpenPGP public keyserver, a.k.a.
    OpenPKSD. Sometime, I'd like to ask PGP, GPG and other public
    keyserver developers about their activities because keyservers have
    to work with other keyserver implementations, PGP/GPG tools,
    etc.  Also I'd like to discuss ideas about OpenPGP and keyservers.
    An informal face-to-face meeting on OpenPGP at CRYPTO 2003 is a good
    chance to know what is going on around OpenPGP.  If you have an idea
    and/or a proposal for the OpenPGP BOF, feel free to contact
    <crypto2003-bof@openpksd.org>.

    * PGP Keysigning
 
    After the OpenPGP BOF, in the same room, will be a PGP keysigning
    gathering, where PGP users can identify themselves and take away
    verified PGP key fingerprints for subsequent signing, enhancing
    the PGP Web of Trust.
---

---
Hironobu SUZUKI
E-Mail: hironobu@h2np.net
URL: http://h2np.net


From owner-ietf-openpgp@mail.imc.org  Thu Aug 21 14:23:42 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA19366
	for <openpgp-archive@lists.ietf.org>; Thu, 21 Aug 2003 14:23:41 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LHv4qt045410
	for <ietf-openpgp-bks@above.proper.com>; Thu, 21 Aug 2003 10:57:04 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7LHv4DI045409
	for ietf-openpgp-bks; Thu, 21 Aug 2003 10:57:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LHv2qt045401
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 10:57:02 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [65.39.178.20])
	by smtp3.hushmail.com (Postfix) with ESMTP id 3D5A710E77E
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 10:55:53 -0700 (PDT)
Received: from mailserver1.hushmail.com (localhost.hushmail.com [127.0.0.1])
	by mailserver1.hushmail.com (8.12.6/8.12.3) with ESMTP id h7LHtrK8018064
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 10:55:53 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: (from nobody@localhost)
	by mailserver1.hushmail.com (8.12.6/8.12.3/Submit) id h7LHtrZe018063
	for ietf-openpgp@imc.org; Thu, 21 Aug 2003 10:55:53 -0700 (PDT)
Message-Id: <200308211755.h7LHtrZe018063@mailserver1.hushmail.com>
Date: Thu, 21 Aug 2003 10:55:53 -0700
To: ietf-openpgp@imc.org
Subject: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


have been able to separate a signed and encrypted message into a freestanding
verifiable clearsigned message

have put up the example here:
http://www.angelfire.com/pr/pgpf/sclsf.html

(the keys and messages are in 3des, idea is not necessary )

would like to ask:

[1] is there any way to distinguish the composite reconstruction forgery
from a 'real' de novo clearsigned message ?

[2] is there a difference between GnuPG and PGP in the way a message
is clearsigned, as opposed to signed and encrypted,
that might distinguish the forged composite, from a real clearsigned
message?

while the Davis paper describes separating and re-encrypting,
it doesn't deal with separating into a freestanding clearsigned message.

tia,

vedaal





From owner-ietf-openpgp@mail.imc.org  Thu Aug 21 16:33:46 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA28687
	for <openpgp-archive@lists.ietf.org>; Thu, 21 Aug 2003 16:33:46 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LKFeqt054898
	for <ietf-openpgp-bks@above.proper.com>; Thu, 21 Aug 2003 13:15:40 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7LKFePf054897
	for ietf-openpgp-bks; Thu, 21 Aug 2003 13:15:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LKFdqt054892
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 13:15:39 -0700 (PDT)
	(envelope-from hal@finney.org)
Received: (from hal@localhost)
	by finney.org (8.11.6/8.11.6) id h7LKEPH04252;
	Thu, 21 Aug 2003 13:14:25 -0700
Date: Thu, 21 Aug 2003 13:14:25 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200308212014.h7LKEPH04252@finney.org>
To: ietf-openpgp@imc.org, vedaal@hush.com
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Vedaal writes:

> have been able to separate a signed and encrypted message into a freestanding
> verifiable clearsigned message
>
> have put up the example here:
> http://www.angelfire.com/pr/pgpf/sclsf.html

Makes sense, signed messages are signed messages.

> would like to ask:
>
> [1] is there any way to distinguish the composite reconstruction forgery
> from a 'real' de novo clearsigned message ?

I disagree that this is a forgery.  Rather, it is a reformatting (plus
you have stripped off an encryption layer).  Generally, the hashing
rules for text-mode signed messages (as you have in your encrypted and
signed message) and clearsigned messages are the same.

However some (older?) versions of PGP don't follow the spec and don't
ignore trailing whitespace for text-mode signed messages, while they
do ignore it for clearsigned messages.  So if you had a message with
trailing whitespace and created a text-mode signed message (or a signed
and encrypted message) using such a version of PGP, it would not verify
when converted to a clearsigned message.  However such messages would
tend to have verification difficulties anyway due to this variation
from the spec.

> [2] is there a difference between GnuPG and PGP in the way a message
> is clearsigned, as opposed to signed and encrypted,
> that might distinguish the forged composite, from a real clearsigned
> message?

Again I would say "reformatted" rather than "forged".  These are just
two different formats for signed messages.  Except for the variation I
mentioned above I think that the two are hashed the same for GPG and PGP.

> while the Davis paper describes separating and re-encrypting,
> it doesn't deal with separating into a freestanding clearsigned message.

I saw some code to do this somewhere a while back.  It's trivial, once
you strip off the encryption layer and leave the text-mode signed message,
to convert it to a clearsigned message.  Just wrap the literal payload
in the appropriate BEGIN PGP headers, and base64 encode the signature
packet.

Hal
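
Added example, not part of Hal Finney's message and not code from PGP or GnuPG: the Python below models the document canonicalization discussed above, showing why a text-mode signature still verifies once the payload is reframed as cleartext, and why it stops verifying when the signer did not strip trailing whitespace. Function names and sample messages are constructed; only the document portion of the signature hash is modelled, because the signature packet itself is carried over unchanged.

```python
import hashlib


def _lines(text):
    # Accept any line-ending convention on input.
    return text.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def text_mode_hash_input(text, strip_trailing_ws=True):
    """Document bytes hashed for a text-mode (type 0x01) signature.

    RFC 2440 rule: line endings become CRLF and trailing blanks are removed.
    strip_trailing_ws=False models the non-conforming signer described in
    the message, which keeps trailing whitespace in text mode.
    """
    lines = _lines(text)
    if strip_trailing_ws:
        lines = [ln.rstrip(" \t") for ln in lines]
    return "\r\n".join(lines).encode("utf-8")


def dash_escape(text):
    """Cleartext framing: any line starting with '-' is prefixed with '- '."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in _lines(text))


def cleartext_hash_input(body):
    """Document bytes hashed when verifying a cleartext-signed body.

    `body` is the text between the armor headers and the signature block.
    Dash-escaping is undone, trailing spaces and tabs are dropped, and
    lines are joined with CRLF.
    """
    out = []
    for ln in _lines(body):
        if ln.startswith("- "):
            ln = ln[2:]
        out.append(ln.rstrip(" \t"))
    return "\r\n".join(out).encode("utf-8")


def same_document_hash(text, legacy_signer):
    """True if the reframed cleartext body hashes like the signed payload."""
    signed = hashlib.sha1(
        text_mode_hash_input(text, strip_trailing_ws=not legacy_signer)
    ).hexdigest()
    reframed = hashlib.sha1(
        cleartext_hash_input(dash_escape(text))
    ).hexdigest()
    return signed == reframed


# Constructed sample payloads.
CLEAN = "Meet at noon.\n- bring the key\nBob"
TRAILING_WS = "Meet at noon.   \nBob\t"

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("trailing whitespace", TRAILING_WS)):
        for legacy in (False, True):
            signer = "non-conforming" if legacy else "conforming"
            result = "match" if same_document_hash(msg, legacy) else "MISMATCH"
            print(f"{name:20s} {signer:15s} {result}")
```

A mismatch on the last line of output is the verification failure the message attributes to implementations that do not follow the spec.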


From owner-ietf-openpgp@mail.imc.org  Thu Aug 21 17:36:44 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA01847
	for <openpgp-archive@lists.ietf.org>; Thu, 21 Aug 2003 17:36:43 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LL9Iqt057234
	for <ietf-openpgp-bks@above.proper.com>; Thu, 21 Aug 2003 14:09:18 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7LL9IAT057233
	for ietf-openpgp-bks; Thu, 21 Aug 2003 14:09:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LL9Gqt057219
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 14:09:17 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [65.39.178.20])
	by smtp3.hushmail.com (Postfix) with ESMTP id 4EAE310E567
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 14:09:12 -0700 (PDT)
Received: from mailserver1.hushmail.com (localhost.hushmail.com [127.0.0.1])
	by mailserver1.hushmail.com (8.12.6/8.12.3) with ESMTP id h7LL9CK8035601
	for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 14:09:12 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: (from nobody@localhost)
	by mailserver1.hushmail.com (8.12.6/8.12.3/Submit) id h7LL9CaG035600
	for ietf-openpgp@imc.org; Thu, 21 Aug 2003 14:09:12 -0700 (PDT)
Message-Id: <200308212109.h7LL9CaG035600@mailserver1.hushmail.com>
Date: Thu, 21 Aug 2003 14:09:12 -0700
To: ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>




On Thu, 21 Aug 2003 13:14:25 -0700 Hal Finney <hal@finney.org> wrote:

[...]

>> [1] is there any way to distinguish the composite reconstruction forgery
>> from a 'real' de novo clearsigned message ?
>
>I disagree that this is a forgery.  Rather, it is a reformatting

[...]

it is a forgery only in the sense, that if it were, for example, posted
anonymously by someone else,
then there could be circumstances where people viewing it might be upset
that such a message that should have been (and was) encrypted,
was posted as a public clearsigned message.

the term 'forgery' was meant to imply, that the message could be changed
in a way
that did not reflect the intent of the sender, who would never think
of posting it unencrypted.


in a sense, it is the same as the Davis re-encryption, which also does
not reflect the intent of the sender to send it to the third party

but, 

in the case of re-encryption to another receiver, the sender can take
precautions of addressing the 'real' intended receiver by name in the
message plaintext.

while in the case of the clearsigned reconstruction, there is no such
precaution to demonstrate that the sender never intended sending an open
message
(short of the E,(S&E) solution)

vedaal





From owner-ietf-openpgp@mail.imc.org  Fri Aug 22 05:18:05 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA12487
	for <openpgp-archive@lists.ietf.org>; Fri, 22 Aug 2003 05:18:04 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7M8ncqt011759
	for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 01:49:38 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7M8ncWt011758
	for ietf-openpgp-bks; Fri, 22 Aug 2003 01:49:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.granitsoft.ch (zux221-024-146.adsl.green.ch [81.221.24.146])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7M8naqt011746
	for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 01:49:37 -0700 (PDT)
	(envelope-from avbidder@fortytwo.ch)
Received: from ogo.granitsoft.ch (unknown [192.168.0.69])
	by mail.granitsoft.ch (Postfix) with ESMTP id 90F32222EEE
	for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 10:49:39 +0200 (CEST)
From: Adrian von Bidder <avbidder@fortytwo.ch>
Organization: granitsoft.ch
To: ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
Date: Fri, 22 Aug 2003 10:49:23 +0200
User-Agent: KMail/1.5.3
References: <200308212109.h7LL9CaG035600@mailserver1.hushmail.com>
In-Reply-To: <200308212109.h7LL9CaG035600@mailserver1.hushmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed;
  protocol="application/pgp-signature";
  micalg=pgp-sha1;
  boundary="Boundary-02=_XkdR/FXlJ4cCxll";
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200308221049.27927.avbidder@fortytwo.ch>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



--Boundary-02=_XkdR/FXlJ4cCxll
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Description: signed data
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[People, why can't you use a sensible mailer who produces In-Reply-To or
References header?]

...
vedaal:
> that did not reflect the intent of the sender, who would never think
> of posting it unencrypted.

If you send sensible content to somebody you can't trust to keep it secret,
there's no technical solution to solve that problem. Don't send that person
any sensible content - encrypted or not.

If you S/E/S the message, you can still strip the outer signature and the
encryption and get a perfectly readable signed message. True, there could be
some indication that the inner signature was part of a S/E/S message - but in
the original case, the sender could put a notice 'this is a confidential
message and was sent encrypted' in the message text.

IIRC E/S/E had some other significant drawback, somebody will certainly point
it out here, but it would "solve" that particular problem. But I don't think
that it does achieve more than putting 'this is a confidential message' in
the signed body:

The recipient can publish the E/S/E message without the outer encryption
layer. Then he publishes the decrypted message and his public key. Everybody
can then generate the encrypted message and, with the signature, verify that
it is the same message. So this "solution" falls apart, too.

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/gpg/subkeys

--Boundary-02=_XkdR/FXlJ4cCxll
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iKcEABECAGcFAj9F2RdgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l6p24AoInzgHwRdZZNdF+9VMVlB/b5
k7DnAKC1cuLE/l7e9j/uW8ZIpRdt1qAcbQ==
=SewE
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e

--Boundary-02=_XkdR/FXlJ4cCxll--



From owner-ietf-openpgp@mail.imc.org  Fri Aug 22 11:08:44 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA01785
	for <openpgp-archive@lists.ietf.org>; Fri, 22 Aug 2003 11:08:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MEguqt038282
	for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 07:42:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7MEguRC038281
	for ietf-openpgp-bks; Fri, 22 Aug 2003 07:42:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MEgtqt038274
	for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 07:42:55 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [65.39.178.20])
	by smtp3.hushmail.com (Postfix) with ESMTP
	id 0C8E610E684; Fri, 22 Aug 2003 07:42:50 -0700 (PDT)
Received: from mailserver1.hushmail.com (localhost.hushmail.com [127.0.0.1])
	by mailserver1.hushmail.com (8.12.6/8.12.3) with ESMTP id h7MEgoK8004463;
	Fri, 22 Aug 2003 07:42:50 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: (from nobody@localhost)
	by mailserver1.hushmail.com (8.12.6/8.12.3/Submit) id h7MEgniM004462;
	Fri, 22 Aug 2003 07:42:49 -0700 (PDT)
Message-Id: <200308221442.h7MEgniM004462@mailserver1.hushmail.com>
Date: Fri, 22 Aug 2003 07:42:49 -0700
To: ietf-openpgp@imc.org
Cc: don@mit.edu
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>




On Fri, 22 Aug 2003 01:49:23 -0700 Adrian von Bidder 

[...]

>vedaal:
>> that did not reflect the intent of the sender, who would never think
>> of posting it unencrypted.
>
>If you send sensible content to somebody you can't trust to keep it secret,
>there's no technical solution to solve that problem. Don't send that person
>any sensible content - encrypted or not.

consider the case of a high-ranking corporate employee who left a company
on unfriendly terms,

or a pt./dr. communication where, at a later date, the pt. is suing the
dr.

the content of the communication was perfectly appropriate in encrypted
form, at the time it was communicated

but,

if it is (maliciously, anonymously) posted by the receiver,
the receiver can claim that the dr. violated medical privacy issues,
and someone in the corporation can claim that the sender 'leaked' sensitive
material to a public forum

of course, the sender can counter:

"i didn't do it !
it was a malicious reconstruction of the message by the receiver into clearsigned
form!"

but this still leaves some doubt ...

[...]


>The recipient can publish the E/S/E message without the outer encryption
>layer. Then he publishes the decrypted message and his public key. Everybody
>can then generate the encrypted message and, with the signature, verify that
>it is the same message. So this "solution" falls apart, too.

no it doesn't,

if the sender doesn't routinely encrypt to self,
then even if the receiver publishes the session key, then the 'leak'
can unequivocally be shown to be the receiver


the point is, 

can there be an additional packet feature that somehow distinguishes
a signed and encrypted message, from a clearsigned one
(which could be done in backward compatible form, where older versions
might not 'recognize/be able to interpret' the new packet, but could
decrypt anyway,
while newer versions could be used to distinguish the signature/message
type.)


with Respect,

vedaal  





From owner-ietf-openpgp@mail.imc.org  Fri Aug 22 12:30:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05780
	for <openpgp-archive@lists.ietf.org>; Fri, 22 Aug 2003 12:30:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MFwwqt045554
	for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 08:58:58 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7MFwwJh045552
	for ietf-openpgp-bks; Fri, 22 Aug 2003 08:58:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MFwvqt045546
	for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 08:58:57 -0700 (PDT)
	(envelope-from hal@finney.org)
Received: (from hal@localhost)
	by finney.org (8.11.6/8.11.6) id h7MFvfm08601;
	Fri, 22 Aug 2003 08:57:41 -0700
Date: Fri, 22 Aug 2003 08:57:41 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200308221557.h7MFvfm08601@finney.org>
To: avbidder@fortytwo.ch, ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


I agree that combinations of sign and encrypt don't really solve the
problem that the sender can have his plaintext revealed in a way that
cryptographically binds him to it via his signature.  At best we can
make it clear that this was done without his intention, but as Adrian von
Bidder points out this could be done equally well by a notation "this is
intended to be private mail from Alice to Bob" at the top of the message.

One addition: it is not necessary for the receiver to reveal his secret
key in order to prove a signature over plaintext on an E/S/E (or S/E)
message (i.e. encrypt and then sign the encryption).  He can reveal
the session key (which is used once per message and then thrown away)
and then prove it valid.  I have seen some software to do that.

I can't deny that these facts may be contrary to (some) users'
expectations, since users here have explicitly stated that these are
surprising to them.  Nevertheless these are the cryptographic realities,
and the solution is to try to improve the users' understandings of
the issue.

Now, there are cryptographic mechanisms by which Alice can send to
Bob a message which could equally have been signed by either Alice or
Bob.  Bob can't then show this around and bind it to Alice because he
could have created it as a forgery.  These are the "group", "ring"
or perhaps "designated verifier" signatures.  We discussed the possibility
of incorporating them into a (future? addendum?) spec at some point.
If people really want to send signed messages which can't be further
revealed to others, this is something we might pursue.

Hal Finney


From owner-ietf-openpgp@mail.imc.org  Fri Aug 22 14:34:10 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA12365
	for <openpgp-archive@lists.ietf.org>; Fri, 22 Aug 2003 14:34:09 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MI4aqt051239
	for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 11:04:36 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7MI4apY051238
	for ietf-openpgp-bks; Fri, 22 Aug 2003 11:04:36 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MI4Yqt051231
	for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 11:04:35 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from systemics.com (localhost [127.0.0.1])
	by mx1.cryptohill.net (Postfix) with ESMTP
	id 968691C8A1; Fri, 22 Aug 2003 14:04:33 -0400 (EDT)
Message-ID: <3F465A7A.A3B7C277@systemics.com>
Date: Fri, 22 Aug 2003 14:01:30 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Cc: vedaal@hush.com
Subject: Re: Davis paper revisited  //  separation of signed and encrypted 
 messages into clearsigned messages
References: <200308221442.h7MEgniM004462@mailserver1.hushmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


vedaal@hush.com wrote:

> the point is,
> 
> can there be an additional packet feature that somehow distinguishes
> a signed and encrypted message, from a clearsigned one

Signed is signed, regardless of how it was then later
transmitted.

What you appear to be asking for is a recipient-based
signature.

That is, Alice and Bob can sign messages to each other,
knowing that each can verify the signatures, but they
can't reliably prove this to others.  Hence, leakages
reduce to the same status as made up claims.

(I believe this is done relatively easily with MACs based
on previous key exchanges ... but the more crypto-cognoscenti
will know.)

My essential point is that it appears that you are trying
to overload a minor formatting feature with a high level
signature meaning and purpose distinction?

Yes, sure, this could be done, but it's not the right
place for it, I would have thought.  Let's map out the
meaning of this signature first, and then think about
a) whether it is useful, and b) how to do it.

-- 
iang
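
Added example, not part of Ian Grigg's or Hal Finney's messages and not an OpenPGP mechanism: the Python below illustrates the "MACs based on previous key exchanges" idea, and the property Hal describes of a message that either party could have authenticated. The Diffie-Hellman group, private exponents, function names and messages are all constructed for illustration, and the 127-bit group is far too small for real use.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group, constructed for this example only.
P = 2**127 - 1   # a Mersenne prime; far too small for real use
G = 3


def _constructed_private(label):
    # Deterministic private exponent so the example is repeatable.
    return int.from_bytes(hashlib.sha256(label).digest()[:15], "big") + 2


def dh_public(priv):
    return pow(G, priv, P)


def shared_key(my_priv, their_pub):
    # Both sides derive the same MAC key from the earlier key exchange.
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, t):
    return hmac.compare_digest(tag(key, message), t)


def demo():
    a = _constructed_private(b"alice (constructed)")
    b = _constructed_private(b"bob (constructed)")
    k_alice = shared_key(a, dh_public(b))
    k_bob = shared_key(b, dh_public(a))

    # Alice authenticates a private note to Bob.
    note = b"private note from Alice to Bob"
    t_note = tag(k_alice, note)

    # Bob holds the same key, so he can produce an equally valid tag
    # over text Alice never wrote. A third party shown the key and a
    # tagged message cannot tell which of the two created it.
    other = b"text Alice never wrote"
    t_other = tag(k_bob, other)

    return {
        "keys_match": k_alice == k_bob,
        "bob_accepts_alice": verify(k_bob, note, t_note),
        "tampering_detected": not verify(k_bob, note + b"!", t_note),
        "bob_made_tag_verifies": verify(k_alice, other, t_other),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Bob still gets integrity and origin assurance for himself, because he knows he did not write the note; what he loses is the ability to bind Alice to it in front of anyone else.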


From owner-ietf-openpgp@mail.imc.org  Fri Aug 22 21:55:04 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA02643
	for <openpgp-archive@lists.ietf.org>; Fri, 22 Aug 2003 21:55:03 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7N1Guqt065212
	for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 18:16:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7N1Gs7H065209
	for ietf-openpgp-bks; Fri, 22 Aug 2003 18:16:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7N1Grqt065202
	for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 18:16:53 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [192.168.2.235] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2.1); Fri, 22 Aug 2003 18:16:55 -0700
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Fri, 22 Aug 2003 18:16:56 -0700
Subject: Re: Davis paper revisited  //  separation of signed and encrypted
	messages into clearsigned messages
From: Jon Callas <jon@callas.org>
To: <vedaal@hush.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BB6C0E98.80017688%jon@callas.org>
In-Reply-To: <200308211755.h7LHtrZe018063@mailserver1.hushmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


I just want to make sure I understand this.

The problem is this:

Alice sends Bob an encrypted and signed message.

Bob decrypts the message, and then does byte-surgery to construct a
plaintext clearsigned message that the signature verifies, and anyone in the
world can read.

This is the "attack," right?

    Jon



From owner-ietf-openpgp@mail.imc.org  Sat Aug 23 06:11:33 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA00680
	for <openpgp-archive@lists.ietf.org>; Sat, 23 Aug 2003 06:11:33 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7N9Ztqt012093
	for <ietf-openpgp-bks@above.proper.com>; Sat, 23 Aug 2003 02:35:55 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7N9ZtUi012092
	for ietf-openpgp-bks; Sat, 23 Aug 2003 02:35:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h7N9Zsqt012087
	for <ietf-openpgp@imc.org>; Sat, 23 Aug 2003 02:35:54 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-96-104.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.15487-0@bells.cs.ucl.ac.uk>;
          Sat, 23 Aug 2003 10:35:49 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: iang <iang@systemics.com>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: Davis paper revisited // separation of signed and encrypted 
         messages into clearsigned messages
Date: Sat, 23 Aug 2003 10:35:45 +0100
Message-ID: <007b01c36959$ee6e2eb0$68602352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <3F465A7A.A3B7C277@systemics.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


> What you appear to be asking for is a recipient-based signature.

Adam Back and I proposed a way to do this in OpenPGP a few years ago...
http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm




From owner-ietf-openpgp@mail.imc.org  Sat Aug 23 11:38:05 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14296
	for <openpgp-archive@lists.ietf.org>; Sat, 23 Aug 2003 11:38:04 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7NF9Uqt044826
	for <ietf-openpgp-bks@above.proper.com>; Sat, 23 Aug 2003 08:09:30 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7NF9U4Y044825
	for ietf-openpgp-bks; Sat, 23 Aug 2003 08:09:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7NF9Rqt044818
	for <ietf-openpgp@imc.org>; Sat, 23 Aug 2003 08:09:28 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19qZtC-0006I1-00
	for <ietf-openpgp@imc.org>; Sat, 23 Aug 2003 17:01:14 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19qZyk-0006A7-00; Sat, 23 Aug 2003 17:06:58 +0200
To: Don Davis <don@mit.edu>
Cc: <vedaal@hush.com>, ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted
 messages into clearsigned messages
References: <200308221442.h7MEgniM004462@mailserver1.hushmail.com>
	<a05100301bb6c7914adb6@[67.242.205.18]>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Sat, 23 Aug 2003 17:06:58 +0200
In-Reply-To: <a05100301bb6c7914adb6@[67.242.205.18]> (Don Davis's message of
 "Fri, 22 Aug 2003 22:18:55 -0400")
Message-ID: <87k7942z1p.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Fri, 22 Aug 2003 22:18:55 -0400, Don Davis said:

>   * a signed-&-encrypted message would include
>     the recipient's ID under the signature.

I came later to the conclusion that it is not gpg's task to construct
the notation data but that of a MUA.  This is because a MUA has far
better information on who are the intended recipients and a MUA can
also much better check and display such notation data.  This is
similar to the good practice to warn when a reply is about to be sent to
someone other than the original sender as indicated by the signature.

Adding this to GnuPG would overload it with functions out of its
domain.  GnuPG also does no MIME encoding and other stuff a MUA can do
better.


Salam-Shalom,

   Werner


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



From owner-ietf-openpgp@mail.imc.org  Tue Aug 26 15:37:50 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA29671
	for <openpgp-archive@lists.ietf.org>; Tue, 26 Aug 2003 15:37:49 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7QJ2Pgc080042
	for <ietf-openpgp-bks@above.proper.com>; Tue, 26 Aug 2003 12:02:25 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7QJ2PKn080041
	for ietf-openpgp-bks; Tue, 26 Aug 2003 12:02:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from web80710.mail.yahoo.com (web80710.mail.yahoo.com [66.163.170.67])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h7QJ2Ogc080033
	for <ietf-openpgp@imc.org>; Tue, 26 Aug 2003 12:02:24 -0700 (PDT)
	(envelope-from markkwilliams2000@yahoo.com)
Message-ID: <20030826190226.32097.qmail@web80710.mail.yahoo.com>
Received: from [168.143.113.102] by web80710.mail.yahoo.com via HTTP; Tue, 26 Aug 2003 12:02:26 PDT
Date: Tue, 26 Aug 2003 12:02:26 -0700 (PDT)
From: Mark Williams <markkwilliams2000@yahoo.com>
Subject: Signature extensions?
To: openpgp <ietf-openpgp@imc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Hi, I am working on some software where I am planning
on using OpenPGP signature formats but with some
custom extension subpackets.  Would this group be
interested in seeing these extensions documented,
perhaps in a draft informational RFC?  Is there any
chance that the extensions might eventually be adopted
into a future version of the OpenPGP specification? 
What would that procedure be?

Thanks for your help.

Mark K. Williams
markkwilliams2000@yahoo.com



From owner-ietf-openpgp@mail.imc.org  Fri Aug 29 23:27:01 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA04946
	for <openpgp-archive@lists.ietf.org>; Fri, 29 Aug 2003 23:27:00 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7U32Fgc025102
	for <ietf-openpgp-bks@above.proper.com>; Fri, 29 Aug 2003 20:02:15 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7U32F0G025101
	for ietf-openpgp-bks; Fri, 29 Aug 2003 20:02:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7U32Egc025094
	for <ietf-openpgp@imc.org>; Fri, 29 Aug 2003 20:02:14 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h7U326t12216
	for ietf-openpgp@imc.org; Fri, 29 Aug 2003 23:02:06 -0400
Date: Fri, 29 Aug 2003 23:02:06 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: openpgp <ietf-openpgp@imc.org>
Subject: Re: Signature extensions?
Message-ID: <20030830030206.GA11925@jabberwocky.com>
Mail-Followup-To: openpgp <ietf-openpgp@imc.org>
References: <20030826190226.32097.qmail@web80710.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <20030826190226.32097.qmail@web80710.mail.yahoo.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (7% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Aug 26, 2003 at 12:02:26PM -0700, Mark Williams wrote:
> 
> Hi, I am working on some software where I am planning
> on using OpenPGP signature formats but with some
> custom extension subpackets.  Would this group be
> interested in seeing these extensions documented,
> perhaps in a draft informational RFC?

Hard to say without knowing what you are extending, how you are
extending it, and why ;)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAj9QE64qGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJWgcAnRlRH3l2cVmmgA8IKPlVg7BtTbnwAKCX
6Im+30q9Yvpl/ob34R87/Q3apw==
=FfVE
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Sat Aug 30 00:15:41 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA04944
	for <openpgp-archive@lists.ietf.org>; Fri, 29 Aug 2003 23:26:59 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7U37Egc025246
	for <ietf-openpgp-bks@above.proper.com>; Fri, 29 Aug 2003 20:07:14 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h7U37ECY025245
	for ietf-openpgp-bks; Fri, 29 Aug 2003 20:07:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h7U37Dgc025240
	for <ietf-openpgp@imc.org>; Fri, 29 Aug 2003 20:07:13 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h7U37Bp12262
	for ietf-openpgp@imc.org; Fri, 29 Aug 2003 23:07:11 -0400
Date: Fri, 29 Aug 2003 23:07:10 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Trailing whitespace (was Re: Davis paper revisited)
Message-ID: <20030830030710.GB11925@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200308212014.h7LKEPH04252@finney.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200308212014.h7LKEPH04252@finney.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (7% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Aug 21, 2003 at 01:14:25PM -0700, Hal Finney wrote:

> However some (older?) versions of PGP don't follow the spec and don't
> ignore trailing whitespace for text-mode signed messages, while they
> do ignore it for clearsigned messages.

As far as I recall, no version of PGP ignores trailing whitespace for
textmode signed messages.  There is also a little gotcha in
clearsigned messages, as the tab character is not counted as
whitespace in PGP, while it is counted as whitespace in 2440.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAj9QFN4qGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJIA0AoJF04cF9pdFy7oiJM+8ykwRI8AbjAKCe
rmK4/3xhlChaXqOpRXSoKFwr9Q==
=cq5e
-----END PGP SIGNATURE-----
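
The whitespace mismatch described in the message above, worked through as an added example (not code from the original post, PGP, or GnuPG). It canonicalises a constructed cleartext message under both rules, one stripping trailing spaces and tabs as the message says RFC 2440 does and one stripping spaces only as the message says PGP does, and reports which lines would hash differently. All function names and the sample text are assumptions, and the digest covers the canonical text only, without the signature trailer a real implementation also hashes.

```python
import hashlib

RFC2440_WS = " \t"  # rule the message attributes to RFC 2440: space and tab
SPACE_ONLY = " "    # rule the message attributes to PGP: a trailing tab is kept


def canonical_lines(text, strip_chars):
    """Split on LF or CRLF and drop the trailing characters in strip_chars."""
    lines = text.replace("\r\n", "\n").split("\n")
    return [line.rstrip(strip_chars) for line in lines]


def signed_digest(text, strip_chars):
    """SHA-1 over the canonical text joined with CRLF line endings.

    Simplification for the example: the signature trailer is not hashed.
    """
    data = "\r\n".join(canonical_lines(text, strip_chars)).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def divergent_lines(text):
    """1-based numbers of lines the two rules canonicalise differently."""
    pairs = zip(canonical_lines(text, RFC2440_WS),
                canonical_lines(text, SPACE_ONLY))
    return [n for n, (a, b) in enumerate(pairs, start=1) if a != b]


def verifies(signed_text, signer_rule, received_text, verifier_rule):
    """True when signer and verifier end up hashing the same bytes."""
    return (signed_digest(signed_text, signer_rule)
            == signed_digest(received_text, verifier_rule))


def strip_in_transit(text):
    """Constructed stand-in for a relay or editor that trims line ends."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))


# Constructed sample: line 1 ends in a tab, line 2 in spaces, line 3 has an
# interior tab only, line 4 ends in space-tab-space.
SAMPLE = "Pay Bob 100\t\nsecond line   \ncol1\tcol2\nlast \t \n"

if __name__ == "__main__":
    print("lines that differ between the rules:", divergent_lines(SAMPLE))
    print("RFC 2440 signer, space-only verifier:",
          verifies(SAMPLE, RFC2440_WS, SAMPLE, SPACE_ONLY))
    print("space-only both ends, whitespace trimmed in transit:",
          verifies(SAMPLE, SPACE_ONLY, strip_in_transit(SAMPLE), SPACE_ONLY))
    print("RFC 2440 both ends, whitespace trimmed in transit:",
          verifies(SAMPLE, RFC2440_WS, strip_in_transit(SAMPLE), RFC2440_WS))
```

Running `divergent_lines` over text before signing is a cheap interoperability check: an empty result means both rules hash the same bytes.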



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7QJ2Pgc080042 for <ietf-openpgp-bks@above.proper.com>; Tue, 26 Aug 2003 12:02:25 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7QJ2PKn080041 for ietf-openpgp-bks; Tue, 26 Aug 2003 12:02:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from web80710.mail.yahoo.com (web80710.mail.yahoo.com [66.163.170.67]) by above.proper.com (8.12.9/8.12.8) with SMTP id h7QJ2Ogc080033 for <ietf-openpgp@imc.org>; Tue, 26 Aug 2003 12:02:24 -0700 (PDT) (envelope-from markkwilliams2000@yahoo.com)
Message-ID: <20030826190226.32097.qmail@web80710.mail.yahoo.com>
Received: from [168.143.113.102] by web80710.mail.yahoo.com via HTTP; Tue, 26 Aug 2003 12:02:26 PDT
Date: Tue, 26 Aug 2003 12:02:26 -0700 (PDT)
From: Mark Williams <markkwilliams2000@yahoo.com>
Subject: Signature extensions?
To: openpgp <ietf-openpgp@imc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi, I am working on some software where I am planning
on using OpenPGP signature formats but with some
custom extension subpackets.  Would this group be
interested in seeing these extensions documented,
perhaps in a draft informational RFC?  Is there any
chance that the extensions might eventually be adopted
into a future version of the OpenPGP specification? 
What would that procedure be?

Thanks for your help.

Mark K. Williams
markkwilliams2000@yahoo.com



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7NF9Uqt044826 for <ietf-openpgp-bks@above.proper.com>; Sat, 23 Aug 2003 08:09:30 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7NF9U4Y044825 for ietf-openpgp-bks; Sat, 23 Aug 2003 08:09:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7NF9Rqt044818 for <ietf-openpgp@imc.org>; Sat, 23 Aug 2003 08:09:28 -0700 (PDT) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian)) id 19qZtC-0006I1-00 for <ietf-openpgp@imc.org>; Sat, 23 Aug 2003 17:01:14 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian)) id 19qZyk-0006A7-00; Sat, 23 Aug 2003 17:06:58 +0200
To: Don Davis <don@mit.edu>
Cc: <vedaal@hush.com>, ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
References: <200308221442.h7MEgniM004462@mailserver1.hushmail.com> <a05100301bb6c7914adb6@[67.242.205.18]>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Sat, 23 Aug 2003 17:06:58 +0200
In-Reply-To: <a05100301bb6c7914adb6@[67.242.205.18]> (Don Davis's message of "Fri, 22 Aug 2003 22:18:55 -0400")
Message-ID: <87k7942z1p.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Fri, 22 Aug 2003 22:18:55 -0400, Don Davis said:

>   * a signed-&-encrypted message would include
>     the recipient's ID under the signature.

I came later to the conclusion that it is not gpg's task to construct
the notation data but that of a MUA.  This is because a MUA has far
better information on who are the intended recipients and a MUA can
also much better check and display such notation data.  This is
similar to the good practice to warn when a reply is about to be sent to
someone else than the original sender as indicated by the signature.

Adding this to GnuPG would overload it with functions out of its
domain.  GnuPG also does no MIME encoding and other stuff a MUA can do
better.


Salam-Shalom,

   Werner


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7N9Ztqt012093 for <ietf-openpgp-bks@above.proper.com>; Sat, 23 Aug 2003 02:35:55 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7N9ZtUi012092 for ietf-openpgp-bks; Sat, 23 Aug 2003 02:35:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h7N9Zsqt012087 for <ietf-openpgp@imc.org>; Sat, 23 Aug 2003 02:35:54 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-96-104.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.15487-0@bells.cs.ucl.ac.uk>; Sat, 23 Aug 2003 10:35:49 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: iang <iang@systemics.com>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: Davis paper revisited // separation of signed and encrypted  messages into clearsigned messages
Date: Sat, 23 Aug 2003 10:35:45 +0100
Message-ID: <007b01c36959$ee6e2eb0$68602352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <3F465A7A.A3B7C277@systemics.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> What you appear to be asking for is a recipient-based signature.

Adam Back and I proposed a way to do this in OpenPGP a few years ago...
http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7N1Guqt065212 for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 18:16:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7N1Gs7H065209 for ietf-openpgp-bks; Fri, 22 Aug 2003 18:16:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7N1Grqt065202 for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 18:16:53 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [192.168.2.235] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2.1); Fri, 22 Aug 2003 18:16:55 -0700
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Fri, 22 Aug 2003 18:16:56 -0700
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: Jon Callas <jon@callas.org>
To: <vedaal@hush.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BB6C0E98.80017688%jon@callas.org>
In-Reply-To: <200308211755.h7LHtrZe018063@mailserver1.hushmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I just want to make sure I understand this.

The problem is this:

Alice sends Bob an encrypted and signed message.

Bob decrypts the message, and then does byte-surgery to construct a
plaintext clearsigned message that the signature verifies, and anyone in the
world can read.

This is the "attack," right?

    Jon



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MI4aqt051239 for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 11:04:36 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7MI4apY051238 for ietf-openpgp-bks; Fri, 22 Aug 2003 11:04:36 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MI4Yqt051231 for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 11:04:35 -0700 (PDT) (envelope-from iang@systemics.com)
Received: from systemics.com (localhost [127.0.0.1]) by mx1.cryptohill.net (Postfix) with ESMTP id 968691C8A1; Fri, 22 Aug 2003 14:04:33 -0400 (EDT)
Message-ID: <3F465A7A.A3B7C277@systemics.com>
Date: Fri, 22 Aug 2003 14:01:30 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Cc: vedaal@hush.com
Subject: Re: Davis paper revisited  //  separation of signed and encrypted  messages into clearsigned messages
References: <200308221442.h7MEgniM004462@mailserver1.hushmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

vedaal@hush.com wrote:

> the point is,
> 
> can there be an additional packet feature that somehow distinguishes
> a signed and encrypted message, from a clearsigned one

Signed is signed, regardless of how it was then later
transmitted.

What you appear to be asking for is a recipient-based
signature.

That is, Alice and Bob can sign messages to each other,
knowing that each can verify the signatures, but they
can't reliably prove this to others.  Hence, leakages
reduce to the same status as made up claims.

(I believe this is done relatively easily with MACs based
on previous key exchanges ... but the more crypto-cognoscenti
will know.)

My essential point is that it appears that you are trying
to overload a minor formatting feature with a high level
signature meaning and purpose distinction?

Yes, sure, this could be done, but it's not the right
place for it, I would have thought.  Let's map out the
meaning of this signature first, and then think about
a) whether it is useful, and b) how to do it.

-- 
iang
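
The MAC-based approach suggested in the message above, as an added example (not code from the original post and not an OpenPGP packet format). Alice and Bob derive a pairwise key from a key exchange and authenticate messages with HMAC: each can verify the other's tag, but because both hold the same key, a tag shown to a third party could have been computed by either of them. The group parameters, names, key-derivation label and sample messages are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only: a 127-bit
# prime is far too small for real use.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def pairwise_key(my_priv, their_pub):
    """Derive the shared MAC key; both parties compute the same value."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(b"pairwise-mac-key" + shared.to_bytes(16, "big")).digest()


def _frame(*fields):
    """Length-prefix each field so field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def tag(key, sender, recipient, message):
    """HMAC over sender, recipient and message, so the recipient is bound in."""
    data = _frame(sender.encode(), recipient.encode(), message.encode())
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check(key, sender, recipient, message, mac):
    """Constant-time comparison of the expected tag against the supplied one."""
    return hmac.compare_digest(tag(key, sender, recipient, message), mac)


def demo():
    a_priv, a_pub = keypair()   # Alice
    b_priv, b_pub = keypair()   # Bob
    m_priv, _ = keypair()       # Mallory, an outsider

    k_alice = pairwise_key(a_priv, b_pub)
    k_bob = pairwise_key(b_priv, a_pub)
    k_mallory = pairwise_key(m_priv, b_pub)

    real = "Lab results attached."            # constructed message from Alice
    real_tag = tag(k_alice, "alice", "bob", real)

    # Bob holds the same key, so he can tag text Alice never wrote. The
    # result is indistinguishable from a tag Alice made, which is why a
    # leaked transcript proves nothing about authorship to a third party.
    made_up = "Text Alice never sent."
    made_up_tag = tag(k_bob, "alice", "bob", made_up)

    return {
        "keys_match": k_alice == k_bob,
        "bob_accepts_real": check(k_bob, "alice", "bob", real, real_tag),
        "bob_made_tag_checks_like_real":
            check(k_alice, "alice", "bob", made_up, made_up_tag),
        "outsider_tag_accepted":
            check(k_bob, "alice", "bob", real, tag(k_mallory, "alice", "bob", real)),
        "recipient_swap_accepted":
            check(k_bob, "alice", "carol", real, real_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```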


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MFwwqt045554 for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 08:58:58 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7MFwwJh045552 for ietf-openpgp-bks; Fri, 22 Aug 2003 08:58:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MFwvqt045546 for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 08:58:57 -0700 (PDT) (envelope-from hal@finney.org)
Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id h7MFvfm08601; Fri, 22 Aug 2003 08:57:41 -0700
Date: Fri, 22 Aug 2003 08:57:41 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200308221557.h7MFvfm08601@finney.org>
To: avbidder@fortytwo.ch, ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I agree that combinations of sign and encrypt don't really solve the
problem that the sender can have his plaintext revealed in a way that
cryptographically binds him to it via his signature.  At best we can
make it clear that this was done without his intention, but as Adrian von
Bidder points out this could be done equally well by a notation "this is
intended to be private mail from Alice to Bob" at the top of the message.

One addition: it is not necessary for the receiver to reveal his secret
key in order to prove a signature over plaintext on an E/S/E (or S/E)
message (i.e. encrypt and then sign the encryption).  He can reveal
the session key (which is used once per message and then thrown away)
and then prove it valid.  I have seen some software to do that.

I can't deny that these facts may be contrary to (some) users'
expectations, since users here have explicitly stated that these are
surprising to them.  Nevertheless these are the cryptographic realities,
and the solution is to try to improve the users' understandings of
the issue.

Now, there are cryptographic mechanisms by which Alice can send to
Bob a message which could equally have been signed by either Alice or
Bob.  Bob can't then show this around and bind it to Alice because he
could have created it as a forgery.  These are the "group", "ring"
or perhaps "designated verifier" signatures.  We discussed the possibility
of incorporating them into a (future? addendum?) spec at some point.
If people really want to send signed messages which can't be further
revealed to others, this is something we might pursue.

Hal Finney


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MEguqt038282 for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 07:42:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7MEguRC038281 for ietf-openpgp-bks; Fri, 22 Aug 2003 07:42:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7MEgtqt038274 for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 07:42:55 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [65.39.178.20]) by smtp3.hushmail.com (Postfix) with ESMTP id 0C8E610E684; Fri, 22 Aug 2003 07:42:50 -0700 (PDT)
Received: from mailserver1.hushmail.com (localhost.hushmail.com [127.0.0.1]) by mailserver1.hushmail.com (8.12.6/8.12.3) with ESMTP id h7MEgoK8004463; Fri, 22 Aug 2003 07:42:50 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: (from nobody@localhost) by mailserver1.hushmail.com (8.12.6/8.12.3/Submit) id h7MEgniM004462; Fri, 22 Aug 2003 07:42:49 -0700 (PDT)
Message-Id: <200308221442.h7MEgniM004462@mailserver1.hushmail.com>
Date: Fri, 22 Aug 2003 07:42:49 -0700
To: ietf-openpgp@imc.org
Cc: don@mit.edu
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Fri, 22 Aug 2003 01:49:23 -0700 Adrian von Bidder 

[...]

>vedaal:
>> that did not reflect the intent of the sender, who would never think
>> of posting it unencrypted.
>
>If you send sensible content to somebody you can't trust to keep it secret,
>there's no technical solution to solve that problem. Don't send that person
>any sensible content - encrypted or not.

consider the case of a high-ranking corporate employee who left a company
on unfriendly terms,

or a pt./dr. communication where, at a later date, the pt. is suing the
dr.

the content of the communication was perfectly appropriate in encrypted
form, at the time it was communicated

but,

if it is (maliciously, anonymously) posted by the receiver,
the receiver can claim that the dr. violated medical privacy issues, 
and someone in the corporation can claim that the sender 'leaked' sensitive
material to a public forum

of course, the sender can counter:

"i didn't do it !
it was a malicious reconstruction of the message by the receiver into clearsigned
form!"

but this still leaves some doubt ...

[...]


>The recipient can publish the E/S/E message without the outer encryption
>layer. Then he publishes the decrypted message and his public key. Everybody
>can then generate the encrypted message and, with the signature, verify that
>it is the same message. So this "solution" falls apart, too.

no it doesn't,

if the sender doesn't routinely encrypt to self,
then even if the receiver publishes the session key, then the 'leak'
can unequivocally be shown to be the receiver


the point is, 

can there be an additional packet feature that somehow distinguishes
a signed and encrypted message, from a clearsigned one
(which could be done in backward compatible form, where older versions
might not 'recognize/be able to interpret' the new packet, but could
decrypt anyway,
while newer versions could be used to distinguish the signature/message
type.)


with Respect,

vedaal  





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7M8ncqt011759 for <ietf-openpgp-bks@above.proper.com>; Fri, 22 Aug 2003 01:49:38 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7M8ncWt011758 for ietf-openpgp-bks; Fri, 22 Aug 2003 01:49:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.granitsoft.ch (zux221-024-146.adsl.green.ch [81.221.24.146]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7M8naqt011746 for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 01:49:37 -0700 (PDT) (envelope-from avbidder@fortytwo.ch)
Received: from ogo.granitsoft.ch (unknown [192.168.0.69]) by mail.granitsoft.ch (Postfix) with ESMTP id 90F32222EEE for <ietf-openpgp@imc.org>; Fri, 22 Aug 2003 10:49:39 +0200 (CEST)
From: Adrian von Bidder <avbidder@fortytwo.ch>
Organization: granitsoft.ch
To: ietf-openpgp@imc.org
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
Date: Fri, 22 Aug 2003 10:49:23 +0200
User-Agent: KMail/1.5.3
References: <200308212109.h7LL9CaG035600@mailserver1.hushmail.com>
In-Reply-To: <200308212109.h7LL9CaG035600@mailserver1.hushmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_XkdR/FXlJ4cCxll"; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200308221049.27927.avbidder@fortytwo.ch>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--Boundary-02=_XkdR/FXlJ4cCxll
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

[People, why can't you use a sensible mailer who produces In-Reply-To or
References header?]

...
vedaal:
> that did not reflect the intent of the sender, who would never think
> of posting it unencrypted.

If you send sensible content to somebody you can't trust to keep it secret,
there's no technical solution to solve that problem. Don't send that person
any sensible content - encrypted or not.

If you S/E/S the message, you can still strip the outer signature and the
encryption and get a perfectly readable signed message. True, there could be
some indication that the inner signature was part of a S/E/S message - but in
the original case, the sender could put a notice 'this is a confidential
message and was sent encrypted' in the message text.

IIRC E/S/E had some other significant drawback, somebody will certainly point
it out here, but it would "solve" that particular problem. But I don't think
that it does achieve more than putting 'this is a confidential message' in
the signed body:

The recipient can publish the E/S/E message without the outer encryption
layer. Then he publishes the decrypted message and his public key. Everybody
can then generate the encrypted message and, with the signature, verify that
it is the same message. So this "solution" falls apart, too.

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/gpg/subkeys

--Boundary-02=_XkdR/FXlJ4cCxll
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iKcEABECAGcFAj9F2RdgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l6p24AoInzgHwRdZZNdF+9VMVlB/b5
k7DnAKC1cuLE/l7e9j/uW8ZIpRdt1qAcbQ==
=SewE
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e

--Boundary-02=_XkdR/FXlJ4cCxll--



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LL9Iqt057234 for <ietf-openpgp-bks@above.proper.com>; Thu, 21 Aug 2003 14:09:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7LL9IAT057233 for ietf-openpgp-bks; Thu, 21 Aug 2003 14:09:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LL9Gqt057219 for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 14:09:17 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [65.39.178.20]) by smtp3.hushmail.com (Postfix) with ESMTP id 4EAE310E567 for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 14:09:12 -0700 (PDT)
Received: from mailserver1.hushmail.com (localhost.hushmail.com [127.0.0.1]) by mailserver1.hushmail.com (8.12.6/8.12.3) with ESMTP id h7LL9CK8035601 for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 14:09:12 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: (from nobody@localhost) by mailserver1.hushmail.com (8.12.6/8.12.3/Submit) id h7LL9CaG035600 for ietf-openpgp@imc.org; Thu, 21 Aug 2003 14:09:12 -0700 (PDT)
Message-Id: <200308212109.h7LL9CaG035600@mailserver1.hushmail.com>
Date: Thu, 21 Aug 2003 14:09:12 -0700
To: ietf-openpgp@imc.org
Cc: 
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Thu, 21 Aug 2003 13:14:25 -0700 Hal Finney <hal@finney.org> wrote:

[...]

>> [1] is there any way to distinguish the composite reconstruction forgery
>> from a 'real' de novo clearsigned message ?
>
>I disagree that this is a forgery.  Rather, it is a reformatting

[...]

it is a forgery only in the sense, that if it were, for example, posted
anonymously by someone else,
then there could be circumstances where people viewing it might be upset
that such a message that should have been (and was) encrypted,
was posted as a public clearsigned message.

the term 'forgery' was meant to imply, that the message could be changed
in a way
that did not reflect the intent of the sender, who would never think
of posting it unencrypted.


in a sense, it is the same as the Davis re-encryption, which also does
not reflect the intent of the sender to send it to the third party

but, 

in the case of re-encryption to another receiver, the sender can take
precautions of addressing the 'real' intended receiver by name in the
message plaintext.

while in the case of the clearsigned reconstruction, there is no such
precaution to demonstrate that the sender never intended sending an open
message
(short of the E,(S&E) solution)

vedaal



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LKFeqt054898 for <ietf-openpgp-bks@above.proper.com>; Thu, 21 Aug 2003 13:15:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7LKFePf054897 for ietf-openpgp-bks; Thu, 21 Aug 2003 13:15:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LKFdqt054892 for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 13:15:39 -0700 (PDT) (envelope-from hal@finney.org)
Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id h7LKEPH04252; Thu, 21 Aug 2003 13:14:25 -0700
Date: Thu, 21 Aug 2003 13:14:25 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200308212014.h7LKEPH04252@finney.org>
To: ietf-openpgp@imc.org, vedaal@hush.com
Subject: Re: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Vedaal writes:

> have been able to separate a signed and encrypted message into a freestanding
> verifiable clearsigned message
>
> have put up the example here:
> http://www.angelfire.com/pr/pgpf/sclsf.html

Makes sense, signed messages are signed messages.

> would like to ask:
>
> [1] is there any way to distinguish the composite reconstruction forgery
> from a 'real' de novo clearsigned message ?

I disagree that this is a forgery.  Rather, it is a reformatting (plus
you have stripped off an encryption layer).  Generally, the hashing
rules for text-mode signed messages (as you have in your encrypted and
signed message) and clearsigned messages are the same.

However some (older?) versions of PGP don't follow the spec and don't
ignore trailing whitespace for text-mode signed messages, while they
do ignore it for clearsigned messages.  So if you had a message with
trailing whitespace and created a text-mode signed message (or a signed
and encrypted message) using such a version of PGP, it would not verify
when converted to a clearsigned message.  However such messages would
tend to have verification difficulties anyway due to this variation
from the spec.

> [2] is there a difference between GnuPG and PGP in the way a message
> is clearsigned, as opposed to signed and encrypted,
> that might distinguish the forged composite, from a real clearsigned
> message?

Again I would say "reformatted" rather than "forged".  These are just
two different formats for signed messages.  Except for the variation I
mentioned above I think that the two are hashed the same for GPG and PGP.

> while the Davis paper describes separating and re-encrypting,
> it doesn't deal with separating into a freestanding clearsigned message.

I saw some code to do this somewhere a while back.  It's trivial, once
you strip off the encryption layer and leave the text-mode signed message,
to convert it to a clearsigned message.  Just wrap the literal payload
in the appropriate BEGIN PGP headers, and base64 encode the signature
packet.

Hal
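Added example, not part of the message above and not code from PGP or GnuPG: a Python sketch of the hashing rule the message describes, showing that a text-mode signed literal payload and its clearsigned rendering feed the same text to the hash, and that the match breaks for an implementation that keeps trailing whitespace in text mode. The function names, the sample text and the `strip_trailing_ws` switch are assumptions made for illustration.

```python
import hashlib


def signed_text_from_literal(payload: bytes, strip_trailing_ws: bool = True) -> bytes:
    """Text fed to the hash for a text-mode signature over a literal payload.

    strip_trailing_ws=False models the non-conforming behaviour described in
    the message above (trailing whitespace kept for text-mode signatures).
    """
    lines = payload.replace(b"\r\n", b"\n").split(b"\n")
    if strip_trailing_ws:
        lines = [ln.rstrip(b" \t") for ln in lines]
    return b"\r\n".join(lines)


def signed_text_from_cleartext(message: str) -> bytes:
    """Text fed to the hash for a clearsigned message.

    Takes the lines between the blank line that ends the "Hash:" headers and
    the signature armor, undoes dash-escaping, drops trailing whitespace and
    joins with CRLF. The line ending before the signature armor is not part
    of the signed text.
    """
    lines = message.replace("\r\n", "\n").split("\n")
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    blank = lines.index("", start)
    end = lines.index("-----BEGIN PGP SIGNATURE-----", blank)
    body = []
    for ln in lines[blank + 1:end]:
        if ln.startswith("- "):          # dash-escaped line
            ln = ln[2:]
        body.append(ln.rstrip(" \t").encode("utf-8"))
    return b"\r\n".join(body)


# Constructed sample: the first line carries two trailing spaces, the second
# starts with a dash and is therefore dash-escaped in the cleartext form.
LITERAL_PAYLOAD = b"meet at noon  \r\n- bring the draft\r\nthanks"
CLEARTEXT = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    "meet at noon  ",
    "- - bring the draft",
    "thanks",
    "-----BEGIN PGP SIGNATURE-----",
    "(signature packet in base64, omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
])


def compare() -> dict:
    """Compare the hashed text of both formats.

    The real signature hash continues with the signature packet's own trailer
    fields; those come from the same signature packet in both formats, so
    comparing the text part is enough to predict whether verification agrees.
    """
    clear = hashlib.sha1(signed_text_from_cleartext(CLEARTEXT)).hexdigest()
    conforming = hashlib.sha1(signed_text_from_literal(LITERAL_PAYLOAD)).hexdigest()
    nonconforming = hashlib.sha1(
        signed_text_from_literal(LITERAL_PAYLOAD, strip_trailing_ws=False)
    ).hexdigest()
    return {
        "conforming_match": conforming == clear,
        "nonconforming_match": nonconforming == clear,
    }


if __name__ == "__main__":
    print(compare())
```

Nothing in the hashed input records whether the signed text travelled inside an encryption layer, which is why the two formats cannot be told apart by the signature alone.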


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LHv4qt045410 for <ietf-openpgp-bks@above.proper.com>; Thu, 21 Aug 2003 10:57:04 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7LHv4DI045409 for ietf-openpgp-bks; Thu, 21 Aug 2003 10:57:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7LHv2qt045401 for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 10:57:02 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: from mailserver1.hushmail.com (mailserver1.hushmail.com [65.39.178.20]) by smtp3.hushmail.com (Postfix) with ESMTP id 3D5A710E77E for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 10:55:53 -0700 (PDT)
Received: from mailserver1.hushmail.com (localhost.hushmail.com [127.0.0.1]) by mailserver1.hushmail.com (8.12.6/8.12.3) with ESMTP id h7LHtrK8018064 for <ietf-openpgp@imc.org>; Thu, 21 Aug 2003 10:55:53 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: (from nobody@localhost) by mailserver1.hushmail.com (8.12.6/8.12.3/Submit) id h7LHtrZe018063 for ietf-openpgp@imc.org; Thu, 21 Aug 2003 10:55:53 -0700 (PDT)
Message-Id: <200308211755.h7LHtrZe018063@mailserver1.hushmail.com>
Date: Thu, 21 Aug 2003 10:55:53 -0700
To: ietf-openpgp@imc.org
Cc: 
Subject: Davis paper revisited  //  separation of signed and encrypted messages into clearsigned messages
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

have been able to separate a signed and encrypted message into a freestanding
verifiable clearsigned message

have put up the example here:
http://www.angelfire.com/pr/pgpf/sclsf.html

(the keys and messages are in 3des, idea is not necessary )

would like to ask:

[1] is there any way to distinguish the composite reconstruction forgery
from a 'real' de novo clearsigned message ?

[2] is there a difference between GnuPG and PGP in the way a message
is clearsigned, as opposed to signed and encrypted,
that might distinguish the forged composite, from a real clearsigned
message?

while the Davis paper describes separating and re-encrypting,
it doesn't deal with separating into a freestanding clearsigned message.

tia,

vedaal





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7B457qt079865 for <ietf-openpgp-bks@above.proper.com>; Sun, 10 Aug 2003 21:05:07 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7B457Tk079864 for ietf-openpgp-bks; Sun, 10 Aug 2003 21:05:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sea.h2np.net (sea.h2np.net [220.110.1.194]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7B455qt079851 for <ietf-openpgp@imc.org>; Sun, 10 Aug 2003 21:05:05 -0700 (PDT) (envelope-from hironobu@h2np.net)
Received: from lax.h2np.net ([220.110.1.195] helo=mail.h2np.net) by sea.h2np.net with esmtp (H2NP Email Service (Exim 3.35)) id 19m3vZ-0008Vh-00; Mon, 11 Aug 2003 13:05:01 +0900
From: Hironobu SUZUKI <hironobu@h2np.net>
To: ietf-openpgp@imc.org
cc: pgp-keyserver-folk@flame.org, keysignings@alt.org, gnupg-users@gnupg.org, pgp-users@pgp.iijlab.net
Reply-To: hironobu@h2np.net
Subject: OpenPGP BOF at CRYPTO 2003
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Date: Mon, 11 Aug 2003 13:04:58 +0900
Message-Id: <E19m3vZ-0008Vh-00@sea.h2np.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi,  

OpenPGP BOF and PGP Keysigning will be held at CRYPTO 2003 Tuesday
afternoon (14:00-15:30 Tuesday August 19, 2003).  I hope to see you
soon.

See more details:

  CRYPTO 2003
  http://www.iacr.org/conferences/crypto2003/
  
  OpenPGP BOF and PGP Keysigning
  http://www.iacr.org/conferences/crypto2003/content.html

----

    *  Hironobu SUZUKI <hironobu@h2np.net>, OpenPGP BOF           

    I'm an author of an OpenPGP public keyserver, a.k.a.
    OpenPKSD. Sometimes, I'd like to ask PGP, GPG and other public
    keyserver developers about their activities, because keyservers have
    to work with other keyserver implementations, PGP/GPG tools,
    etc.  Also I'd like to discuss ideas about OpenPGP and keyservers.
    An informal face-to-face meeting of OpenPGP at CRYPTO 2003 is a good
    chance to know what is going on around OpenPGP.  If you have an idea
    and/or proposal for the OpenPGP BOF, feel free to contact
    <crypto2003-bof@openpksd.org>.

    * PGP Keysigning
 
    After the OpenPGP BOF, in the same room, will be a PGP keysigning
    gathering, where PGP users can identify themselves and take away
    verified PGP key fingerprints for subsequent signing, enhancing
    the PGP Web of Trust.
---

---
Hironobu SUZUKI
E-Mail: hironobu@h2np.net
URL: http://h2np.net


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h78Fl5qt037066 for <ietf-openpgp-bks@above.proper.com>; Fri, 8 Aug 2003 08:47:05 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h78Fl5CP037065 for ietf-openpgp-bks; Fri, 8 Aug 2003 08:47:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp1.kodak.com (smtp1.kodak.com [192.232.121.200]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h78Fl4qt037060 for <ietf-openpgp@imc.org>; Fri, 8 Aug 2003 08:47:04 -0700 (PDT) (envelope-from john.dlugosz@kodak.com)
Received: from knotes2.kodak.com (ko-knotes2.ekc1.ekc.kodak.com [150.221.122.53]) by smtp1.kodak.com (8.11.3/8.11.1) with ESMTP id h78Fl1P13705; Fri, 8 Aug 2003 11:47:01 -0400 (EDT)
Subject: Re: signature woes and reconciliation, examples appreciated
To: hal@finney.org
Cc: ietf-openpgp@imc.org
X-Mailer: Lotus Notes Release 5.0.5  September 22, 2000
Message-ID: <OF1E4ADCFA.ABB75C9D-ON86256D7C.00569C8A@kodak.com>
From: john.dlugosz@kodak.com
Date: Fri, 8 Aug 2003 10:46:59 -0500
X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.11  |July 24, 2002) at 08/08/2003 11:47:01 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Adding "...in the same hash context" would probably be enough, as hash
contexts are explained in the key stretching section.  Of course, adding
pseudocode would not hurt.


"Hal Finney" <hal@finney.org>
Sent by: owner-ietf-openpgp@mail.imc.org
07/31/2003 07:15 PM

To:      ietf-openpgp@imc.org, poiboy@SAFe-mail.net
cc:
Subject: Re: signature woes and reconciliation, examples appreciated

> From: poiboy@SAFe-mail.net
> I recently ran into trouble trying to calculate the hash needed to
> verify a GnuPG (1.2.2) v3 DSA one-pass signature with my pet Python
> hopeful-implementation-to-be.

I've had someone else run into the same problem interpreting this part of
the spec.  The language about "first you hash this, then you hash that,
then you hash this other thing" seems very natural to me (I wrote much of
it after all), working with a programming interface where you pass data
incrementally into a hash context object.  But other people interpret
it as you did, that you produce a hash of the first part, then a hash
of the second part, then a hash of the third part, and somehow combine
these hashes together to get the final signature.

Hal Finney
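Added example, not part of the messages above and not code from any OpenPGP implementation: the two readings of the hashing language side by side for a v3 signature, where the data is followed by the one-octet signature type and the four-octet creation time. The function names and sample values are assumptions, and the two-octet check value is constructed here where a verifier would read it from the signature packet.

```python
import hashlib
import struct


def v3_trailer(sig_type: int, created: int) -> bytes:
    """The five octets hashed after the data: signature type, creation time."""
    return bytes([sig_type]) + struct.pack(">I", created)


def digest_one_context(chunks, sig_type: int, created: int, algo: str = "sha1") -> bytes:
    """Intended reading: every piece is fed, in order, into ONE hash context."""
    ctx = hashlib.new(algo)
    for chunk in chunks:                 # data may arrive incrementally
        ctx.update(chunk)
    ctx.update(v3_trailer(sig_type, created))
    return ctx.digest()


def digest_of_digests(chunks, sig_type: int, created: int, algo: str = "sha1") -> bytes:
    """The misreading: hash each part on its own, then combine the hashes."""
    trailer = v3_trailer(sig_type, created)
    parts = [
        hashlib.new(algo, b"".join(chunks)).digest(),
        hashlib.new(algo, trailer[:1]).digest(),
        hashlib.new(algo, trailer[1:]).digest(),
    ]
    return hashlib.new(algo, b"".join(parts)).digest()


def quick_check(digest: bytes, left16: bytes) -> bool:
    """Compare against the 'left 16 bits of signed hash value' field.

    A mismatch here tells an implementer that the hash input is wrong before
    any public-key operation is attempted.
    """
    return digest[:2] == left16


# Constructed sample values.
DATA_CHUNKS = [b"hello, ", b"world\r\n"]
SIG_TYPE = 0x00                          # signature of a binary document
CREATED = 1059693300                     # constructed timestamp
# Stand-in for the two-octet field a verifier reads from the signature packet.
LEFT16 = digest_one_context(DATA_CHUNKS, SIG_TYPE, CREATED)[:2]


if __name__ == "__main__":
    good = digest_one_context(DATA_CHUNKS, SIG_TYPE, CREATED)
    bad = digest_of_digests(DATA_CHUNKS, SIG_TYPE, CREATED)
    print("one context   :", good.hex(), quick_check(good, LEFT16))
    print("hash of hashes:", bad.hex(), quick_check(bad, LEFT16))
```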







Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75N5uqt044363 for <ietf-openpgp-bks@above.proper.com>; Tue, 5 Aug 2003 16:05:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h75N5u0q044362 for ietf-openpgp-bks; Tue, 5 Aug 2003 16:05:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75N5tqt044354 for <ietf-openpgp@imc.org>; Tue, 5 Aug 2003 16:05:56 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h75N5q914250 for ietf-openpgp@imc.org; Tue, 5 Aug 2003 19:05:52 -0400
Date: Tue, 5 Aug 2003 19:05:52 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: multiple signature packets
Message-ID: <20030805230552.GA14127@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200308051426.h75EQ4Qv047597@mailserver2.hushmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200308051426.h75EQ4Qv047597@mailserver2.hushmail.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Gibbous (57% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Aug 05, 2003 at 07:26:04AM -0700, vedaal@hush.com wrote:

> On Mon, 04 Aug 2003 17:03:57 -0700 David Shaw <dshaw@jabberwocky.com>
> wrote:
> 
> [...]
> 
> >> are multiple simultaneous signatures acceptable Open PGP behavior
> >?
> >
> >The first example you gave was of a nested one-pass signature, and
> >the
> >second example was a clearsigned message with two signatures after
> >it.
> >
> >While it is unfortunate that 6.5.8 can't handle them, both of these
> >constructions are legal in OpenPGP (as per sections 5.4 and 7).
> 
> 6.5.8 can handle all except the clearsigned messages
> (btw, 7.xx acts like 8, and handles everything)
> 
> is there a gnupg command syntax that would allow for a nested one
> pass signature during clearsigning ?

There is no such concept.  All clear signatures by their nature (being
a signature that can be processed in one pass, by specifying the hash
before the data begins) are one pass.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8wOFAACgkQ4mZch0nhy8lJswCg4H3jOkLMfA19pIXP9kukC6FG
v1QAn2pO8kwtkgPaWy5+fFUXB1vjMkw3
=n8Hu
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75EQBqt013151 for <ietf-openpgp-bks@above.proper.com>; Tue, 5 Aug 2003 07:26:11 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h75EQBvT013150 for ietf-openpgp-bks; Tue, 5 Aug 2003 07:26:11 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75EQAqt013144 for <ietf-openpgp@imc.org>; Tue, 5 Aug 2003 07:26:10 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: from mailserver2.hushmail.com (mailserver2.hushmail.com [65.39.178.21]) by smtp3.hushmail.com (Postfix) with ESMTP id 8316484BA for <ietf-openpgp@imc.org>; Tue,  5 Aug 2003 07:26:04 -0700 (PDT)
Received: from mailserver2.hushmail.com (localhost.hushmail.com [127.0.0.1]) by mailserver2.hushmail.com (8.12.6/8.12.3) with ESMTP id h75EQ4Ks047598 for <ietf-openpgp@imc.org>; Tue, 5 Aug 2003 07:26:04 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: (from nobody@localhost) by mailserver2.hushmail.com (8.12.6/8.12.3/Submit) id h75EQ4Qv047597 for ietf-openpgp@imc.org; Tue, 5 Aug 2003 07:26:04 -0700 (PDT)
Message-Id: <200308051426.h75EQ4Qv047597@mailserver2.hushmail.com>
Date: Tue,  5 Aug 2003 07:26:04 -0700
To: ietf-openpgp@imc.org
Cc: 
Subject: Re: multiple signature packets
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, 04 Aug 2003 17:03:57 -0700 David Shaw <dshaw@jabberwocky.com>
wrote:

[...]

>> are multiple simultaneous signatures acceptable Open PGP behavior ?
>
>The first example you gave was of a nested one-pass signature, and the
>second example was a clearsigned message with two signatures after it.
>
>While it is unfortunate that 6.5.8 can't handle them, both of these
>constructions are legal in OpenPGP (as per sections 5.4 and 7).

6.5.8 can handle all except the clearsigned messages
(btw, 7.xx acts like 8, and handles everything)

is there a gnupg command syntax that would allow for a nested one pass
signature during clearsigning ?

(not suggesting it, as 6.5.8 can handle the armored signing, so it is
compatible enough,
but am curious if it could somehow be done)

tia,

vedaal







Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h750jFqt049689 for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 17:45:15 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h750jEuL049688 for ietf-openpgp-bks; Mon, 4 Aug 2003 17:45:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h750jDqt049682 for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 17:45:14 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [63.73.97.181] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2.1); Mon, 4 Aug 2003 17:45:15 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Mon, 04 Aug 2003 17:45:19 -0700
Subject: Re: Clarification needed on compressed messages
From: Jon Callas <jon@callas.org>
To: David Shaw <dshaw@jabberwocky.com>, OpenPGP <ietf-openpgp@imc.org>
CC: Michael Young <mwy-opgp97@the-youngs.org>
Message-ID: <BB544C2F.800163DA%jon@callas.org>
In-Reply-To: <20030802213753.GC1916@jabberwocky.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 8/2/03 2:37 PM, "David Shaw" <dshaw@jabberwocky.com> wrote:

> I'd like to change that to:
> 
> Literal Message :- Literal Data Packet |
>                    Literal Message, Literal Data Packet.
> 
> The draft, as it stands now, is internally inconsistent.  I'd like to
> fix that.

Changed.

    Jon



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75042qt048409 for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 17:04:02 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h75042ch048407 for ietf-openpgp-bks; Mon, 4 Aug 2003 17:04:02 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75040qt048398 for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 17:04:01 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h7503vi02844 for ietf-openpgp@imc.org; Mon, 4 Aug 2003 20:03:57 -0400
Date: Mon, 4 Aug 2003 20:03:57 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: multiple signature packets
Message-ID: <20030805000357.GA1246@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (46% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Aug 04, 2003 at 02:41:18PM -0700, vedaal@hush.com wrote:
> 
> 
> have recently received a clearsigned PGP message that was signed
> simultaneously with two different PGP keys,
> but it caused 6.5.8ckt (build 8) to crash
> 
> the double signed messages can easily be generated from gnupg (command
> line only),
> but (afaik) not from pgp, even from the command line (2.x or 6.x)
> 
> have put up examples here:
> http://www.angelfire.com/pr/pgpf/dspm.html
> 
> have found that the double signed messages were not a problem in pgp
> 8 under any circumstances, and were not a problem for 6.5.8 as long
> as they weren't clearsigned

[..]

> {sort of cool, actually,   i wish it could be done from pgp ;-)   }
> 
> are multiple simultaneous signatures acceptable Open PGP behavior ?

The first example you gave was of a nested one-pass signature, and the
second example was a clearsigned message with two signatures after it.

While it is unfortunate that 6.5.8 can't handle them, both of these
constructions are legal in OpenPGP (as per sections 5.4 and 7).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8u9G0ACgkQ4mZch0nhy8n9AQCfQgBmYrp9w+XVRr6w1itT95K5
jA8AnjslYItmndfDO4dJOmtK+H8S5XAZ
=C1wB
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75026qt048309 for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 17:02:06 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h75026ax048308 for ietf-openpgp-bks; Mon, 4 Aug 2003 17:02:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h75025qt048302 for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 17:02:05 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [63.73.97.181] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2.1); Mon, 4 Aug 2003 17:02:04 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Mon, 04 Aug 2003 17:02:07 -0700
Subject: Re: multiple signature packets
From: Jon Callas <jon@callas.org>
To: <vedaal@hush.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BB54420F.800163CA%jon@callas.org>
In-Reply-To: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 8/4/03 2:41 PM, "vedaal@hush.com" <vedaal@hush.com> wrote:

> are multiple simultaneous signatures acceptable Open PGP behavior ?

I almost said no.

However, the grammar says yes.

   OpenPGP Message :- Encrypted Message | Signed Message |
                      Compressed Message | Literal Message.

   Compressed Message :- Compressed Data Packet.

   Literal Message :- Literal Data Packet.

   ESK :- Public Key Encrypted Session Key Packet |
          Symmetric-Key Encrypted Session Key Packet.

   ESK Sequence :- ESK | ESK Sequence, ESK.

   Encrypted Data :- Symmetrically Encrypted Data Packet |
         Symmetrically Encrypted Integrity Protected Data Packet

   Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data.

   One-Pass Signed Message :- One-Pass Signature Packet,
               OpenPGP Message, Corresponding Signature Packet.

   Signed Message :- Signature Packet, OpenPGP Message |
               One-Pass Signed Message.


    Jon
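Added example, not part of the message above and not code from any OpenPGP implementation: a recursive-descent recognizer for the grammar as quoted, run over packet sequences to show that nested signatures are accepted and how a parser can reject malformed or excessively nested input with an error. The symbolic packet names (a real parser works on packet tags) and the `MAX_NESTING` limit are assumptions of this example.

```python
ESK = {"PKESK", "SKESK"}      # encrypted session key packets
ENC = {"SED", "SEIPD"}        # encrypted data packets
MAX_NESTING = 16              # assumed limit, so hostile input cannot exhaust the stack


class GrammarError(ValueError):
    """The packet sequence is not an OpenPGP Message under the quoted grammar."""


def parse_message(pkts, i=0, depth=0):
    """Consume one OpenPGP Message at pkts[i].

    Returns (index after the message, number of signature layers around it).
    """
    if depth > MAX_NESTING:
        raise GrammarError("nesting too deep")
    if i >= len(pkts):
        raise GrammarError("unexpected end of packet sequence")
    p = pkts[i]
    if p in ("LIT", "COMP"):
        # Literal Message / Compressed Message: one packet each. The contents
        # of a compressed packet would be parsed again after decompression.
        return i + 1, 0
    if p in ESK or p in ENC:
        # Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data.
        while i < len(pkts) and pkts[i] in ESK:
            i += 1
        if i >= len(pkts) or pkts[i] not in ENC:
            raise GrammarError("ESK sequence without encrypted data")
        return i + 1, 0
    if p == "SIG":
        # Signed Message :- Signature Packet, OpenPGP Message
        j, layers = parse_message(pkts, i + 1, depth + 1)
        return j, layers + 1
    if p == "OPS":
        # One-Pass Signed Message :- One-Pass Signature Packet,
        #     OpenPGP Message, Corresponding Signature Packet.
        j, layers = parse_message(pkts, i + 1, depth + 1)
        if j >= len(pkts) or pkts[j] != "SIG":
            raise GrammarError("one-pass signature without its signature packet")
        return j + 1, layers + 1
    raise GrammarError(f"unexpected packet {p!r}")


def signature_layers(pkts):
    """Validate a whole packet sequence; return how many signatures wrap it."""
    end, layers = parse_message(list(pkts))
    if end != len(pkts):
        raise GrammarError("trailing packets after the message")
    return layers


if __name__ == "__main__":
    # Constructed sequences: a nested one-pass signature with two signers,
    # and a one-pass signature whose signature packet is missing.
    for seq in (["OPS", "OPS", "LIT", "SIG", "SIG"], ["OPS", "LIT"]):
        try:
            print(seq, "->", signature_layers(seq), "signature layer(s)")
        except GrammarError as exc:
            print(seq, "-> rejected:", exc)
```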



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h74LfPqt039266 for <ietf-openpgp-bks@above.proper.com>; Mon, 4 Aug 2003 14:41:25 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h74LfPNq039265 for ietf-openpgp-bks; Mon, 4 Aug 2003 14:41:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.33]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h74LfOqt039257 for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 14:41:24 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: from mailserver3.hushmail.com (mailserver3.hushmail.com [65.39.178.45]) by smtp3.hushmail.com (Postfix) with ESMTP id 2FF606FF9 for <ietf-openpgp@imc.org>; Mon,  4 Aug 2003 14:41:19 -0700 (PDT)
Received: from mailserver3.hushmail.com (localhost [127.0.0.1]) by mailserver3.hushmail.com (8.12.6/8.12.3) with ESMTP id h74LfIvo041087 for <ietf-openpgp@imc.org>; Mon, 4 Aug 2003 14:41:18 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: (from nobody@localhost) by mailserver3.hushmail.com (8.12.6/8.12.3/Submit) id h74LfIsZ041086 for ietf-openpgp@imc.org; Mon, 4 Aug 2003 14:41:18 -0700 (PDT)
Message-Id: <200308042141.h74LfIsZ041086@mailserver3.hushmail.com>
Date: Mon,  4 Aug 2003 14:41:18 -0700
To: ietf-openpgp@imc.org
Cc: 
Subject: multiple signature packets
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

have recently received a clearsigned PGP message that was signed
simultaneously with two different PGP keys,
but it caused 6.5.8ckt (build 8) to crash

the double signed messages can easily be generated from gnupg (command line only),
but (afaik) not from pgp, even from the command line (2.x or 6.x)

have put up examples here:
http://www.angelfire.com/pr/pgpf/dspm.html

have found that the double signed messages were not a problem in pgp 8
under any circumstances,
and were not a problem for 6.5.8 as long as they weren't clearsigned

would like to request confirmation of this from anyone who uses 6.5.8 or 7.x


the double signed message can be very useful in the following specific situation:

if someone wants to sign and encrypt to two different people, but, for whatever reason,
exchanged one key with one recipient and another key with another, and
doesn't want to have the keys uploaded to a server,

then, by double signing, the sender can have the message verified
independently with different keys for different receivers

{sort of cool, actually,   i wish it could be done from pgp ;-)   }

are multiple simultaneous signatures acceptable Open PGP behavior ?

tia,

vedaal







Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h72Lcwqt036363 for <ietf-openpgp-bks@above.proper.com>; Sat, 2 Aug 2003 14:38:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h72LcwDK036362 for ietf-openpgp-bks; Sat, 2 Aug 2003 14:38:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from s-utl01-lanoc.stsn.com (p11.n-lapop01.stsn.com [12.129.240.11]) by above.proper.com (8.12.9/8.12.8) with SMTP id h72Lcwqt036356 for <ietf-openpgp@imc.org>; Sat, 2 Aug 2003 14:38:58 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com ([63.240.218.56]) by s-utl01-lanoc.stsn.com (NAVGW 2.5.2.9) with SMTP id M2003080214381503483 for <ietf-openpgp@imc.org>; Sat, 02 Aug 2003 14:38:15 -0700
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h72LbrL03045; Sat, 2 Aug 2003 17:37:53 -0400
Date: Sat, 2 Aug 2003 17:37:53 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Cc: Michael Young <mwy-opgp97@the-youngs.org>
Subject: Re: Clarification needed on compressed messages
Message-ID: <20030802213753.GC1916@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org, Michael Young <mwy-opgp97@the-youngs.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com> <001a01c35854$53754f80$2ac52609@transarc.ibm.com> <20030801192728.GK27440@jabberwocky.com> <000c01c35936$2ce33660$c801a8c0@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <000c01c35936$2ce33660$c801a8c0@transarc.ibm.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (22% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Aug 02, 2003 at 04:39:26PM -0400, Michael Young wrote:

> > Come to think, your suggestion of using a compressed data packet to
> > encapsulate could be useful here as well:
> > ENCRYPTED(COMPRESSED(LITERAL+LITERAL)).
> 
> Yes, it's pretty clear that this is legal.  The grammar doesn't
> cover the contents of compressed packets, so the language in
> section 5.6 would seem to govern.  (Curiously, that section
> suggests that COMPRESSED packets might live directly in
> signatures, which is what kicked off this whole discussion.)

Well, I agree with your end result, but I'm not quite sure I agree
with the path you took to get there.  In fact, the grammar *does*
cover the contents of compressed and encrypted packets:

   In addition, decrypting a Symmetrically Encrypted Data Packet or a
   Symmetrically Encrypted Integrity Protected Data Packet as well as
   decompressing a Compressed Data packet must yield a valid OpenPGP
   Message.

Thus, COMPRESSED(LITERAL+LITERAL) is valid only if LITERAL+LITERAL is
valid.

So what this all comes down to is that 5.6 says that
COMPRESSED(LITERAL+LITERAL) is a valid construction.  10.2 says that
LITERAL+LITERAL isn't a valid construction.  Conflict: they can't both
be right.  Repeat as needed for section 5.7 and 5.13 - the problem is
identical.

This is why I have been suggesting a minor change to 10.2 to make it
match 5.6, 5.7 and 5.13:

The current draft says:

 Literal Message :- Literal Data Packet.

I'd like to change that to:

  Literal Message :- Literal Data Packet |
                     Literal Message, Literal Data Packet.

The draft, as it stands now, is internally inconsistent.  I'd like to
fix that.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8sLzEACgkQ4mZch0nhy8nF2ACcCGxT6zaF+RWSKIy4eW51J5Q/
WssAoMRmxE8K+gr9f77ZN/5RgqV/9HwD
=riai
-----END PGP SIGNATURE-----
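
Added example (not part of David Shaw's message or of the draft): a small Python checker for the packet-sequence grammar argued over above, run once with the draft's `Literal Message :- Literal Data Packet.` rule and once with the proposed recursive rule. Packets are modelled as symbolic tuples, the other productions follow the constructions named in this thread (SIG+OBJECT, ONEPASS+OBJECT+SIG, ENCRYPTED(...), COMPRESSED(...)), and every name in the code is hypothetical.

```python
# Symbolic packets: (kind, contents). Only container packets have contents.
LITERAL = ("LITERAL", None)
SIG = ("SIG", None)
ONEPASS = ("ONEPASS", None)
ESK = ("ESK", None)          # encrypted session key packet


def COMPRESSED(*inner):
    return ("COMPRESSED", list(inner))


def ENCRYPTED(*inner):
    return ("ENCRYPTED", list(inner))


def parse_message(pkts, i, multi_literal):
    """Consume one OpenPGP Message starting at index i.

    Returns the index just past the message, or None if no valid
    message starts at i. multi_literal=False is the draft's 10.2 rule,
    multi_literal=True is the proposed recursive Literal Message rule.
    """
    if i >= len(pkts):
        return None
    kind, inner = pkts[i]

    if kind == "LITERAL":
        i += 1
        # Proposed rule: Literal Message :- Literal Message, Literal Data Packet.
        while multi_literal and i < len(pkts) and pkts[i][0] == "LITERAL":
            i += 1
        return i

    if kind == "COMPRESSED":
        # Decompressing must itself yield a valid OpenPGP Message.
        return i + 1 if is_valid_message(inner, multi_literal) else None

    if kind in ("ESK", "ENCRYPTED"):
        while i < len(pkts) and pkts[i][0] == "ESK":
            i += 1
        if i < len(pkts) and pkts[i][0] == "ENCRYPTED":
            # Decrypting must itself yield a valid OpenPGP Message.
            if is_valid_message(pkts[i][1], multi_literal):
                return i + 1
        return None

    if kind == "SIG":
        # Old style: Signature Packet, OpenPGP Message.
        return parse_message(pkts, i + 1, multi_literal)

    if kind == "ONEPASS":
        # One-pass: One-Pass Signature, OpenPGP Message, Signature.
        j = parse_message(pkts, i + 1, multi_literal)
        if j is not None and j < len(pkts) and pkts[j][0] == "SIG":
            return j + 1
        return None

    return None


def is_valid_message(pkts, multi_literal=False):
    """True if the whole packet list is exactly one OpenPGP Message."""
    return parse_message(pkts, 0, multi_literal) == len(pkts)


def compare(pkts):
    """Return (valid under draft rule, valid under proposed rule)."""
    return is_valid_message(pkts, False), is_valid_message(pkts, True)


if __name__ == "__main__":
    cases = {
        "COMPRESSED(LITERAL+LITERAL)": [COMPRESSED(LITERAL, LITERAL)],
        "ENCRYPTED(COMPRESSED(LITERAL+LITERAL))":
            [ESK, ENCRYPTED(COMPRESSED(LITERAL, LITERAL))],
        "ONEPASS+LITERAL+LITERAL+SIG": [ONEPASS, LITERAL, LITERAL, SIG],
        "SIG+COMPRESSED(LITERAL)": [SIG, COMPRESSED(LITERAL)],
        "ONEPASS+COMPRESSED(SIG)+SIG": [ONEPASS, COMPRESSED(SIG), SIG],
    }
    for name, pkts in cases.items():
        draft, proposed = compare(pkts)
        print(f"{name:42} draft={draft!s:5} proposed={proposed}")
```

Because the containment rule is applied recursively, the single change to the Literal Message production is what decides every nested case.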


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h72KfQqt035062 for <ietf-openpgp-bks@above.proper.com>; Sat, 2 Aug 2003 13:41:26 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h72KfQ3X035061 for ietf-openpgp-bks; Sat, 2 Aug 2003 13:41:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mta5.adelphia.net (mta5.adelphia.net [64.8.50.187]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h72KfOqt035055 for <ietf-openpgp@imc.org>; Sat, 2 Aug 2003 13:41:25 -0700 (PDT) (envelope-from mwy-opgp97@the-youngs.org)
Received: from mwyoung ([24.48.48.86]) by mta5.adelphia.net (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP id <20030802204121.MSOJ12687.mta5.adelphia.net@mwyoung> for <ietf-openpgp@imc.org>; Sat, 2 Aug 2003 16:41:21 -0400
Message-ID: <000c01c35936$2ce33660$c801a8c0@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com> <001a01c35854$53754f80$2ac52609@transarc.ibm.com> <20030801192728.GK27440@jabberwocky.com>
Subject: Re: Clarification needed on compressed messages
Date: Sat, 2 Aug 2003 16:39:26 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"David Shaw" <dshaw@jabberwocky.com> writes:
> > > The ONEPASS method can also easily handle such constructions as
> > > ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.
... [to which I replied, and then he replied again:]
> It's not clear whether it is permitted now or not.
...
> The general question of multiple packets (whether in a one-pass
> signature, compressed data packet, or encrypted data packet) is
> somewhat hazy in the draft.  Speaking only about literal packets for
> now, sections 5.6, 5.7, and 5.13 all say yes (using the plural
> "literal data packets").  Section 10.2 says no.

Those sections refer to sequences inside compressed and the two
flavors of encrypted data packets (respectively), not signatures.
My claim that this is not allowed for signatures was based on the
grammar in 10.2.

...
> Come to think, your suggestion of using a compressed data packet to
> encapsulate could be useful here as well:
> ENCRYPTED(COMPRESSED(LITERAL+LITERAL)).

Yes, it's pretty clear that this is legal.  The grammar doesn't
cover the contents of compressed packets, so the language in
section 5.6 would seem to govern.  (Curiously, that section
suggests that COMPRESSED packets might live directly in
signatures, which is what kicked off this whole discussion.)

I don't really think that sequences of LITERAL packets are a good
thing.  I really don't like them for general archiving, as they don't
carry nearly enough information.  I also see no reason to avoid using
an external archiver (tar, zip, or any of many others).  I was going
to argue against allowing sequences of LITERAL because they complicate
decryption: implementations will likely want to provide a user
interface to control which LITERALs should be processed.  But then,
David pointed out that we already have this problem inside COMPRESSED
packets.  I'd be happy to withdraw that ability, but I'm sure others
will object, so I'll admit defeat in advance.

[Note that one can always encrypt each file separately, and if you're
worried about the public-key encryption cost, your implementation
could reuse the session key (but not IV) during multiple-file
encryption, and recognize that case on decryption.  I'm not advocating
this -- I prefer using a real (external) archiver instead -- but
simply pointing out an option that would be "conservative in what you
generate".]

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPywhaec3iHYL8FknEQK7KgCg+o9TKREgePvovRFhSNYP+Uze1IsAn0hW
yHRBYP/QoAZHfEFayhrg1iqm
=lgjq
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71L0wqt026112 for <ietf-openpgp-bks@above.proper.com>; Fri, 1 Aug 2003 14:00:58 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h71L0weH026111 for ietf-openpgp-bks; Fri, 1 Aug 2003 14:00:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71L0vqt026102 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 14:00:58 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h71L0sb03814 for ietf-openpgp@imc.org; Fri, 1 Aug 2003 17:00:54 -0400
Date: Fri, 1 Aug 2003 17:00:54 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Location of 'key expiration time' signature subpacket
Message-ID: <20030801210054.GN27440@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <127733008.1058276254@ABC1234567890>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <127733008.1058276254@ABC1234567890>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (10% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 15, 2003 at 01:37:34PM -0400, Edwin Woudt wrote:
> 
> While implementing key expiration, I noticed that the 'key expiration time' 
> signature subpacket (#9) is put in self certification signatures instead of 
> in (self signed) direct key signature.
> 
> Why is that?
> 
> I find it more logical to put it in a direct key signature, as it says 
> nothing about the user id that is self signed. In fact, given multiple user 
> id's, putting it in self certification signatures could even result in 
> conflicting information.

It is legal to put the key expiration in a direct key signature, but
I'm not sure why it isn't regularly done that way.  Possibly because
it was done that way a long time ago and there was no dramatic reason
to change.

In any event, GnuPG does accept a key expiration set from a direct key
signature.  I'm not sure about PGP.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8q1QYACgkQ4mZch0nhy8kIQgCfdej18CmdSGvoe82yZNZsfny+
Y+AAn3zfIA/EREHN9yjjg2ouRvG4qh8G
=S29u
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71JRYqt018680 for <ietf-openpgp-bks@above.proper.com>; Fri, 1 Aug 2003 12:27:34 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h71JRYLY018679 for ietf-openpgp-bks; Fri, 1 Aug 2003 12:27:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71JRWqt018636 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 12:27:33 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h71JRTj02897; Fri, 1 Aug 2003 15:27:29 -0400
Date: Fri, 1 Aug 2003 15:27:29 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Cc: Michael Young <mwy-opgp97@the-youngs.org>
Subject: Re: Clarification needed on compressed messages
Message-ID: <20030801192728.GK27440@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org, Michael Young <mwy-opgp97@the-youngs.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com> <001a01c35854$53754f80$2ac52609@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <001a01c35854$53754f80$2ac52609@transarc.ibm.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (10% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Aug 01, 2003 at 01:42:47PM -0400, Michael Young wrote:

> > The ONEPASS method can also easily handle such constructions as
> > ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.
> 
> Only for non-signature OBJECTs.

True.  There would have to be some encapsulation in that case, perhaps
using your compressed packet suggestion:
ONEPASS+COMPRESSED(SIG)+SIG.

> I'd rather not complicate the rules any further to allow this
> construction.  (It is not permitted now.)

It's not clear whether it is permitted now or not.

The general question of multiple packets (whether in a one-pass
signature, compressed data packet, or encrypted data packet) is
somewhat hazy in the draft.  Speaking only about literal packets for
now, sections 5.6, 5.7, and 5.13 all say yes (using the plural
"literal data packets").  Section 10.2 says no.

I actually requested a clarification whether LITERAL+LITERAL was valid
a few weeks ago: http://www.imc.org/ietf-openpgp/mail-archive/msg05537.html

The reason why I was thinking about LITERAL+LITERAL in the first place
was Jon Callas' comments about OpenPGP as an archival primitive.  It
would be Very Useful to be able to store more than one file into a
single OpenPGP message.  I don't think OpenPGP should be setting out
to replace tar or zip, but it's handy nonetheless.  An archive program
with strong encryption whose results can be de-archived with any
OpenPGP program is compelling.

Note that both PGP and GnuPG already do the right thing with
ENCRYPTED(LITERAL+LITERAL) messages.

Google says Hal Finney argued for this interpretation in 2000:
 http://cert.uni-stuttgart.de/archive/ietf-openpgp/2000/05/msg00032.html

All that said, I think that LITERAL+LITERAL should probably be legal,
but either way, the draft shouldn't say both yes and no.

Come to think, your suggestion of using a compressed data packet to
encapsulate could be useful here as well:
ENCRYPTED(COMPRESSED(LITERAL+LITERAL)).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8qvyAACgkQ4mZch0nhy8mQHgCdGDPXUDnlZqvzdH6eqg0/IhUP
LFIAn27XCXC/+sxIFjQgesBpX2h57Pmf
=53vx
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71HkIqt012821 for <ietf-openpgp-bks@above.proper.com>; Fri, 1 Aug 2003 10:46:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h71HkI0g012820 for ietf-openpgp-bks; Fri, 1 Aug 2003 10:46:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailhost.transarc.ibm.com (bi-03pt1.bluebird.ibm.com [129.42.208.172]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71HkGqt012808 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 10:46:16 -0700 (PDT) (envelope-from mwy-opgp97@the-youngs.org)
Received: from mwyoung (dhcp-197-42.transarc.ibm.com [9.38.197.42]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id NAA19378 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 13:46:12 -0400 (EDT)
Message-ID: <001a01c35854$53754f80$2ac52609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com> <20030801165159.GI27440@jabberwocky.com>
Subject: Re: Clarification needed on compressed messages
Date: Fri, 1 Aug 2003 13:42:47 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"David Shaw" <dshaw@jabberwocky.com> writes:
> It's not just signing the COMPRESSED packet.  Using Derek's
> interpretation, you can also do possibly useful things as
> sign-encrypt-sign or encrypt-sign-encrypt a message and have the
> parser handle it automatically.
...
> I suppose the user could create
> LITERAL(SIGN(ENCRYPT(SIGN(LITERAL(x))))) or
> LITERAL(ENCRYPT(SIGN(ENCRYPT(LITERAL(x))))) and sign that, but we're
> getting complex again since the parser shouldn't be looking inside a
> *literal* packet for more OpenPGP data to parse.

I'd use COMPRESSED (with no compression) here instead, which
generally are parsed for other packets.  But, I agree that this
looks messy for SES or ESE applications.

I can live with the special case.  (The fact that the new
implementation conformed to Derek's rule provides further persuasion.)

> I agree, but on the subject of the SIG+LITERAL (or SIG+OPENPGPOBJECT)
> format, I'd actually like to see it deprecated (in the "understand
> this, but please don't generate it" sense).  The ONEPASS signature
> method is far superior, and we can at least start the slow process of
> getting all implementations to use it.

I concur.

> The ONEPASS method can also easily handle such constructions as
> ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.

Only for non-signature OBJECTs.

I'd rather not complicate the rules any further to allow this
construction.  (It is not permitted now.)

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPyqmjuc3iHYL8FknEQJq/gCcD7g29C4DxhPxYL2T8R1wRyrH/w0AnAl9
I9Pmkrp6sXv4nq8gU0XstLVX
=D06R
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71Gq5qt010851 for <ietf-openpgp-bks@above.proper.com>; Fri, 1 Aug 2003 09:52:05 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h71Gq4Nd010850 for ietf-openpgp-bks; Fri, 1 Aug 2003 09:52:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71Gq3qt010839 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 09:52:04 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h71Gpxv01059 for ietf-openpgp@imc.org; Fri, 1 Aug 2003 12:51:59 -0400
Date: Fri, 1 Aug 2003 12:51:59 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Clarification needed on compressed messages
Message-ID: <20030801165159.GI27440@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com> <000701c35841$01833380$2ac52609@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <000701c35841$01833380$2ac52609@transarc.ibm.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (10% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Aug 01, 2003 at 11:24:30AM -0400, Michael Young wrote:

> Derek Atkins wrote:
> > I believe it is the intent, and in the SIG+(COMPRESSED(LITERAL) the
> > SIG should be issued over the COMPRESSED(LITERAL).  The only special
> > case that I know of is SIG+LITERAL, where the SIG is over the data
> > inside the literal and doesn't include the literal packet itself.
> 
> to which "David Shaw" <dshaw@jabberwocky.com> responds:
> > This sounds very reasonable to me.  I think a word or two to make that
> > clear in the draft would be helpful: something that indicates that
> 
> I have mixed feelings about Derek's interpretation, but if that's
> the intent, then I agree with David that this must be made clear
> in the draft.  There is definitely a special case here.
> 
> Why mixed feelings?  On the one hand, I don't like special cases.  I
> also find it surprising that one would want to sign the COMPRESSED
> packet.  (It's less to hash, but that hardly seems meaningful.)

It's not just signing the COMPRESSED packet.  Using Derek's
interpretation, you can also do possibly useful things as
sign-encrypt-sign or encrypt-sign-encrypt a message and have the
parser handle it automatically.

The special case (and I agree it is a special case) doesn't bother me
too much.  I agree it would have been nice if the signature had always
been over the complete literal packet, headers and all, but history
ruled otherwise.

It is not terribly complicated to say "always hash the complete
OpenPGP object unless it is a literal packet, in which case hash the
contents".  As you point out, if an implementation wanted to force
signing the complete literal packet, it could just encapsulate the
literal packet into a compressed data packet.

> On the other hand, it is a little disturbing that the LITERAL
> packet headers are ignored, and including them in the signature (by
> way of hashing the entire COMPRESSED packet) would overcome that
> deficiency.
> 
> Note that both of my concerns could be addressed by a different rule
> that has no special case: the signature hash is computed over the
> CONTENTS of the FOLLOWING packet (*not* recursively).  In the original
> PGP case, this would be the contents of the literal packet.  In the
> COMPRESSED(LITERAL(x)) case, it would be the LITERAL(x).  [One could
> use an "uncompressed" COMPRESSED packet to intentionally capture the
> LITERAL header information.]

This seems a bit like simplifying the hashing rule by adding
complexity somewhere else.  For starters, we would lose the current
ability to do encrypt-sign-encrypt (the signature would become
effectively a detached signature over the encrypted data) and
sign-encrypt-sign (the outer signature would become a notary signature
in effect).

I suppose the user could create
LITERAL(SIGN(ENCRYPT(SIGN(LITERAL(x))))) or
LITERAL(ENCRYPT(SIGN(ENCRYPT(LITERAL(x))))) and sign that, but we're
getting complex again since the parser shouldn't be looking inside a
*literal* packet for more OpenPGP data to parse.

> Whatever we do, I expect that
>     ONEPASS COMPRESSED(LITERAL(x)) SIGNATURE
> would be treated the same as
>     OLD-SIG COMPRESSED(LITERAL(x))
> Reasonable?

I agree, but on the subject of the SIG+LITERAL (or SIG+OPENPGPOBJECT)
format, I'd actually like to see it deprecated (in the "understand
this, but please don't generate it" sense).  The ONEPASS signature
method is far superior, and we can at least start the slow process of
getting all implementations to use it.

The ONEPASS method can also easily handle such constructions as
ONEPASS+OBJECT+OBJECT+OBJECT+SIG, which SIG+OBJECT cannot.

> Before passing final judgement, I'd be curious to know what the
> known implementation that uses SIG+COMPRESSED(LITERAL(x)) did
> with the construct?  What did it sign?

It signed COMPRESSED(LITERAL(x)) - the whole packet.  Note also that
PGP can correctly verify such a message, so Derek's interpretation is
supported by working code... though possibly because Derek worked on
the PGP parser at one point. ;)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8qmq8ACgkQ4mZch0nhy8lMvQCgpWjFDvsaBIuDtyNGu/zeFQXI
7wkAn3995O7VDr4SnG1M9IneUfpGgRe6
=GGO2
-----END PGP SIGNATURE-----
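
Added example (not part of the message above and not taken from any implementation): Python that builds real old-format LITERAL and COMPRESSED packets and returns the document bytes a signature would hash under the two rules debated here, the "complete object unless it is a literal packet" rule and Michael Young's "contents of the following packet, not recursively" rule. It shows that the LITERAL header (file name, date) is only covered once the literal is wrapped in a COMPRESSED packet. Function names and sample data are constructed for illustration, and the signature-packet trailer that a real signature also hashes is left out.

```python
import struct
import zlib

TAG_COMPRESSED, TAG_LITERAL = 8, 11


def packet(tag, body):
    """Frame body as an old-format packet with a definite length."""
    n = len(body)
    if n < 0x100:
        return bytes([0x80 | (tag << 2) | 0, n]) + body
    if n < 0x10000:
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", n) + body
    return bytes([0x80 | (tag << 2) | 2]) + struct.pack(">I", n) + body


def literal(data, filename=b"", mtime=0):
    """LITERAL packet: format 'b', name length, name, 4-octet date, data."""
    body = b"b" + bytes([len(filename)]) + filename + struct.pack(">I", mtime)
    return packet(TAG_LITERAL, body + data)


def compressed(inner, algo=0):
    """COMPRESSED packet: algorithm octet (0 none, 1 ZIP, 2 ZLIB) + data."""
    if algo == 0:
        payload = inner
    elif algo == 1:
        c = zlib.compressobj(wbits=-15)      # raw deflate
        payload = c.compress(inner) + c.flush()
    elif algo == 2:
        payload = zlib.compress(inner)
    else:
        raise ValueError("unsupported compression algorithm")
    return packet(TAG_COMPRESSED, bytes([algo]) + payload)


def split(pkt):
    """Return (tag, body) for one old-format packet filling all of pkt."""
    ctb = pkt[0]
    if (ctb & 0xC0) != 0x80 or (ctb & 3) == 3:
        raise ValueError("only old-format, definite-length packets handled")
    size = 1 << (ctb & 3)                    # 1, 2 or 4 length octets
    n = int.from_bytes(pkt[1:1 + size], "big")
    body = pkt[1 + size:]
    if len(body) != n:
        raise ValueError("length field does not match packet size")
    return (ctb >> 2) & 0x0F, body


def literal_data(body):
    """Strip format octet, file name and date from a LITERAL body."""
    return body[2 + body[1] + 4:]


def decompress(body):
    algo, payload = body[0], body[1:]
    if algo == 0:
        return payload
    if algo == 1:
        return zlib.decompress(payload, -15)
    if algo == 2:
        return zlib.decompress(payload)
    raise ValueError("unsupported compression algorithm")


def hashed_bytes(pkt, rule):
    """Document bytes fed to the signature hash for the packet after SIG."""
    tag, body = split(pkt)
    if rule == "whole-object":
        # Complete object, header and all, unless it is a literal packet.
        return literal_data(body) if tag == TAG_LITERAL else pkt
    if rule == "contents":
        # Contents of the following packet only, one level deep. For a
        # literal this is read as the data, matching original PGP.
        if tag == TAG_LITERAL:
            return literal_data(body)
        return decompress(body) if tag == TAG_COMPRESSED else body
    raise ValueError("unknown rule")


def header_covered(rule, wrap):
    """Does changing only the LITERAL file name change the hashed bytes?"""
    a = literal(b"pay 10", b"invoice.txt")   # constructed sample data
    b = literal(b"pay 10", b"invoice.exe")
    if wrap:
        a, b = compressed(a), compressed(b)
    return hashed_bytes(a, rule) != hashed_bytes(b, rule)


if __name__ == "__main__":
    for rule in ("whole-object", "contents"):
        for wrap in (False, True):
            shape = "SIG+COMPRESSED(LITERAL)" if wrap else "SIG+LITERAL"
            print(f"{rule:12} {shape:24} header covered: "
                  f"{header_covered(rule, wrap)}")
```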


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71FQNqt006694 for <ietf-openpgp-bks@above.proper.com>; Fri, 1 Aug 2003 08:26:23 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h71FQNqu006693 for ietf-openpgp-bks; Fri, 1 Aug 2003 08:26:23 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailhost.transarc.ibm.com (bi-03pt1.bluebird.ibm.com [129.42.208.172]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h71FQLqt006686 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 08:26:21 -0700 (PDT) (envelope-from mwy-opgp97@the-youngs.org)
Received: from mwyoung (dhcp-197-42.transarc.ibm.com [9.38.197.42]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id LAA19268 for <ietf-openpgp@imc.org>; Fri, 1 Aug 2003 11:26:20 -0400 (EDT)
Message-ID: <000701c35841$01833380$2ac52609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <20030730173458.GH614@jabberwocky.com> <sjmfzkn7q98.fsf@kikki.mit.edu> <20030801031917.GA24835@jabberwocky.com>
Subject: Re: Clarification needed on compressed messages
Date: Fri, 1 Aug 2003 11:24:30 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derek Atkins wrote:
> I believe it is the intent, and in the SIG+(COMPRESSED(LITERAL) the
> SIG should be issued over the COMPRESSED(LITERAL).  The only special
> case that I know of is SIG+LITERAL, where the SIG is over the data
> inside the literal and doesn't include the literal packet itself.

to which "David Shaw" <dshaw@jabberwocky.com> responds:
> This sounds very reasonable to me.  I think a word or two to make that
> clear in the draft would be helpful: something that indicates that

I have mixed feelings about Derek's interpretation, but if that's
the intent, then I agree with David that this must be made clear
in the draft.  There is definitely a special case here.

Why mixed feelings?  On the one hand, I don't like special cases.  I
also find it surprising that one would want to sign the COMPRESSED
packet.  (It's less to hash, but that hardly seems meaningful.)
On the other hand, it is a little disturbing that the LITERAL
packet headers are ignored, and including them in the signature (by
way of hashing the entire COMPRESSED packet) would overcome that
deficiency.

Note that both of my concerns could be addressed by a different rule
that has no special case: the signature hash is computed over the
CONTENTS of the FOLLOWING packet (*not* recursively).  In the original
PGP case, this would be the contents of the literal packet.  In the
COMPRESSED(LITERAL(x)) case, it would be the LITERAL(x).  [One could
use an "uncompressed" COMPRESSED packet to intentionally capture the
LITERAL header information.]

Whatever we do, I expect that
    ONEPASS COMPRESSED(LITERAL(x)) SIGNATURE
would be treated the same as
    OLD-SIG COMPRESSED(LITERAL(x))
Reasonable?

Of course, adopting the "be liberal in what you accept" principle, an
implementation *could* do parallel hashes against all of these
possibilities, and report what got signed :-).

Before passing final judgement, I'd be curious to know what the
known implementation that uses SIG+COMPRESSED(LITERAL(x)) did
with the construct?  What did it sign?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPyqGHec3iHYL8FknEQLQKgCg9eogHTyrFk+G2/eov95/ThLCit0An3ce
UflAjBQJLf3j45hrL8wfA9yx
=Clak
-----END PGP SIGNATURE-----



