same key or RFC misinterpretation?

David Shaw dshaw@jabberwocky.com
Wed Mar 12 23:20:01 2003


--DrWhICOqskFTAXiy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Mar 12, 2003 at 03:50:52PM -0500, Jason Harris wrote:

> The pubkey packets (for the first two keys) differ by +1 (0x9f + 1 =3D 0x=
a0):
>=20
> 9c9
> < 00000080  db a0 94 0d 65 26 4d fd  22 49 4b 00 a0 5f bd c0  |....e&M."I=
K.._..|
> ---
> > 00000080  db a0 94 0d 65 26 4d fd  22 49 4b 00 9f 5f bd c0  |....e&M."I=
K.._..|
>=20
> which pgpdump says is due to the size of q (must be 0, and in the leading
> bit):
>=20
> 6c6
> <       DSA q(160 bits) - 5f bd c0 de a2 b7 2a a3 5a 92 b4 91 7d 53 50 7e=
 5f a1 d7 9f=20
> ---
> >       DSA q(159 bits) - 5f bd c0 de a2 b7 2a a3 5a 92 b4 91 7d 53 50 7e=
 5f a1 d7 9f=20

[..]

> RFC 2440 (bis-06) says:
>=20
>   A V4 fingerprint is the 160-bit SHA-1 hash of the one-octet Packet
>   Tag, followed by the two-octet packet length, followed by the entire
>   Public Key packet starting with the version field.  The key ID is
>=20
>=20
> Which is the correct method?

What you quoted from the RFC is correct, though slightly misleading
since the "one-octet Packet Tag" is always 0x99 regardless of the
actual packet tag.  See
http://www.imc.org/ietf-openpgp/mail-archive/msg05004.html for more on
this.

It's an interesting example, but I don't think it is a bug anywhere.
It looks like you have three copies of the same key, and two of the
three are corrupt.  If a key is corrupt, you'd want and expect the
fingerprint to be different, and any signatures to break (which they
have).  It is interesting that GnuPG's MPI code is capable of handling
one of the corrupt keys.  I haven't looked at exactly why, but MPIs
are not supposed to have leading zeroes, so perhaps the MPI parser in
GnuPG was compensating.

David

--DrWhICOqskFTAXiy
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+b7Kz4mZch0nhy8kRAilKAKDNijoMerHVdHtcB0CrTY+bTCMZOQCgtE3J
9r8FIgYn+vwkHhCgSVaQ5Y0=
=v1Xc
-----END PGP SIGNATURE-----

--DrWhICOqskFTAXiy--