From gniibe at fsij.org  Mon Sep  2 05:27:04 2013
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 02 Sep 2013 12:27:04 +0900
Subject: True RNG and GnuPG / libgcrypt (was: NeuG 0.11)
In-Reply-To: <1377157444.3419.8.camel@cfw2.gniibe.org>
References: <1377157444.3419.8.camel@cfw2.gniibe.org>
Message-ID: <1378092424.3168.5.camel@cfw2.gniibe.org>

I have a question about support of hardware RNG and GnuPG / libgcrypt.

I develop NeuG, my own True RNG implementation.  It is Free Software
for embedded MCU, specifically, STM32F103.  It is possible to use the
routine as a standalone device, and free hardware design by me is
also available.

When I test (at least for each release), I collect 64GiB of output and
test by NIST STS 2.1.1, Dieharder 3.31.1.  Recently, it is also tested
by PractRand 0.90.  I don't know if it's good to address, but it is
also tested by TestU01, too.  (Note that TestU01 is not free software.)

I think that the quality of random output is good enough.  Currently,
I use the output through the interface of /dev/random on GNU/Linux.

There are two issues for me, now.

  (1) I don't find any method to feed entropy (for /dev/random) on
      *BSD system

  (2) It would be better for an application to use the standalone
      device directly, not through /dev/random

Please let me know any related information about those issues. And...

How do you think about supporting hardware RNG by GnuPG / libgcrypt?


			*	*	*

FYI, here's the information about NeuG to /dev/random.

Standalone device of NeuG can be used to feed entropy to /dev/random.
I have following files for that:

============================== /etc/udev/rules.d/90-neug.rules
KERNEL=="ttyACM[0-9]*", SUBSYSTEMS=="usb", ACTION=="add", \
    ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0001", \
    RUN+="/etc/udev/ctrl_rng.sh"

SUBSYSTEMS=="usb", ACTION=="remove", \
    ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0001", \
    RUN+="/etc/udev/ctrl_rng.sh"
==============================

============================== /etc/udev/ctrl_rng.sh
#! /bin/sh

PIDFILE=/var/run/rngd.pid

case "$ACTION" in
add)
  stty -F $DEVNAME raw -echo -parenb
  /usr/sbin/rngd --fill-watermark=90% --feed-interval=1 --rng-device=$DEVNAME
  ;;
remove)
  # This will be called twice, since there are two interfaces for the device.
  # Called once for 10/0/0, another for 2/2/1.
  if [ x$INTERFACE = x"2/2/1" -a -f $PIDFILE ]; then
      kill -SIGTERM `cat $PIDFILE`
      rm -f $PIDFILE
  else
      exit 0
  fi
  ;;
esac

exit 0
==============================

That's for automatically connecting NeuG standalone device to RNGD,
when plugged.
-- 




From gniibe at fsij.org  Mon Sep  2 06:07:44 2013
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 02 Sep 2013 13:07:44 +0900
Subject: True RNG and GnuPG / libgcrypt (was: NeuG 0.11)
In-Reply-To: <1378092424.3168.5.camel@cfw2.gniibe.org>
References: <1377157444.3419.8.camel@cfw2.gniibe.org>
 <1378092424.3168.5.camel@cfw2.gniibe.org>
Message-ID: <1378094864.3168.7.camel@cfw2.gniibe.org>

Replying to my own question:

On 2013-09-02 at 12:27 +0900, NIIBE Yutaka wrote:
> How do you think about supporting hardware RNG by GnuPG / libgcrypt?

It seems that easiest way to support hardware RNG (without touching
libgcrypt) is to use the EGD (Entropy Gathering Daemon) interface, and
to write a helper daemon which accesses hardware RNG and provides its
random data through the interface.
-- 




From users.giulietta at gmail.com  Tue Sep  3 22:53:54 2013
From: users.giulietta at gmail.com (Tone Kastlunger)
Date: Tue, 3 Sep 2013 23:53:54 +0300
Subject: gpg-agent miscoordination on homedir
Message-ID: <CAHCc5YV7ZOZeBb7onAoMTkuuZ0aGEa9V-eHd+9UhP4APt93ZWw@mail.gmail.com>

Hi;
apparently gpg-agent has indeed some issues with non-standard homedirs

I have been trying to get gpg4win to work over gpgme;
but passphrase dialog was not showing in my project and bad passphrase was
always raised.

It kept puzzling me until after alot of googling around I reached this:

http://lists.gnupg.org/pipermail/gnupg-users/2012-April/044138.html

Basically what I did in my project is to set a custom home directory via
gpgme_ctx_set_engine_info;

pre-starting the gpg-agent with the same argumes as the gpgme would PLUS the
 --homedir set to the same value passed to gpgme_ctx_set_engine_info fixed
the issue and made the pass entry dialog show correctly.

I think it might have something to do with the gpg-agent not finding the
socket descriptor.

Best,
tortoisedoc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130903/9c5871c9/attachment.html>

From users.giulietta at gmail.com  Wed Sep  4 07:52:35 2013
From: users.giulietta at gmail.com (Tone Kastlunger)
Date: Wed, 4 Sep 2013 08:52:35 +0300
Subject: gpg-agent miscoordination on homedir
In-Reply-To: <CAHCc5YV7ZOZeBb7onAoMTkuuZ0aGEa9V-eHd+9UhP4APt93ZWw@mail.gmail.com>
References: <CAHCc5YV7ZOZeBb7onAoMTkuuZ0aGEa9V-eHd+9UhP4APt93ZWw@mail.gmail.com>
Message-ID: <CAHCc5YUK52H+ezkTqpv42c6zy2ZePmMCbpfhq-S4HMYSNPdOXQ@mail.gmail.com>

Few more details:
gpgme used to generate symmetric encryption with gpgme_op_encrypt;
version is latest gpg4win.

Best,
tortoisedoc


On Tue, Sep 3, 2013 at 11:53 PM, Tone Kastlunger
<users.giulietta at gmail.com>wrote:

> Hi;
> apparently gpg-agent has indeed some issues with non-standard homedirs
>
> I have been trying to get gpg4win to work over gpgme;
> but passphrase dialog was not showing in my project and bad passphrase was
> always raised.
>
> It kept puzzling me until after alot of googling around I reached this:
>
> http://lists.gnupg.org/pipermail/gnupg-users/2012-April/044138.html
>
> Basically what I did in my project is to set a custom home directory via
> gpgme_ctx_set_engine_info;
>
> pre-starting the gpg-agent with the same argumes as the gpgme would PLUS
> the
>  --homedir set to the same value passed to gpgme_ctx_set_engine_info fixed
> the issue and made the pass entry dialog show correctly.
>
> I think it might have something to do with the gpg-agent not finding the
> socket descriptor.
>
> Best,
> tortoisedoc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130904/15561e3c/attachment-0001.html>

From amk at amk.ca  Fri Sep  6 15:31:59 2013
From: amk at amk.ca (A.M. Kuchling)
Date: Fri, 6 Sep 2013 09:31:59 -0400
Subject: How to help with GnuPG documentation?
Message-ID: <20130906133159.GA67631@DATLANDREWK.local>

I'd like to help with updating GnuPG's documentation and/or the web
site.  What tasks need to be done?  I'm happy to write new material,
check that existing text and examples are still correct for GnuPG 2,
convert the documentation from one format to another, update the FAQ,
etc.

For example, I noticed the GNU Privacy Handbook has a copyright date
of 1999.  Does it need updating for current versions of GnuPG?  If yes,
where is the master Texinfo source?  I've been unable to locate it.

(My writing background: I've written some pieces of the official
Python documentation, such as the What's New in Python 2.x and some of
the HOWTOs, but now am looking for a new documentation project to work
on.)

Thanks!

--amk


From orion at cora.nwra.com  Fri Sep  6 22:54:11 2013
From: orion at cora.nwra.com (Orion Poplawski)
Date: Fri, 6 Sep 2013 20:54:11 +0000 (UTC)
Subject: Should pinentry use libassuan and/or libgcrypt?
Message-ID: <loom.20130906T224811-300@post.gmane.org>

Please pardon this naive question.  From a packaging standpoint, I was
trying to determine if pinentry "bundles" libassuan and/or parts of
libgcrypt (as secmem).  Apparently there is a "stripped down" libassuan in
assuan/, and it has a secmem/ directory which I think provides functionality
that is in libgcrypt.

Is there a technical reason to do it this way rather than using libassuan
and libgcrypt directly?  Naively I'm thinking that reusing security
sensitive code via a library would be better than copies of source code
making for multiple places to fix issues.

- Orion 



From wk at gnupg.org  Sat Sep  7 12:24:30 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 07 Sep 2013 12:24:30 +0200
Subject: Should pinentry use libassuan and/or libgcrypt?
In-Reply-To: <loom.20130906T224811-300@post.gmane.org> (Orion Poplawski's
 message of "Fri, 6 Sep 2013 20:54:11 +0000 (UTC)")
References: <loom.20130906T224811-300@post.gmane.org>
Message-ID: <87eh91gc9t.fsf@vigenere.g10code.de>

On Fri,  6 Sep 2013 22:54, orion at cora.nwra.com said:

> Please pardon this naive question.  From a packaging standpoint, I was
> trying to determine if pinentry "bundles" libassuan and/or parts of
> libgcrypt (as secmem).  Apparently there is a "stripped down"

Right - very stripped down.

> Is there a technical reason to do it this way rather than using libassuan
> and libgcrypt directly?  Naively I'm thinking that reusing security
> sensitive code via a library would be better than copies of source code
> making for multiple places to fix issues.

Nope: The goal is to make Pinentry as small as possible so that it can
be easily audited and regression in libraries don't reflect badly on it.
We don't need anything from Libgcrypt.  It is just a coincidence that
both try to protect malloced data from being paged out.  We could even
get rid of that if only the swap space would be encrypted.



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Sat Sep  7 12:45:11 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 07 Sep 2013 12:45:11 +0200
Subject: How to help with GnuPG documentation?
In-Reply-To: <20130906133159.GA67631@DATLANDREWK.local> (A. M. Kuchling's
 message of "Fri, 6 Sep 2013 09:31:59 -0400")
References: <20130906133159.GA67631@DATLANDREWK.local>
Message-ID: <87zjrogbbc.fsf@vigenere.g10code.de>

Hi,

On Fri,  6 Sep 2013 15:31, amk at amk.ca said:
> I'd like to help with updating GnuPG's documentation and/or the web
> site.  What tasks need to be done?  I'm happy to write new material,
> check that existing text and examples are still correct for GnuPG 2,
> convert the documentation from one format to another, update the FAQ,

Right, the documentation is pretty old.  There are a lot of open tasks;
see below.

> For example, I noticed the GNU Privacy Handbook has a copyright date
> of 1999.  Does it need updating for current versions of GnuPG?  If yes,
> where is the master Texinfo source?  I've been unable to locate it.

The problem with the GPH is that we put it under the GNU FDL which turns
out to be a real problem for reuse.  I'd love to change this to
CC-by-sa/GPL - I just have not come around to ask the FSF to allow for
that.  I have recently been in contact with Mike Ashley, who wrote the
GPH and he agrees that this will be good move.

There is also another book: The Gpg4win Compendium (German and English
version) which has quite some interesting stuff in it.  It suffers from
the same FDL problem.  Here I already contacted the copyright holders
and it seems that we will eventually be able to change the license.

The most important thing to do is to give the www.gnupg.org a fresh
look.  The site is based on WML which is not exactly easy to maintained
or use.  I have already started to change that by converting the
rendered HTML pages to org-mode.  Most existing pages have now been
converted but a menu system and a new CSS is missing.  I have not yet
pushed the new org-mode based pages but can do this soon.  Although we
need to maintain the old links (because they are references a lot) we
should add some more information targeted to an average use.  For the
old pages a simple note at the top, that the info below is probably out
of dated will make sense.

The FAQ has been converted to org-mode and is part of GnuPG proper; it
is easy to update but it needs more stuff.  Fortunately Robert Hansen
worked on a new FAQ and we should merge the existing stuff with his new
answers.



Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From rjh at sixdemonbag.org  Sat Sep  7 14:26:42 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 07 Sep 2013 08:26:42 -0400
Subject: How to help with GnuPG documentation?
In-Reply-To: <87zjrogbbc.fsf@vigenere.g10code.de>
References: <20130906133159.GA67631@DATLANDREWK.local>
 <87zjrogbbc.fsf@vigenere.g10code.de>
Message-ID: <522B1B82.40402@sixdemonbag.org>

On 9/7/2013 6:45 AM, Werner Koch wrote:
> The FAQ has been converted to org-mode and is part of GnuPG proper; it
> is easy to update but it needs more stuff.  Fortunately Robert Hansen
> worked on a new FAQ and we should merge the existing stuff with his new
> answers.

Further, there's a github repository for it:

	https://github.com/rjhansen/gpgfaq

I was under the impression it was going to be a total rewrite rather
than a merge.  If there are any questions in the current FAQ that are
not in the new one (and need to be), I'd consider that a bug and would
appreciate being told about them.  :)

What do you need from me, on my end, in order to begin replacing the old
FAQ with the new one?



From nicholas.cole at gmail.com  Sat Sep  7 17:58:29 2013
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Sat, 7 Sep 2013 16:58:29 +0100
Subject: Command Line Consistency
Message-ID: <CAAu18heUPX7a3yoC4cyyPsh_kqR4XAKbi+G7Qz_Eb52CmoF7AQ@mail.gmail.com>

Dear Werner,

I wonder if the command line for

--disable-cipher-algo name

could be made consistent with

--personal-cipher-preferences string

Currently, the former can only accept the name of the algorithm,
whereas the latter can accept either the name or the OpenPGP number.
In addition --disable-cipher-algo only accepts a single name at a
time, whereas the other similar options tend to accept a list.

Just a thought.

N.


From amk at amk.ca  Sat Sep  7 18:03:41 2013
From: amk at amk.ca (A.M. Kuchling)
Date: Sat, 7 Sep 2013 12:03:41 -0400
Subject: How to help with GnuPG documentation?
In-Reply-To: <87zjrogbbc.fsf@vigenere.g10code.de>
References: <20130906133159.GA67631@DATLANDREWK.local>
 <87zjrogbbc.fsf@vigenere.g10code.de>
Message-ID: <20130907160341.GB74214@datlandrewk.home>

On Sat, Sep 07, 2013 at 12:45:11PM +0200, Werner Koch wrote:
> or use.  I have already started to change that by converting the
> rendered HTML pages to org-mode.  Most existing pages have now been
> converted but a menu system and a new CSS is missing.  I have not yet
> pushed the new org-mode based pages but can do this soon.

OK; I'm happy to work on this, or on the FAQ conversion. I already use
org-mode to track my todo items so I have some familiarity with it,
though I haven't used it for writing documents.  Are either the web
site or the FAQ available as repositories?  Or should I be writing
Robert Hansen and offering help?

Thanks!

--amk


From wk at gnupg.org  Sat Sep  7 20:30:06 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 07 Sep 2013 20:30:06 +0200
Subject: How to help with GnuPG documentation?
In-Reply-To: <522B1B82.40402@sixdemonbag.org> (Robert J. Hansen's message of
 "Sat, 07 Sep 2013 08:26:42 -0400")
References: <20130906133159.GA67631@DATLANDREWK.local>
 <87zjrogbbc.fsf@vigenere.g10code.de> <522B1B82.40402@sixdemonbag.org>
Message-ID: <87bo44fpsh.fsf@vigenere.g10code.de>

On Sat,  7 Sep 2013 14:26, rjh at sixdemonbag.org said:

> I was under the impression it was going to be a total rewrite rather
> than a merge.  If there are any questions in the current FAQ that are

To avoid breaking links to the existing FAQ, we should keep the anchors
which are already known.  Those answers might be moved to an old-stuff
section andd updated with a link to a more appropriate Q+A.

> not in the new one (and need to be), I'd consider that a bug and would
> appreciate being told about them.  :)

I have not checked for quite some time :-(

> What do you need from me, on my end, in order to begin replacing the old
> FAQ with the new one?

Well, I would like to change to org-mode.  pandoc has support for this
or it can be done manually while kind of merging with the list.
org-mode is really easy to read and edit.  Here is an example (indented
by 2 spaces)

  #+LINK: gnupgweb http://www.gnupg.org/
  #+LINK: roundup https://bugs.g10code.com/gnupg/issue

  * General Questions
  
  ** What is GnuPG?
     :PROPERTIES:
     :CUSTOM_ID: what-is-gnupg
     :END:

     [[gnupgweb][GnuPG]] stands for GNU Privacy Guard ...
  
One asterisk translates to <h1> and two of them to <h2> but that can be
changed.  The +LINK: lines defines shortcuts for URLs and the PROPERTIES
drawer is used to specify a link id (In HTML: #what-is-gnupg).  I can do
that conversion if you agree to make org-mode the new source format.

I would also very much like to have the FAQ under a dual license
CC-by-sa 3.0 unported and GPLv2+.  This allows to reuse it in Wikipedia
other manuals as well as in GPL code.

The existing FAQ has a copyright notices mentioning only the FSF.  That
is actually not correct because this was never assigned to the FSF and
for sure some answers have been taken from the mailing lists (which
however is assumed to be in the public domain).  Thus it is not easy to
track who wrote for the FAQ.  I would very much like to see a 

(C) 1998-2013 The GnuPG contributors 

with a list of those contributors.  I am not sure whather this is
legally possible given that this is a fuzzy description.  As of now it
reads

  Many thanks to Nils Ellmenreich for maintaining this FAQ file for
  such a long time, David D. Scribner for continuing maintenance,
  Werner Koch for the original FAQ file, and to all posters to
  gnupg-users and gnupg-devel.  They all provided most of the answers.
  Converted to org-mode and removed from the tarballs in October 2010.

We could keep that and add the copyright lines for all mentioned persons
with you listed first.

Any suggestions?


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Sat Sep  7 20:33:54 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 07 Sep 2013 20:33:54 +0200
Subject: How to help with GnuPG documentation?
In-Reply-To: <20130907160341.GB74214@datlandrewk.home> (A. M. Kuchling's
 message of "Sat, 7 Sep 2013 12:03:41 -0400")
References: <20130906133159.GA67631@DATLANDREWK.local>
 <87zjrogbbc.fsf@vigenere.g10code.de>
 <20130907160341.GB74214@datlandrewk.home>
Message-ID: <877gesfpm5.fsf@vigenere.g10code.de>

On Sat,  7 Sep 2013 18:03, amk at amk.ca said:

> org-mode to track my todo items so I have some familiarity with it,
> though I haven't used it for writing documents.  Are either the web

It is really cool tool.

> site or the FAQ available as repositories?  Or should I be writing
> Robert Hansen and offering help?

The original one is doc/faq.org in gnupg's git master. Or at
<http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/faq.org>

Robert's is at 	https://github.com/rjhansen/gpgfaq



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Sat Sep  7 20:36:53 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 07 Sep 2013 20:36:53 +0200
Subject: Command Line Consistency
In-Reply-To: <CAAu18heUPX7a3yoC4cyyPsh_kqR4XAKbi+G7Qz_Eb52CmoF7AQ@mail.gmail.com>
 (Nicholas Cole's message of "Sat, 7 Sep 2013 16:58:29 +0100")
References: <CAAu18heUPX7a3yoC4cyyPsh_kqR4XAKbi+G7Qz_Eb52CmoF7AQ@mail.gmail.com>
Message-ID: <8738pgfph6.fsf@vigenere.g10code.de>

On Sat,  7 Sep 2013 17:58, nicholas.cole at gmail.com said:

> Currently, the former can only accept the name of the algorithm,
> whereas the latter can accept either the name or the OpenPGP number.

I prefer to keep it as it is, changing this would require quite some
changes for an option which in most cases is useless.  But if someone
provides a concise patch I would reconsider.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From rjh at sixdemonbag.org  Sun Sep  8 02:07:46 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 07 Sep 2013 20:07:46 -0400
Subject: How to help with GnuPG documentation?
In-Reply-To: <87bo44fpsh.fsf@vigenere.g10code.de>
References: <20130906133159.GA67631@DATLANDREWK.local>
 <87zjrogbbc.fsf@vigenere.g10code.de> <522B1B82.40402@sixdemonbag.org>
 <87bo44fpsh.fsf@vigenere.g10code.de>
Message-ID: <522BBFD2.3020006@sixdemonbag.org>

On 9/7/2013 2:30 PM, Werner Koch wrote:
> To avoid breaking links to the existing FAQ, we should keep the
> anchors which are already known.  Those answers might be moved to an
> old-stuff section andd updated with a link to a more appropriate
> Q+A.

I'll see about making a first stab at this.

> Well, I would like to change to org-mode.

It's already in org-mode.  Or, rather, it's in a *really* kludged up XML
that I convert to org-mode via a Python script (which is part of the git
repo).

> I can do that conversion if you agree to make org-mode the new source
> format.

There are reasons to prefer XML right now -- basically, it makes it much
easier for me to keep a table of contents together.  But yes, it was
always my understanding that it would be submitted as org-mode text.

> I would also very much like to have the FAQ under a dual license 
> CC-by-sa 3.0 unported and GPLv2+.  This allows to reuse it in
> Wikipedia other manuals as well as in GPL code.

Point.  I can see about making that change.  Since I'm the only author,
relicensing isn't a problem.

> We could keep that and add the copyright lines for all mentioned
> persons with you listed first.

It's not important to me that I be listed first -- just that I be
listed.  :)



From amk at amk.ca  Sun Sep  8 04:24:41 2013
From: amk at amk.ca (A.M. Kuchling)
Date: Sat, 7 Sep 2013 22:24:41 -0400
Subject: Old and new FAQs
Message-ID: <20130908022441.GA81707@datlandrewk.home>

I took a look at the question titles in the existing and proposed new
FAQs, assuming that we'd want to start from the new FAQ and
cherry-pick bits from the old FAQ, since portions of it are obsolete,
rather than the other way around.

What I thought:

* We can ignore the old FAQ's 'Compatibility Issues' and 'Problems
  and Error Messages' sections; it's not clear if any of them apply
  to GPG 2.0, and we'd have to figure out what error messages are
  currently relevant.

* The old FAQ had an empty 'Bug reporting and hacking' section; the new
  FAQ should have a brief entry for that.

* Some old FAQ questions that seemed worth examining further and
  possibly incorporating in the new FAQ:

** What is the difference between options and commands?

(three related questions)
** I can't delete a user ID on my secret keyring because it has
   already been deleted on my public keyring. What can I do?
** I can't delete my secret key because the public key disappeared.  What can I do?
** I still have my secret key, but lost my public key. What can I do?
   gpgsplit not installed by my MacOS binary installation.

** How do I sign a patch file?
** How can I get rid of the Version and Comment headers in armored messages?
   (answer is outdated; correct answer for gpg2 is --no-version --no-comments)
** What does the "You are using the xxxx character set." mean?
** How can I get list of key IDs used to encrypt a message? (answer still works)
** How can I use GnuPG in an automated environment?
** Clearsigned messages sent from my web-mail account have an invalid signature. Why?

Some of these may actually be addressed in the new FAQ; I haven't
actually read the entry texts yet.  I've included the question lists
below, so that others can compare them and suggest other topics that
should or shouldn't be included.

(BTW, I'm happy to take this discussion back to gnupg-doc if it's too
off-topic or gets too high-traffic for gnupg-devel.)

--amk

Old FAQ:

* Welcome
** What conventions are used in this FAQ?
* General Questions
** What is GnuPG?
** Is GnuPG compatible with PGP?
** Is GnuPG free to use for personal or commercial use?
* Sources of Information
** Where can I find more information on GnuPG?
** Where do I get GnuPG?
* Installation
** Which OSes does GnuPG run on?
** Which random data gatherer should I use?
** How do I include support for RSA and IDEA?
* Usage
** What is the recommended key size?
** Why does it sometimes take so long to create keys?
** And it really takes long when I work on a remote system. Why?
** What is the difference between options and commands?
** I can't delete a user ID on my secret keyring because it has already been deleted on my public keyring. What can I do?
** I can't delete my secret key because the public key disappeared.  What can I do?
** What are trust, validity and ownertrust?
** How do I sign a patch file?
** Where is the "encrypt-to-self" option?
** How can I get rid of the Version and Comment headers in armored messages?
** What does the "You are using the xxxx character set." mean?
** How can I get list of key IDs used to encrypt a message?
** Why can't I decrypt files encrypted as symmetrical-only (-c) with a version of GnuPG prior to 1.0.1.
** How can I use GnuPG in an automated environment?
** Which email-client can I use with GnuPG?
** Can't we have a gpg library?
** I have successfully generated a revocation certificate, but I don't understand how to send it to the key servers.
** How do I put my keyring in a different directory?
** How do I verify signed packages?
** How do I export a keyring with only selected signatures (keys)?
** I still have my secret key, but lost my public key. What can I do?
** Clearsigned messages sent from my web-mail account have an invalid signature. Why?
* Compatibility Issues
** How can I encrypt a message with GnuPG so that PGP is able to decrypt it?
** How do I migrate from PGP 2.x to GnuPG?
** Why is PGP 5.x not able to encrypt messages with some keys?
** Why is PGP 5.x not able to verify my messages?
** How do I transfer owner trust values from PGP to GnuPG?
** PGP does not like my secret key.
** GnuPG no longer installs a ~/.gnupg/options file. Is it missing?
** How do you export GnuPG keys for use with PGP?
** What are DH/DSS keys?
* Problems and Error Messages
** Why do I get "gpg: Warning: using insecure memory!"
** Large File Support doesn't work
** In the edit menu the trust values are not displayed correctly after signing uids. Why?
** What does "skipping pubkey 1: already loaded" mean?
** GnuPG 1.0.4 doesn't create ~/.gnupg ...
** An Elgamal signature does not verify anymore since version 1.0.2
** Old versions of GnuPG can't verify Elgamal signatures
** When I use --clearsign, the plain text has sometimes extra dashes in it - why?
** What is the thing with "can't handle multiple signatures"?
** If I submit a key to a keyserver, nothing happens
** I get "gpg: waiting for lock ..."
** Older gpg binaries (e.g., 1.0) have problems with keys from newer gpg binaries
** With 1.0.4, I get "this cipher algorithm is deprecated ..."
** Some dates are displayed as ????-??-??. Why?
** I still have a problem. How do I report a bug?
** Why doesn't GnuPG support X.509 certificates?
** Why do national characters in my user ID look funny?
** I get 'sed' errors when running ./configure on Mac OS X ...
** Why does GnuPG 1.0.6 bail out on keyrings used with 1.0.7?
** I upgraded to GnuPG version 1.0.7 and now it takes longer to load my keyrings. What can I do?
** Doesn't a fully trusted user ID on a key prevent warning messages when encrypting to other IDs on the key?
** I just compiled GnuPG from source on my GNU/Linux RPM-based system and it's not working. Why?
* Advanced Topics
** How does this whole thing work?
** Why are some signatures with an ELG-E key valid?
** How does the whole trust thing work?
** What kind of output is this: "key C26EE891.298, uid 09FB: ...."?
** How do I interpret some of the informational outputs?
** Are the header lines of a cleartext signature part of the signed material?
** What is the list of preferred algorithms?
** How do I change the list of preferred algorithms?
** How can I import all the missing signer keys?
* Bug reporting and hacking
** Copyright assignments
** U.S. export restrictions
* Acknowledgements
* Changes


New FAQ:

    <section name="Foreword" id="foreword">
      <section name="Trademark notice" id="trademarks"/>
      <section name="Creative Commons license" id="documentation_license"/>
      <section name="Disclaimer of liability" id="liability"/>
    <section name="Welcome" id="welcome">
      <section name="What conventions are used in this FAQ?" id="conventions"/>
      <section name="Who maintains this FAQ?" id="maintainer"/>
      <section name="Is this the official GnuPG FAQ?" id="is_it_official"/>
      <section name="When was this FAQ last checked for accuracy?" id="last_checked"/>
    <section name="General questions" id="general">
      <section name="What?s GnuPG?" id="whats_gnupg"/>
      <section name="How do I pronounce GnuPG?" id="pronunciation"/>
      <section name="Is it compatible with Symantec?s PGP?" id="compatible"/>
      <section name="Which operating systems does it run on?" id="oses"/>
      <section name="How much does it cost?" id="free_as_in_beer"/>
      <section name="From where can I download it?" id="get_gnupg">
        <section name="? for Microsoft Windows?" id="get_gnupg_win32"/>
	      <section name="? for Mac OS X?" id="get_gnupg_osx"/>
	      <section name="? for Linux?" id="get_gnupg_linux">
	        <section name="? for Debian GNU/Linux?" id="get_gnupg_debian"/>
	        <section name="? for OpenSUSE?" id="get_gnupg_opensuse"/>
	        <section name="? for Fedora?" id="get_gnupg_fedora"/>
	        <section name="? for CentOS or RHEL?" id="get_gnupg_centos"/>
	        <section name="? for Ubuntu?" id="get_gnupg_ubuntu"/>
	        <section name="? for Slackware?" id="get_gnupg_slack"/>
	        <section name="? for Gentoo?" id="get_gnupg_gentoo"/>
	      <section name="? for FreeBSD?" id="get_gnupg_freebsd"/>
      <section name="Is there source code available for it?" id="source_code"/>
      <section name="What?s Free Software, and why does it matter?" id="gpl"/>
      <section name="How can I donate money to the GnuPG project?" id="donate"/>
    <section name="Where can I get more information?" id="more_info">
      <section name="How can I spot the charlatans?" id="fraudsters"/>
      <section name="What are some useful mailing lists?" id="mailing_lists">
	      <section name="The GnuPG-Users mailing list" id="gnupg-users_list"/>
	      <section name="The Enigmail mailing list" id="enigmail_list"/>
	      <section name="PGP-Basics" id="pgp-basics_list"/>
	      <section name="PGPNET" id="pgpnet_list"/>
      <section name="What are some useful webpages?" id="webpages">
	      <section name="Where can I find the homepage for?" id="homepages">
	        <section name="? GnuPG?" id="gnupg_homepage"/>
	        <section name="? Enigmail?" id="enigmail_homepage"/>
	        <section name="? GPGTools?" id="gpgtools_homepage"/>
	        <section name="? GPG4WIN?" id="gpg4win_homepage"/>
	      <section name="Where can I find webpages covering?" id="pages_about">
	        <section name="? an easy introduction to cryptography?" id="pages_about_introduction_to_crypto"/>
	        <section name="? the deeper mathematics of cryptography?" id="pages_about_cryptographic_mathematics"/>
	        <section name="? best practices for using GnuPG?" id="pages_about_best_practices"/>
	        <section name="? the politics of cryptography?" id="pages_about_politics"/>
    <section name="What email clients support GnuPG on?" id="email_clients">
      <section name="? Microsoft Windows?" id="email_clients_win32"/>
      <section name="? Mac OS X?" id="email_clients_osx"/>
      <section name="? Linux or FreeBSD?" id="email_clients_linux"/>
    <section name="Is GnuPG available as a ?portable app??" id="portable_app"/>
    <section name="What do all these strange words mean?" id="glossary">
      <section name="What?s ?public-key cryptography??" id="define_asymc"/>
      <section name="What?s ?symmetric cryptography??" id="define_symc"/>
      <section name="What?s a ?key??" id="define_key"/>
      <section name="What?s a ?certificate??" id="define_certificate"/>
      <section name="What?s RSA?" id="define_rsa"/>
      <section name="What?s DSA?" id="define_dsa"/>
      <section name="What?s Elgamal?" id="define_elgamal"/>
      <section name="What?s AES?" id="define_aes"/>
      <section name="What are Twofish and Blowfish?" id="define_fish"/>
      <section name="What?s 3DES?" id="define_3des"/>
      <section name="What?s Camellia?" id="define_camellia"/>
      <section name="What are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and SHA-3?" id="define_sha"/>
      <section name="What?s MD5?" id="define_md5"/>
      <section name="What are CAST, CAST5, and CAST5-128?" id="define_cast"/>
      <section name="What are ZLIB, ZIP and BZIP?" id="define_compress"/>
      <section name="What?s a ?revocation certificate??" id="define_rev_cert"/>
      <section name="What?s a ?designated revoker??" id="define_desig_revkr"/>
      <section name="What does ?validity? mean?" id="define_validity"/>
      <section name="What does ?trust? mean?" id="define_trust"/>
      <section name="What does ?ownertrust? mean?" id="define_ownertrust"/>
    <section name="How do I start using GnuPG?" id="starting_out">
      <section name="Does GnuPG need to be ?tuned? before use?" id="tuning"/>
      <section name="How large should my key be?" id="new_key_size"/>
      <section name="What algorithm should I use?" id="new_key_algo"/>
      <section name="Why does it take so long to generate a certificate?" id="new_key_generate_time"/>
      <section name="What should I do after making my certificate?" id="new_key_after_generation">
        <section name="How do I appoint a designated revoker?" id="appoint_revoker"/>
        <section name="How do I generate a revocation certificate?" id="generate_revocation_certificate"/>
        <section name="How do I send my certificate to the keyserver network?" id="send_to_keyservers"/>
      <section name="Where does GnuPG look for configuration options?" id="location_gpg_conf_file"/>
      <section name="What options should I put in my configuration file?" id="new_user_gpg_conf"/>
      <section name="Is there any particular keyserver I should use?" id="new_user_default_keyserver"/>
      <section name="What?s the difference between an ?option? and a ?command??" id="diff_option_commands"/>
      <section name="What are the most commonly used options?" id="common_options"/>
      <section name="What are the most commonly used commands?" id="common_commands"/>
      <section name="How do I use another person?s certificate?" id="using_certificates">
        <section name="How do I search the keyserver for someone?s certificate?" id="searching_keyservers"/>
        <section name="How do I retrieve a certificate if I already know its fingerprint?" id="retrieving_by_fingerprint"/>
        <section name="Why do I need to validate certificates?" id="why_validate"/>
        <section name="How do I validate certificates?" id="how_to_validate"/>
      <section name="Why can?t I read emails I?ve sent, and how do I fix it?" id="encrypt_to_self"/>
      <section name="How do I encrypt a file for multiple recipients?" id="multiple_recipients"/>
      <section name="How do I sign a file with multiple certificates?" id="multiple_signers"/>
      <section name="How do I combine encryption with signing?" id="encrypt_and_sign"/>
      <section name="How do I force GnuPG to make printable-text output?" id="ascii_armor"/>
      <section name="How do I create an ?inline signature??" id="generate_inline_signature"/>
      <section name="I?m a programmer and I need a GnuPG library.  Is there one?" id="yes_gpgme"/>
      <section name="I?m a programmer and I need a way to call GnuPG internals directly.  Is there a library for this?" id="keep_dreaming"/>
    <section name="What common problems come up?" id="common_problems">
      <section name="Why is GnuPG warning me this certificate might not belong to whom I think it does?" id="you_need_to_validate"/>
      <section name="Why is GnuPG warning me about using insecure memory?" id="insecure_memory"/>
      <section name="Why is GnuPG changing my message?" id="escaped_dashes"/>
    <section name="What are some common best practices?" id="best_practices">
      <section name="How can I choose a strong passphrase?" id="strong_passphrase"/>
      <section name="How can I keep my revocation certificate safe?" id="keep_rev_cert_safe"/>
      <section name="How can I keep my computer safe from malware?" id="malware"/>
      <section name="Should I use encrypted disk software like TrueCrypt, BitLocker or FileVault?" id="disk_encryption"/>
    <section name="Advanced topics" id="advanced_topics">
      <section name="Why does GnuPG use RSA-2048 by default?" id="default_rsa2048"/>
      <section name="Do other high-security applications use RSA-2048?" id="rsa2048_in_the_real_world"/>
      <section name="Why doesn?t GnuPG default to using RSA-4096?" id="no_default_of_rsa4096"/>
      <section name="Why do people advise against using RSA-4096?" id="please_use_ecc"/>
      <section name="Why does GnuPG support RSA-4096 if it?s such a bad idea?" id="not_a_bad_idea_just_unnecessary"/>
      <section name="Can any of the ciphers in GnuPG be brute-forced?" id="brute_force"/>
      <section name="Has GnuPG ever been successfully attacked?" id="successful_attacks"/>
      <section name="Should I use PGP/MIME for my emails?" id="use_pgpmime"/>
      <section name="What are the best algorithms in GnuPG?" id="no_best_algo"/>
      <section name="Why is my DSA key limited to 3072 bits?" id="no_dsa4096"/>
      <section name="Why does my DSA-1024 key use a different digest algorithm than my DSA-2048 or DSA-3072 key?" id="hash_widths_in_dsa"/>


From wk at gnupg.org  Sun Sep  8 11:26:34 2013
From: wk at gnupg.org (Werner Koch)
Date: Sun, 08 Sep 2013 11:26:34 +0200
Subject: Deterministic DSA
Message-ID: <87wqmrd5px.fsf@vigenere.g10code.de>

Hi,

although the default for GnuPG is to use RSA keys, DSA signing keys are
still in wide use and sometimes offer an advantage over RSA.  Thomas
Pornin recently came up with a specification on how to properly do DSA
and ECDSA without a random nonce.  This has already been implemented in
Libgcrypt master.  I think it is time to make use of it.  What do you
think about this patch?

Salam-Shalom,

   Werner

>From 6466db10fb22a4f24df4edad9c5cb33ec67321bd Mon Sep 17 00:00:00 2001
From: Werner Koch <wk at gnupg.org>
Date: Sat, 7 Sep 2013 10:06:46 +0200
Subject: [PATCH] Switch to deterministic DSA.

* agent/pksign.c (rfc6979_hash_algo_string): New.
(do_encode_dsa) [Libgcrypt >= 1.6]: Make use of RFC-6979.
--

Now that we have a good (and not NSA/NIST demanded ;-) specification
on how to use DSA without a random nonce, we take advantage of it and
thus avoid pitfalls related to a misbehaving RNG during signature
creation.

Note that OpenPGP has the option of using a longer hash algorithm but
truncated to what is suitable for the used DSA key size.  The hash
used as input to RFC-6979 will also be one with an appropriate digest
length but not a truncated one.  This is allowed by RFC-6979.

Signed-off-by: Werner Koch <wk at gnupg.org>
---
 agent/pksign.c |   40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/agent/pksign.c b/agent/pksign.c
index 8518730..ad783ce 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -1,5 +1,6 @@
 /* pksign.c - public key signing (well, actually using a secret key)
  * Copyright (C) 2001, 2002, 2003, 2004, 2010 Free Software Foundation, Inc.
+ * Copyright (C) 2013  Werner Koch
  *
  * This file is part of GnuPG.
  *
@@ -111,6 +112,25 @@ get_dsa_qbits (gcry_sexp_t key)
 }
 
 
+/* Return an appropriate hash algorithm to be used with RFC-6979 for a
+   message digest of length MDLEN.  Although a fallback of SHA-256 is
+   used the current implementation in Libgcrypt will reject a hash
+   algorithm which does not match the length of the message.  */
+static const char *
+rfc6979_hash_algo_string (size_t mdlen)
+{
+  switch (mdlen)
+    {
+    case 20: return "sha1";
+    case 28: return "sha224";
+    case 32: return "sha256";
+    case 48: return "sha384";
+    case 64: return "sha512";
+    default: return "sha256";
+    }
+}
+
+
 /* Encode a message digest for use with an DSA algorithm. */
 static gpg_error_t
 do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
@@ -177,11 +197,20 @@ do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
   if (mdlen > qbits/8)
     mdlen = qbits/8;
 
-  /* Create the S-expression.  We need to convert to an MPI first
-     because we want an unsigned integer.  Using %b directly is not
-     possible because libgcrypt assumes an mpi and uses
-     GCRYMPI_FMT_STD for parsing and thus possible yielding a negative
-     value.  */
+  /* Create the S-expression.  If we are using Libgcrypt 1.6 we make
+     use of Deterministic DSA.  Libgcrypt < 1.6 does not implement
+     RFC-6979 and also requires us to convert to an MPI because it
+     expects an unsigned integer.  Using %b directly is not possible
+     because Libgcrypt assumes an MPI and uses GCRYMPI_FMT_STD for
+     parsing and thus possible yielding a negative value.  */
+#if GCRYPT_VERSION_NUMBER >= 0x010600 /* Libgcrypt >= 1.6 */
+  {
+    err = gcry_sexp_build (&hash, NULL,
+                           "(data (flags rfc6979) (hash %s %b))",
+                           rfc6979_hash_algo_string (mdlen),
+                           (int)mdlen, md);
+  }
+#else /* Libgcrypt < 1.6 */
   {
     gcry_mpi_t mpi;
 
@@ -193,6 +222,7 @@ do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
         gcry_mpi_release (mpi);
       }
   }
+#endif /* Libgcrypt < 1.6 */
   if (!err)
     *r_hash = hash;
   return err;
-- 
1.7.10.4




-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From dkg at fifthhorseman.net  Sun Sep  8 17:00:52 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 08 Sep 2013 11:00:52 -0400
Subject: Deterministic DSA
In-Reply-To: <87wqmrd5px.fsf@vigenere.g10code.de>
References: <87wqmrd5px.fsf@vigenere.g10code.de>
Message-ID: <522C9124.90403@fifthhorseman.net>

On 09/08/2013 05:26 AM, Werner Koch wrote:
> @@ -177,11 +197,20 @@ do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
>    if (mdlen > qbits/8)
>      mdlen = qbits/8;
>  
> -  /* Create the S-expression.  We need to convert to an MPI first
> -     because we want an unsigned integer.  Using %b directly is not
> -     possible because libgcrypt assumes an mpi and uses
> -     GCRYMPI_FMT_STD for parsing and thus possible yielding a negative
> -     value.  */
> +  /* Create the S-expression.  If we are using Libgcrypt 1.6 we make
> +     use of Deterministic DSA.  Libgcrypt < 1.6 does not implement
> +     RFC-6979 and also requires us to convert to an MPI because it
> +     expects an unsigned integer.  Using %b directly is not possible
> +     because Libgcrypt assumes an MPI and uses GCRYMPI_FMT_STD for
> +     parsing and thus possible yielding a negative value.  */
> +#if GCRYPT_VERSION_NUMBER >= 0x010600 /* Libgcrypt >= 1.6 */
> +  {
> +    err = gcry_sexp_build (&hash, NULL,
> +                           "(data (flags rfc6979) (hash %s %b))",
> +                           rfc6979_hash_algo_string (mdlen),
> +                           (int)mdlen, md);
> +  }
> +#else /* Libgcrypt < 1.6 */
>    {
>      gcry_mpi_t mpi;
>  
> @@ -193,6 +222,7 @@ do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
>          gcry_mpi_release (mpi);
>        }
>    }
> +#endif /* Libgcrypt < 1.6 */

is a compile-time check the right solution here?  is this something we
can detect at runtime instead?

since libgcrypt 1.6 doesn't appear to have been released yet, i'm not
sure if it will bump its SONAME from 11 (used by 1.5.3) to something
higher or not.  if that's the case, it's conceivable that a package
linked against 1.6 at compile time will be run against an older version
at runtime (e.g. for people moving binary packages across distributions
that don't track symbol additions).

A runtime check seems like it would be more robust, if that's possible.

maybe the test could be:

 if gcry_check_version("1.6.0") {

instead of

#if GCRYPT_VERSION_NUMBER >= 0x010600

?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130908/f2e02699/attachment-0001.sig>

From wk at gnupg.org  Sun Sep  8 21:00:52 2013
From: wk at gnupg.org (Werner Koch)
Date: Sun, 08 Sep 2013 21:00:52 +0200
Subject: Deterministic DSA
In-Reply-To: <522C9124.90403@fifthhorseman.net> (Daniel Kahn Gillmor's message
 of "Sun, 08 Sep 2013 11:00:52 -0400")
References: <87wqmrd5px.fsf@vigenere.g10code.de>
 <522C9124.90403@fifthhorseman.net>
Message-ID: <871u4zcf4r.fsf@vigenere.g10code.de>

On Sun,  8 Sep 2013 17:00, dkg at fifthhorseman.net said:

> is a compile-time check the right solution here?  is this something we
> can detect at runtime instead?

I pondered with the runtiome check idea but compile time is fine because
1.6 is an ABI change.

> since libgcrypt 1.6 doesn't appear to have been released yet, i'm not
> sure if it will bump its SONAME from 11 (used by 1.5.3) to something

On GNU/Linux systems the SONAME will be 20.  The git version already
uses that to avoid conflicts with the old ABI.  Frankly, for most users
this ABI change will be invisible because only long deprecated or rarely
used functions are affected; technically it is one and thus the SONAME
needs to be changed.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From timprepscius at gmail.com  Mon Sep  9 01:29:43 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Sun, 8 Sep 2013 19:29:43 -0400
Subject: looking up pgp keys
Message-ID: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>

I'm looking at the pgp mit server and the http://pool.sks-keyservers.net.

I do not see a way of forcing the search results format from html into
something more conducive to machine parsing.  (aka json)

I've tried random things like: &format=json, &fmt=json, &plzcanhavjson=1
None have worked.  Parsing the html isn't just a big deal, but ....

Does anyone know a way of doing this?

Thanks,

-tim


From dkg at fifthhorseman.net  Mon Sep  9 02:00:40 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 08 Sep 2013 20:00:40 -0400
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
Message-ID: <522D0FA8.2060207@fifthhorseman.net>

On 09/08/2013 07:29 PM, Tim Prepscius wrote:
> I'm looking at the pgp mit server and the http://pool.sks-keyservers.net.
> 
> I do not see a way of forcing the search results format from html into
> something more conducive to machine parsing.  (aka json)
> 
> I've tried random things like: &format=json, &fmt=json, &plzcanhavjson=1
> None have worked.  Parsing the html isn't just a big deal, but ....
> 
> Does anyone know a way of doing this?

SKS is the dominant implementation of OpenPGP keyserver infrastructure
these days.  most of the servers in the pool you're referring to run
SKS.  So the best place to ask this kind of question is on the  SKS
development list <sks-devel at nongnu.org>.

That said, the "machine-parsable" format is of a much older vintage than
json :)

The spec for HKP suggests that you need to supply the "mr" variable in
the query string:

  https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-3.2.1.1

and then read the line-oriented text-based output format:

  https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5

hth,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130908/279d1918/attachment.sig>

From timprepscius at gmail.com  Mon Sep  9 02:09:17 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Sun, 8 Sep 2013 20:09:17 -0400
Subject: looking up pgp keys
In-Reply-To: <522D0FA8.2060207@fifthhorseman.net>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
Message-ID: <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>

awesomeness.

&options=mr it is.

thanks,

-tim

On 9/8/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 09/08/2013 07:29 PM, Tim Prepscius wrote:
>> I'm looking at the pgp mit server and the http://pool.sks-keyservers.net.
>>
>> I do not see a way of forcing the search results format from html into
>> something more conducive to machine parsing.  (aka json)
>>
>> I've tried random things like: &format=json, &fmt=json, &plzcanhavjson=1
>> None have worked.  Parsing the html isn't just a big deal, but ....
>>
>> Does anyone know a way of doing this?
>
> SKS is the dominant implementation of OpenPGP keyserver infrastructure
> these days.  most of the servers in the pool you're referring to run
> SKS.  So the best place to ask this kind of question is on the  SKS
> development list <sks-devel at nongnu.org>.
>
> That said, the "machine-parsable" format is of a much older vintage than
> json :)
>
> The spec for HKP suggests that you need to supply the "mr" variable in
> the query string:
>
>   https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-3.2.1.1
>
> and then read the line-oriented text-based output format:
>
>   https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5
>
> hth,
>
> 	--dkg
>
>


From kristian.fiskerstrand at sumptuouscapital.com  Mon Sep  9 01:35:05 2013
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 09 Sep 2013 01:35:05 +0200
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
Message-ID: <522D09A9.6070901@sumptuouscapital.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/09/2013 01:29 AM, Tim Prepscius wrote:
> I'm looking at the pgp mit server and the
> http://pool.sks-keyservers.net.

Hi Tim,

> 
> I do not see a way of forcing the search results format from html
> into something more conducive to machine parsing.  (aka json)
> 
> I've tried random things like: &format=json, &fmt=json,
> &plzcanhavjson=1 None have worked.  Parsing the html isn't just a
> big deal, but ....
> 
> Does anyone know a way of doing this?
> 

Try &options=mr


- -- 
- ----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Uxor formosa et vinum sunt dulcia venena
Beautiful women and wine are sweet venom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta220 (GNU/Linux)

iQIcBAEBCAAGBQJSLQmkAAoJEJjgB+fVz3puwjIP/j7uH6mKcjrl0ucLvciurOOp
P3M6jAzaa4/GVin7PqB44fXU/aV94Jt6GKTkQmpAXX9owo/0IWL8r/8BfIDON3Px
WohyzE4vkrR31FbkuZW2lESxHqwjUVBuSdnuP3zBs3qqT+uTNYPtXRe78WwNA/zy
1zZIzDEFBDyCqHcxmOVtLP9BJ44qaXZNpBHP9qiXcgyiDaPlxaOk5P5cxEMrrwwA
NOFpmjExE3MHZxRG4qqgqAhgcEtutMse9gk/huKc2CrhvHfDvg8YjAWRE/4kxw5P
51lvhQjDZHcrSDPWdNTVDLURmpeAK3J1DpZbIR8V03pTnJZ3HaY2oDr5slpZ+Gu7
l+qxFaPdYobq7y+ZpGOJf6xas0A0EuF9hTiUhoyORZcq0uRmvB7FhniZTTQPD/Ni
td8q19OPz/wTWs5voPlw7UTArg52p1xJm145uk15XIyowglbQHwliBb5UZ2ji5c8
l4U+u+xgZLDvrT/CwMvV1rDhLO1aNh2+eYz7FUhWz7tBd7LmKsoJ215Oi3cVjMIR
0EDD9PjPKDuv99Ru0tuVZNS/5yAJ8Y9jQ4PM6m0giPwC0WTvCCJUD9I6Fr9VxyDL
mJPdi1BsilP2SiDWumWZ40r5Symkkp+lK4J9yxYFR32wbXRskpjt6SZgchLjxCGX
/OlACMmpD4VPzwI76l+Y
=YNTR
-----END PGP SIGNATURE-----


From timprepscius at gmail.com  Mon Sep  9 03:53:49 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Sun, 8 Sep 2013 21:53:49 -0400
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
Message-ID: <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>

Actually, I will ask one more question.
It is sort of off topic, well, it *is* off topic, but I think it is
appropriate anyhow.


So I'm writing this secure e-mail web system.
I'm currently integrating pgp for end to end security.


I'm at the point now where I need to look up recipients' public keys.


Here are 3 options:

1.  web mail contacts web server, says, "hey give me tom's public
key," web server contacts pgp-servers/recipient server, sends back key
to web-mail.

2.  web mail contacts pgp-servers directly, says, "hey give me tom's key."

3.  web mail first tries to contact recipient mail server and ask it
(assuming it is running a key server), then resorts to public pgp
servers.



So I am tending to like #1 because:
1.  web server will make request, real requester IP of web-mail client
won't be known.
2.  web server will prob be on faster connection than client

But I also like #2 because:
1.  web mail client can talk to many servers and validate it gets same
result from all.

..

Does anyone have any thoughts on this issue?

-tim


On 9/8/13, Tim Prepscius <timprepscius at gmail.com> wrote:
> awesomeness.
>
> &options=mr it is.
>
> thanks,
>
> -tim
>
> On 9/8/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>> On 09/08/2013 07:29 PM, Tim Prepscius wrote:
>>> I'm looking at the pgp mit server and the
>>> http://pool.sks-keyservers.net.
>>>
>>> I do not see a way of forcing the search results format from html into
>>> something more conducive to machine parsing.  (aka json)
>>>
>>> I've tried random things like: &format=json, &fmt=json, &plzcanhavjson=1
>>> None have worked.  Parsing the html isn't just a big deal, but ....
>>>
>>> Does anyone know a way of doing this?
>>
>> SKS is the dominant implementation of OpenPGP keyserver infrastructure
>> these days.  most of the servers in the pool you're referring to run
>> SKS.  So the best place to ask this kind of question is on the  SKS
>> development list <sks-devel at nongnu.org>.
>>
>> That said, the "machine-parsable" format is of a much older vintage than
>> json :)
>>
>> The spec for HKP suggests that you need to supply the "mr" variable in
>> the query string:
>>
>>   https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-3.2.1.1
>>
>> and then read the line-oriented text-based output format:
>>
>>   https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5
>>
>> hth,
>>
>> 	--dkg
>>
>>
>


From gnupg-devel at spodhuis.org  Mon Sep  9 08:12:58 2013
From: gnupg-devel at spodhuis.org (Phil Pennock)
Date: Sun, 8 Sep 2013 23:12:58 -0700
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
Message-ID: <20130909061258.GA92675@redoubt.spodhuis.org>

On 2013-09-08 at 21:53 -0400, Tim Prepscius wrote:
> So I'm writing this secure e-mail web system.
> I'm currently integrating pgp for end to end security.

What is your threat model?  Who and what attacks are you protecting
against?  What do you mean by "security" in this context?

> Does anyone have any thoughts on this issue?

Yes; I'm going to assume that various news items of the past few months
are a motivating factor in your work and thus that trace data privacy is
one of the concerns.  I'll also assume that you're accepting leaking of
"someone in domain Foo is (or wants to) talk to someone in domain Bar"
and that you understand the anonymity of crowds in such a security
model.

Note that most recipient mail-servers will not also run PGP keyservers,
If you want that approach to take off, I suggest figuring out a DNS
scheme for asking for SRV records _mail-openpgp._tcp.example.org or
somesuch.  The details don't matter.  If you mandate TLS and sort out
naming/identity issues then that also gives you federated-level privacy
as to who the communicants within the domains are.  A snooper still
knows which domains you're talking to, but they'd know that anyway from
the DNS traffic you send out and then a correlation from the SMTP
connection before you set up TLS. 

If you want to talk to some selection of PGP keyservers, then how do you
decide which to talk to?  How do you establish trust?  The public PGP
keyserver pools are a convenience, but if you use them then you're
sacrificing privacy about who you wish to communicate with.  If the NSA
is not running at least one PGP keyserver in the SKS pool, then they're
slipping.  *Best* case for privacy is that a non-NSA person with a
security clearance runs a keyserver with a code modification to hide
some peers, and so provides a hidden gateway for sending copies of key
updates into the NSA, without the NSA actually tracking who is asking
for PGP keys.  Somehow, that regard for communicant privacy does not
seem to match the current narrative around the NSA.

If you care about privacy and making any meaningful assertions, you run
keyservers yourself, peer into the public pool, and point your clients
only at the keyservers which *you* run and which you hope you can
meaningfully vouch for.


Regards,
-Phil


From dkg at fifthhorseman.net  Mon Sep  9 15:56:52 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 09 Sep 2013 09:56:52 -0400
Subject: looking up pgp keys
In-Reply-To: <20130909061258.GA92675@redoubt.spodhuis.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
Message-ID: <522DD3A4.4020406@fifthhorseman.net>

On 09/09/2013 02:12 AM, Phil Pennock wrote:

> Note that most recipient mail-servers will not also run PGP keyservers,
> If you want that approach to take off, I suggest figuring out a DNS
> scheme for asking for SRV records _mail-openpgp._tcp.example.org or
> somesuch.  The details don't matter.

If you do something like that, please don't make up your own scheme.
The current proposed draft for this kind of lookup is from Paul Wouters:

  https://tools.ietf.org/html/draft-wouters-dane-openpgp

If you are working on implementing this sort of scheme, and you evaluate
your threat models sensibly like Phil is suggesting, and you think you
see a problem with it, or a way it could be improved, you should mention
it to Paul.  i'm sure he would be happy to get feedback from
implementors for a revised draft if it is necessary.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130909/47e5c699/attachment-0001.sig>

From timprepscius at gmail.com  Tue Sep 10 02:40:42 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Mon, 9 Sep 2013 20:40:42 -0400
Subject: looking up pgp keys
In-Reply-To: <522DD3A4.4020406@fifthhorseman.net>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
Message-ID: <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>

Thank you very much for this feed back.

I'm thinking, thinking, thinking...


Here is sort of a naive question:

Why aren't the results from the http://pgp.mit.edu:11371 signed with their key?
They have an http request but there is no way I can tell if I've been mitm-ed.


I should be able to ask each server I request from, the public key of
the other servers, and then check the signature of each against each
other

??

Is this implemented and I'm missing it somehow?

-tim


On 9/9/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 09/09/2013 02:12 AM, Phil Pennock wrote:
>
>> Note that most recipient mail-servers will not also run PGP keyservers,
>> If you want that approach to take off, I suggest figuring out a DNS
>> scheme for asking for SRV records _mail-openpgp._tcp.example.org or
>> somesuch.  The details don't matter.
>
> If you do something like that, please don't make up your own scheme.
> The current proposed draft for this kind of lookup is from Paul Wouters:
>
>   https://tools.ietf.org/html/draft-wouters-dane-openpgp
>
> If you are working on implementing this sort of scheme, and you evaluate
> your threat models sensibly like Phil is suggesting, and you think you
> see a problem with it, or a way it could be improved, you should mention
> it to Paul.  i'm sure he would be happy to get feedback from
> implementors for a revised draft if it is necessary.
>
> Regards,
>
> 	--dkg
>
>


From gnupg-devel at spodhuis.org  Tue Sep 10 04:06:05 2013
From: gnupg-devel at spodhuis.org (Phil Pennock)
Date: Mon, 9 Sep 2013 19:06:05 -0700
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
Message-ID: <20130910020605.GA6491@redoubt.spodhuis.org>

On 2013-09-09 at 20:40 -0400, Tim Prepscius wrote:
> Why aren't the results from the http://pgp.mit.edu:11371 signed with their key?
> They have an http request but there is no way I can tell if I've been mitm-ed.
> 
> 
> I should be able to ask each server I request from, the public key of
> the other servers, and then check the signature of each against each
> other
> 
> ??
> 
> Is this implemented and I'm missing it somehow?

Anyone can upload content to the public keyservers.  I could, instead of
writing this email, use GnuPG to create an OpenPGP key which claims to
belong to:

  Tim Prepscius <timprepscius at gmail.com>

and upload it.

Signatures securing links between keyservers don't matter, when *anyone*
can anonymously upload keys into a keyserver and let them propagate.

The security of the PGP keyservers is not from "being in the public
repositories" -- they're a collection of assertions that various people
make.

The security is because PGP inherently provides an object-level model of
security, where the items themselves should be sufficient for
establishing links.  This is where the Web-of-Trust comes in.  Given
user decisions of how much I trust, say, "Werner Koch" (as that identity
is expressed by one particular PGP key) to bother verifying identities
of people and the links between them and keys, I can trust the identity
assertions in keys which carry a uid signature from Werner.  The link is
there from the signature already, I decide how much I trust signatures
from a particular key.

There is spam in the public keyservers.  There are known bad keys, there
are known malicious keys.  The continuing viability of public keyservers
is a reasonable thing to question.  The loss of them would be a blow.

But the mere presence of a key in a public collection conveys no
inherent trust.  There's more trust from `finger foo at example.org`,
because heck, at least faking the result would require a current active
attack.  That's still not a lot of trust, but it is mildly suggestive
that a key might be a reasonable match to an identity (in the form of an
email/finger address), unlike being present in a public keyserver, which
is not suggestive at all.

-Phil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: </pipermail/attachments/20130909/e934d25b/attachment.sig>

From timprepscius at gmail.com  Tue Sep 10 04:57:00 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Mon, 9 Sep 2013 22:57:00 -0400
Subject: looking up pgp keys
In-Reply-To: <20130910020605.GA6491@redoubt.spodhuis.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <20130910020605.GA6491@redoubt.spodhuis.org>
Message-ID: <CAAJ3AvVVqETvOAgQdfooER6+NQVW22D7em954b1W+95yOjCyiQ@mail.gmail.com>

This is also very interesting.

Why is this the model which has been chosen?

For instance, if I wanted to send a message to you, having never met
you before, I could not verify I am sending to you and not a third
party masquerading as you.  I could probably look you up on the net,
read a bunch of web pages, perhaps you've posted your pub key on some
blog or something.  But that takes a human.

If I am a machine, is there anyway to effectively filter out poisoned
results?  (which are not poisoned via MITM but just globally
poisoned)?


Why didn't the mail server people also run local key servers for which
you could only change your key with your password?
(while this would not be any strict guarantee of course, it would
solve the problem of spam, and anyone writing to anything)


--

So basically what I'm getting from this, is if I do this with a machine:

1.  There is no trust.
2.  Changing from one key to another key, if the first key hasn't been
"officially" revoked, is even less trust.
3.  And in fact, even if the first key was revoked, there is no
guarantee that the second key is trustworthy.
4.  I need to continually monitor all keys of my users in the public
key repository, watch for changes.

-tim



On 9/9/13, Phil Pennock <gnupg-devel at spodhuis.org> wrote:
> On 2013-09-09 at 20:40 -0400, Tim Prepscius wrote:
>> Why aren't the results from the http://pgp.mit.edu:11371 signed with their
>> key?
>> They have an http request but there is no way I can tell if I've been
>> mitm-ed.
>>
>>
>> I should be able to ask each server I request from, the public key of
>> the other servers, and then check the signature of each against each
>> other
>>
>> ??
>>
>> Is this implemented and I'm missing it somehow?
>
> Anyone can upload content to the public keyservers.  I could, instead of
> writing this email, use GnuPG to create an OpenPGP key which claims to
> belong to:
>
>   Tim Prepscius <timprepscius at gmail.com>
>
> and upload it.
>
> Signatures securing links between keyservers don't matter, when *anyone*
> can anonymously upload keys into a keyserver and let them propagate.
>
> The security of the PGP keyservers is not from "being in the public
> repositories" -- they're a collection of assertions that various people
> make.
>
> The security is because PGP inherently provides an object-level model of
> security, where the items themselves should be sufficient for
> establishing links.  This is where the Web-of-Trust comes in.  Given
> user decisions of how much I trust, say, "Werner Koch" (as that identity
> is expressed by one particular PGP key) to bother verifying identities
> of people and the links between them and keys, I can trust the identity
> assertions in keys which carry a uid signature from Werner.  The link is
> there from the signature already, I decide how much I trust signatures
> from a particular key.
>
> There is spam in the public keyservers.  There are known bad keys, there
> are known malicious keys.  The continuing viability of public keyservers
> is a reasonable thing to question.  The loss of them would be a blow.
>
> But the mere presence of a key in a public collection conveys no
> inherent trust.  There's more trust from `finger foo at example.org`,
> because heck, at least faking the result would require a current active
> attack.  That's still not a lot of trust, but it is mildly suggestive
> that a key might be a reasonable match to an identity (in the form of an
> email/finger address), unlike being present in a public keyserver, which
> is not suggestive at all.
>
> -Phil
>


From gnupg-devel at spodhuis.org  Tue Sep 10 06:26:57 2013
From: gnupg-devel at spodhuis.org (Phil Pennock)
Date: Mon, 9 Sep 2013 21:26:57 -0700
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvVVqETvOAgQdfooER6+NQVW22D7em954b1W+95yOjCyiQ@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <20130910020605.GA6491@redoubt.spodhuis.org>
 <CAAJ3AvVVqETvOAgQdfooER6+NQVW22D7em954b1W+95yOjCyiQ@mail.gmail.com>
Message-ID: <20130910042656.GA9109@redoubt.spodhuis.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 2013-09-09 at 22:57 -0400, Tim Prepscius wrote:
> This is also very interesting.
> 
> Why is this the model which has been chosen?

Trust has to reside somewhere.  You appear to be asking for "trust
someone else, the server operator", in which case a compromise of them
is a compromise of your local trust integrity.

PGP *fundamentally* works on a Web-of-Trust model.  I suggest further
reading on this topic, but this is how PGP works.  If you don't want a
web-of-trust, with clients responsible for evaluating trust and
identity, then you don't want to be using PGP (OpenPGP or its
implementations such as GnuPG).

> For instance, if I wanted to send a message to you, having never met
> you before, I could not verify I am sending to you and not a third
> party masquerading as you.  I could probably look you up on the net,
> read a bunch of web pages, perhaps you've posted your pub key on some
> blog or something.  But that takes a human.

If you have a validating DNS resolver, and you trust your root zone
trust anchor to not have been subverted, then you can use DNS to find my
PGP key, verifying the results with DNSSEC.  'phil.pennock' as a
left-hand-side in the domain used for this email has CERT records in
DNS.  GnuPG can query and retrieve these.  (For mailing-lists, I use
other left-hand-sides in the domain, but given a direct email from me,
not as a reply to a list-post, your systems could do this
automatically).

(Actually, I only use CERT type 6 (IPGP), to publish the key
 fingerprint and a URL for retrieval.)

So *if* you trust your ability to verify DNSSEC, and *if* you're happy
validating only the email address, not any purported human identity,
then you could look for those CERT records and then locally sign them
upon import so that your local keyring can use the key without
prompting.

If you want to be able to _automatically_ identify a _human_ identity,
then you need a system which provides verifiable human identities.  PGP
provides that, with the WoT; PKIX provides that, with client
certificates.  To scale up then in practice, you're looking at national
identity schemes.  If your threat model includes government agencies of
your local government, then national ID systems are probably not where
you want to go.

> If I am a machine, is there anyway to effectively filter out poisoned
> results?  (which are not poisoned via MITM but just globally
> poisoned)?

Yes.  Read the GnuPG handbook, ponder the difference between "have a
key" and "have a trust path to a key".  Read up on stuff like the Strong
Set.  Don't use keys you don't have a trust-path to.  Locally-sign keys
you import where you do trust the import mechanism.

> Why didn't the mail server people also run local key servers for which
> you could only change your key with your password?
> (while this would not be any strict guarantee of course, it would
> solve the problem of spam, and anyone writing to anything)

If the problem of spam could be resolved by mail-servers, a lot of
postmasters would sigh a huge sigh of relief.

If you want something you have to log in to change, then you're looking
for 'finger', with PGP keys going in ~/.plan files.

There are various keyservers which speak HKP (the PGP usage profile of
HTTP for key search, retrieval and upload) without trying to maintain
the entire set of all publicly known keys.  You asked about using the
public keyservers, which have the characteristics stated.  If you want
to go spidering and retrieving keys by other means, and are confident of
your ability to create a multi-protocol spider which won't trigger abuse
complaints, then go for it.

Or you could look into the Strong Set, which is an identified sub-set of
the public keys for which there might be reason to believe that the
identities are probably valid.

> So basically what I'm getting from this, is if I do this with a machine:
> 
> 1.  There is no trust.

There is plenty of trust, but it's up to _you_, as the client, to trust
and verify.  In PGP, folks tend to not blindly trust remote sources not
under their own control.

> 2.  Changing from one key to another key, if the first key hasn't been
> "officially" revoked, is even less trust.

If I publish a key in which one of the UIDs has my name and a comment
stating that it replaces some other key, and I get enough signatures on
that new key, then you trust that.  Nothing I know of currently parses
such comments to automatically discard old keys.  But frankly, if a key
hasn't had new signatures on it in the past two years, then it's likely
defunct and if it hasn't had signatures in the past five years, then it
really truly is defunct.  Worst case scenario, you generate a new
self-sig and re-upload with no third-party signatures.

> 3.  And in fact, even if the first key was revoked, there is no
> guarantee that the second key is trustworthy.

The only guarantees are those you verify for yourself.

> 4.  I need to continually monitor all keys of my users in the public
> key repository, watch for changes.

No: if you know the ID of a key belonging to one of your users, then the
only changes are new signatures.  That's not an issue and shouldn't
negatively affect trust.

You *might* instead watch for new keys appearing for the same human name
as your users and figure out heuristics for which ones you care about.
If one of your users has a name such as "John Smith" then you'll have
more problems.

Naming is a hard problem.  Third-party independently verifiable naming,
using names that carry semantic value, is even harder.

- -Phil
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAlIun4cACgkQQDBDFTkDY3/pzwCdFcj8Xt+oA/Qko4eYJ/IvVI14
Ax0An08KkfUv3fJHxdok/dkwehjF4GuW
=XIrN
-----END PGP SIGNATURE-----


From wk at gnupg.org  Tue Sep 10 14:37:19 2013
From: wk at gnupg.org (Werner Koch)
Date: Tue, 10 Sep 2013 14:37:19 +0200
Subject: looking up pgp keys
In-Reply-To: <20130910042656.GA9109@redoubt.spodhuis.org> (Phil Pennock's
 message of "Mon, 9 Sep 2013 21:26:57 -0700")
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <20130910020605.GA6491@redoubt.spodhuis.org>
 <CAAJ3AvVVqETvOAgQdfooER6+NQVW22D7em954b1W+95yOjCyiQ@mail.gmail.com>
 <20130910042656.GA9109@redoubt.spodhuis.org>
Message-ID: <87hads7szk.fsf@vigenere.g10code.de>

On Tue, 10 Sep 2013 06:26, gnupg-devel at spodhuis.org said:

> reading on this topic, but this is how PGP works.  If you don't want a
> web-of-trust, with clients responsible for evaluating trust and
> identity, then you don't want to be using PGP (OpenPGP or its

Although the WoT is the de-facto trust mechanism used with OpenPGP,
there is no reason or technical problem to use OpenPGP in a different
way.  In fact, OpenPGP is quiet about the trust mechanism.  Instead of
the WoT you may implement an X.509 alike mode on top of OpenPGP or use a
simple direct trust mechanism ("gpg --trust-model=direct")

> If you want something you have to log in to change, then you're looking
> for 'finger', with PGP keys going in ~/.plan files.

finger even supports a ~/.pubkey file.  I am using this for ages.

> Naming is a hard problem.  Third-party independently verifiable naming,
> using names that carry semantic value, is even harder.

Right.

Let's address each other only by the fingerprint of its key:-).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From dkg at fifthhorseman.net  Tue Sep 10 22:50:01 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 10 Sep 2013 16:50:01 -0400
Subject: subkey binding signature with no usage flags and/or a critical
 notation
In-Reply-To: <51488365.7000307@fifthhorseman.net>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <514356CE.2000302@fifthhorseman.net> <87r4jgzdbo.fsf@vigenere.g10code.de>
 <514385EB.8060102@fifthhorseman.net> <877gl38msi.fsf@vigenere.g10code.de>
 <51488365.7000307@fifthhorseman.net>
Message-ID: <87hadsmmfa.fsf@alice.fifthhorseman.net>

On Tue 2013-03-19 11:25:25 -0400, Daniel Kahn Gillmor wrote:

> On 03/19/2013 10:52 AM, Werner Koch wrote:
>> On Fri, 15 Mar 2013 21:34, dkg at fifthhorseman.net said:
>>> My patch was just removing 3 lines ( ~ 30 bytes ) from
>>> do_add_key_flags() in g10/keygen.c -- i don't see any sort of copyright
>>> pertaining at all, but i'm fine waiting if you want me to wait.
>> 
>> Okay, send again.
>
> it's attached to this mail.

--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -210,9 +210,6 @@
     if (use & PUBKEY_USAGE_AUTH)
         buf[0] |= 0x20;
 
-    if (!buf[0])
-        return;
-
     build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
 }

I don't think the above patch (to enable creation of a subkey with a
usage flags subpacket, but no usage flags set) was ever applied to
either the 1.4 or 2.0 branches -- is this something you would be OK
adding to a stable branch, or is it only going to be in 2.1/master?

thanks,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 965 bytes
Desc: not available
URL: </pipermail/attachments/20130910/4a52630d/attachment-0001.sig>

From jeanjacquesbrucker at gmail.com  Wed Sep 11 13:54:45 2013
From: jeanjacquesbrucker at gmail.com (jbar)
Date: Wed, 11 Sep 2013 13:54:45 +0200
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
Message-ID: <20130911135445.105c0e89@gmail.com>

On Mon, 9 Sep 2013 20:40:42 -0400
Tim Prepscius <timprepscius at gmail.com> wrote:

> Why aren't the results from the http://pgp.mit.edu:11371 signed with their key?
> They have an http request but there is no way I can tell if I've been mitm-ed.
> 
 Just to say, as the develooper of thttpgpd/ludd[1], that such key
 server may sign its result using a new MIME-type
 "multipart/msigned"[2].

 You may try for example :
 $ curl -v -H "Accept: multipart/msigned" \
 "http://domesticserver.org:11371/pks/lookup?search=jbar&search=loubov&op=get"

 But that doesn't change the fact that, as Phil said, the main
 mechanism to trust a key is to use the OpenPGP WoT.
 And so if your certificate isn't connected to myself, the signature
 shouldn't be enough for you, to trust that the answer is coming from
 me, or from my own keyserver.

 By the way, if I said "There is no bad or malicious certificates on my
 key server" and you trust that and myself. Then such signed key server
 results may help you, even if it isn't as strong as checking the
 OpenPGP WoT of received certificates.

 Note: thttpgpd/ludd have yet no synchronisation mechanism
 implemented, even if I run daily a script that send updated key on
 the main SKS pool[3].

[1]:https://github.com/Open-UDC/thttpgpd
[2]:https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt
[3]:https://github.com/Open-UDC/thttpgpd/blob/master/scripts/check_pks_add_logs.daily.sh

> 
> I should be able to ask each server I request from, the public key of
> the other servers, and then check the signature of each against each
> other
> 
> ??
> 
> Is this implemented and I'm missing it somehow?
> 
> -tim
> 
> 
> On 9/9/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> > On 09/09/2013 02:12 AM, Phil Pennock wrote:
> >
> >> Note that most recipient mail-servers will not also run PGP keyservers,
> >> If you want that approach to take off, I suggest figuring out a DNS
> >> scheme for asking for SRV records _mail-openpgp._tcp.example.org or
> >> somesuch.  The details don't matter.
> >
> > If you do something like that, please don't make up your own scheme.
> > The current proposed draft for this kind of lookup is from Paul Wouters:
> >
> >   https://tools.ietf.org/html/draft-wouters-dane-openpgp
> >
> > If you are working on implementing this sort of scheme, and you evaluate
> > your threat models sensibly like Phil is suggesting, and you think you
> > see a problem with it, or a way it could be improved, you should mention
> > it to Paul.  i'm sure he would be happy to get feedback from
> > implementors for a revised draft if it is necessary.
> >
> > Regards,
> >
> > 	--dkg
> >
> >
> 
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: </pipermail/attachments/20130911/b12ece35/attachment.sig>

From timprepscius at gmail.com  Wed Sep 11 15:09:47 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Wed, 11 Sep 2013 09:09:47 -0400
Subject: looking up pgp keys
In-Reply-To: <20130911135445.105c0e89@gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <20130911135445.105c0e89@gmail.com>
Message-ID: <CAAJ3AvVqKdxEsH6OF6CgOGEyWGJ+BrpmaNacygqTJ_VNrTt0MA@mail.gmail.com>

Yes.. I'm thinking about something similar to the idea implicit in this email.

Basically, I would request that mail servers maintain a "good" list of pgp info.
(and I, myself, my mail-server, would run one)


At random times, or perhaps non random times, Bob's client would
verify that the information the mail server broadcasts is correct.
And the broadcaster (the mail server) would verify that the
information in the global servers is correct against what I know.



It would be incredibly useful to do this through a Tor/Proxy
configuration, so that I know that I am not MITM.  Or at least I know
that the NSA has gone through the trouble of MITM *every* key server.



There are still problems of course, like, if Bob doesn't check
periodically his own broadcast information, there are windows of
opportunity.  But I think this can be fixed if different mail servers
verify each other.  If there are changes, notify e-mail sender (before
actually sending) that the pub key has changed, "Joe's public key has
changed, the public key broadcast SuperMail.com is the same as stored
by MIT and by 3 other mailservers.  Do you want to accept this
change?"


I guess I am attempting to establish a web of trust via servers
checking each other and clients checking servers.



I would also fashion it, so that look ups are all done exactly, and
there is no "listing."  I'm actually sort of surprised there is any
listing mechanism.



Still thinking, but overall I think this is the plan.  Maybe not.  I
need a "machine compatible" method of finding someone's public key.

-tim


On 9/11/13, jbar <jeanjacquesbrucker at gmail.com> wrote:
> On Mon, 9 Sep 2013 20:40:42 -0400
> Tim Prepscius <timprepscius at gmail.com> wrote:
>
>> Why aren't the results from the http://pgp.mit.edu:11371 signed with their
>> key?
>> They have an http request but there is no way I can tell if I've been
>> mitm-ed.
>>
>  Just to say, as the develooper of thttpgpd/ludd[1], that such key
>  server may sign its result using a new MIME-type
>  "multipart/msigned"[2].
>
>  You may try for example :
>  $ curl -v -H "Accept: multipart/msigned" \
> "http://domesticserver.org:11371/pks/lookup?search=jbar&search=loubov&op=get"
>
>  But that doesn't change the fact that, as Phil said, the main
>  mechanism to trust a key is to use the OpenPGP WoT.
>  And so if your certificate isn't connected to myself, the signature
>  shouldn't be enough for you, to trust that the answer is coming from
>  me, or from my own keyserver.
>
>  By the way, if I said "There is no bad or malicious certificates on my
>  key server" and you trust that and myself. Then such signed key server
>  results may help you, even if it isn't as strong as checking the
>  OpenPGP WoT of received certificates.
>
>  Note: thttpgpd/ludd have yet no synchronisation mechanism
>  implemented, even if I run daily a script that send updated key on
>  the main SKS pool[3].
>
> [1]:https://github.com/Open-UDC/thttpgpd
> [2]:https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt
> [3]:https://github.com/Open-UDC/thttpgpd/blob/master/scripts/check_pks_add_logs.daily.sh
>
>>
>> I should be able to ask each server I request from, the public key of
>> the other servers, and then check the signature of each against each
>> other
>>
>> ??
>>
>> Is this implemented and I'm missing it somehow?
>>
>> -tim
>>
>>
>> On 9/9/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>> > On 09/09/2013 02:12 AM, Phil Pennock wrote:
>> >
>> >> Note that most recipient mail-servers will not also run PGP
>> >> keyservers,
>> >> If you want that approach to take off, I suggest figuring out a DNS
>> >> scheme for asking for SRV records _mail-openpgp._tcp.example.org or
>> >> somesuch.  The details don't matter.
>> >
>> > If you do something like that, please don't make up your own scheme.
>> > The current proposed draft for this kind of lookup is from Paul
>> > Wouters:
>> >
>> >   https://tools.ietf.org/html/draft-wouters-dane-openpgp
>> >
>> > If you are working on implementing this sort of scheme, and you
>> > evaluate
>> > your threat models sensibly like Phil is suggesting, and you think you
>> > see a problem with it, or a way it could be improved, you should
>> > mention
>> > it to Paul.  i'm sure he would be happy to get feedback from
>> > implementors for a revised draft if it is necessary.
>> >
>> > Regards,
>> >
>> > 	--dkg
>> >
>> >
>>
>> _______________________________________________
>> Gnupg-devel mailing list
>> Gnupg-devel at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>


From ott at mirix.org  Wed Sep 11 20:42:06 2013
From: ott at mirix.org (Matthias-Christian Ott)
Date: Wed, 11 Sep 2013 20:42:06 +0200
Subject: True RNG and GnuPG / libgcrypt
In-Reply-To: <1378092424.3168.5.camel@cfw2.gniibe.org>
References: <1377157444.3419.8.camel@cfw2.gniibe.org>
 <1378092424.3168.5.camel@cfw2.gniibe.org>
Message-ID: <5230B97E.2080408@mirix.org>

On 2013-09-02 05:27, NIIBE Yutaka wrote:
> I have a question about support of hardware RNG and GnuPG / libgcrypt.
>
> I develop NeuG, my own True RNG implementation.  It is Free Software
> for embedded MCU, specifically, STM32F103.  It is possible to use the
> routine as a standalone device, and free hardware design by me is
> also available.
>
> When I test (at least for each release), I collect 64GiB of output and
> test by NIST STS 2.1.1, Dieharder 3.31.1.  Recently, it is also tested
> by PractRand 0.90.  I don't know if it's good to address, but it is
> also tested by TestU01, too.  (Note that TestU01 is not free software.)
>
> I think that the quality of random output is good enough.  Currently,
> I use the output through the interface of /dev/random on GNU/Linux.
>
> There are two issues for me, now.
>
>   (1) I don't find any method to feed entropy (for /dev/random) on
>       *BSD system

>From a quick look at the FreeBSD source code of /dev/random, you can
feed entropy into it, if it uses Yarrow. If it uses the VIA Padlock RNG
[1], it won't work.

As far as I can tell from the source code, on illumos, OpenBSD,
DragonFlyBSD, NetBSD and XNU you can also feed entropy into /dev/random.

On Microsoft Windows it seems you can't feed entropy into the kernel.
But there is the EGDW [2]. On ReactOS CryptGenRandom and RtlGenRandom
don't use a CPRNG.

Minix 3 and Haiku allow you to feed entropy into /dev/random.

Plan 9 doesn't allow writes to /dev/random and doesn't use a CPRNG for
/dev/random.

On HP-UX you can't write to /dev/random or /dev/urandom. On AIX you can
feed entropy into /dev/random and /dev/urandom.

If you're concerned about some other obscure POSIX-like operating
system, I'll try my best to find some information about its /dev/random.
But I think it safe to say that on all major operating system except
Microsoft Windows, you can write to /dev/random and the data written is
feed into an entropy pool of the kernel.

Regards,
Matthias-Christian

[1]
http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/evaluation_padlock_rng.pdf
[2] http://egdw.sourceforge.net/


From dkg at fifthhorseman.net  Wed Sep 11 23:46:41 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 11 Sep 2013 17:46:41 -0400
Subject: subkey binding signature with no usage flags and/or a critical
 notation
In-Reply-To: <874ngc1zrz.fsf@vigenere.g10code.de>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
Message-ID: <87bo3zm3pa.fsf@alice.fifthhorseman.net>

On Fri 2013-03-15 10:52:16 -0400, Werner Koch wrote:

> On Thu, 14 Mar 2013 17:05, dkg at fifthhorseman.net said:
>> On 03/13/2013 06:27 PM, David Shaw wrote:
>>> Yes. Having no flags set at all is treated as if there is no subpacket present.  This may not be the best behavior.
>>
>> yeah, i think this needs fixing.
>
> What about this untested patch against master:
>
> commit 8f8f3984e82a025cf1384132a419f67f39c7e07d 
> Author: Werner Koch <wk at gnupg.org>
> Date:   Fri Mar 15 15:46:03 2013 +0100
>
>     gpg: Distinguish between missing and cleared key flags.
>     
>     * include/cipher.h (PUBKEY_USAGE_NONE): New.
>     * g10/getkey.c (parse_key_usage): Set new flag.
>     --
>     
>     We do not want to use the default capabilities (derived from the
>     algorithm) if any key flags are given in a signature.  Thus if key
>     flags are used in any way, the default key capabilities are never
>     used.
>     
>     This allows to create a key with key flags set to all zero so it can't
>     be used.  This better reflects common sense.
>
> 	Modified g10/getkey.c
> diff --git a/g10/getkey.c b/g10/getkey.c
> index 9294273..8cc5601 100644
> --- a/g10/getkey.c
> +++ b/g10/getkey.c
> @@ -1276,13 +1276,19 @@ parse_key_usage (PKT_signature * sig)
>  
>        if (flags)
>  	key_usage |= PUBKEY_USAGE_UNKNOWN;
> +
> +      if (!key_usage)
> +	key_usage |= PUBKEY_USAGE_NONE;
>      }
> +  else if (p) /* Key flags of length zero.  */
> +    key_usage |= PUBKEY_USAGE_NONE;
>  
>    /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
>       capability that we do not handle.  This serves to distinguish
>       between a zero key usage which we handle as the default
>       capabilities for that algorithm, and a usage that we do not
> -     handle. */
> +     handle.  Likewise we use PUBKEY_USAGE_NONE to indicate that
> +     key_flags have been given but they do not specify any usage.  */
>  
>    return key_usage;
>  }
> 	Modified include/cipher.h
> diff --git a/include/cipher.h b/include/cipher.h
> index 191e197..557ab70 100644
> --- a/include/cipher.h
> +++ b/include/cipher.h
> @@ -54,9 +54,14 @@
>  
>  #define PUBKEY_USAGE_SIG     GCRY_PK_USAGE_SIGN  /* Good for signatures. */
>  #define PUBKEY_USAGE_ENC     GCRY_PK_USAGE_ENCR  /* Good for encryption. */
> -#define PUBKEY_USAGE_CERT    GCRY_PK_USAGE_CERT  /* Also good to certify keys. */
> +#define PUBKEY_USAGE_CERT    GCRY_PK_USAGE_CERT  /* Also good to certify keys.*/
>  #define PUBKEY_USAGE_AUTH    GCRY_PK_USAGE_AUTH  /* Good for authentication. */
>  #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN  /* Unknown usage flag. */
> +#define PUBKEY_USAGE_NONE    256                 /* No usage given. */
> +#if  (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
> +      | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
> +# error Please choose another value for PUBKEY_USAGE_NONE
> +#endif
>  
>  #define DIGEST_ALGO_MD5       /*  1 */ GCRY_MD_MD5
>  #define DIGEST_ALGO_SHA1      /*  2 */ GCRY_MD_SHA1
>

As i reported earlier, this fix works fine.  I've backported it against
1.4.14 and it works there too (below).  It does not seem to be applied
to the stable branches (1.4 and 2.0).  I think it needs to be applied
to the stable branches.

Without this patch, if a subkey with a usage flags subpacket that is
all-zero appears, GnuPG thinks that the key is valid for all
capabilities (usage: SCEA).

This is dangerous in several ways:

 * if it's your own key, GnuPG will use it to sign messages or certify
   other OpenPGP certificates

 * if it's someone else's key, GnuPG will encrypt to it

 * if it's someone else's key, GnuPG may be willing to rely on OpenPGP
   certifications made by the key, despite the owner having clearly
   marked that it is not acceptable for that use.

Depending on how such a key is actually used in practice, this may cause
unrelated confidential data to be revealed, or it may let GnuPG follow
spoofable paths through the WoT.  It can can also cause invalid
signatures to be issued, which has already affected me in as a mini
self-DoS (i have a primary key with a subkey with such an empty
usage-flags subpacket that i have avoided publishing out of wariness; i
sent a message to an automated service which requires signed mail, and
the message was rejected because it was made by this subkey).

While very few people have such keys in practice right now (i might be
the only person experimenting with them -- i'm trying to circumscribe
the use of experimental subkeys to much more specific application
domains than the usage flags permit), it would be bad if these keys
continue to misinterpreted by GnuPG.

I'm inclined to see this as a security vulnerability (because of the
confidentiality and certification-following concerns); i'd like to see
it fixed in the stable branches and assigned a CVE, so that i can push
for getting it resolved in those distros that care about CVE coverage.

Any objections to this plan?  I am happy to request the CVE myself, and
will report it back here once it is assigned.

     --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-empty-usage-flags.patch
Type: text/x-diff
Size: 2015 bytes
Desc: handle keys with empty usage flag arguments properly
URL: </pipermail/attachments/20130911/da7cac88/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 965 bytes
Desc: not available
URL: </pipermail/attachments/20130911/da7cac88/attachment.sig>

From John at enigmail.net  Thu Sep 12 01:48:57 2013
From: John at enigmail.net (John Clizbe)
Date: Wed, 11 Sep 2013 18:48:57 -0500
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
Message-ID: <52310169.9030500@enigmail.net>

LTim Prepscius wrote:
> Thank you very much for this feed back.
> 
> I'm thinking, thinking, thinking...
> 
> 
> Here is sort of a naive question:
> 
> Why aren't the results from the http://pgp.mit.edu:11371 signed with their key?
> They have an http request but there is no way I can tell if I've been mitm-ed.

As others have replied, it's not the keyserver's responsibility

> I should be able to ask each server I request from, the public key of
> the other servers, and then check the signature of each against each
> other
> 
> ??
> 
> Is this implemented and I'm missing it somehow?

Aside from what is required to calculate a fingerprint, and in SKS' case the
hash used in reconiliation, there is NO crypto functionality built into the
keyserver software. That responsibility rests with the client software.

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130911/b258318c/attachment-0001.sig>

From mailinglisten at hauke-laging.de  Thu Sep 12 03:20:26 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 12 Sep 2013 03:20:26 +0200
Subject: looking up pgp keys
In-Reply-To: <52310169.9030500@enigmail.net>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net>
Message-ID: <41790150.7fMvT3ZpDy@inno.berlin.laging.de>

Am Mi 11.09.2013, 18:48:57 schrieb John Clizbe:

> > Why aren't the results from the http://pgp.mit.edu:11371 signed with their
> > key? They have an http request but there is no way I can tell if I've
> > been mitm-ed.
> As others have replied, it's not the keyserver's responsibility

If the WoT is ever to be taken seriously (the obvious comparison is the 
signature law with its requirements for CAs) then this MUST be(come) the 
server's responsibility. If you cannot know (in a way you can prove) whether 
the information you get from the server is the current state of the 
certificate then the information is close to useless.

On the other hand you must be capable of proving that you have revoked your 
key at a certain date (and time).

We need a much better keyserver infrastructure before the OpenPGP user numbers 
explode (which I claim for the next five years as I am very actively working 
on that. I have given a lecture about OpenPGP at the German BSI last month and 
even without me bringing this up they mentioned that something had to be done 
about the keyserver situation. Thus I hope they will throw some money at that.


Hauke
-- 
Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130912/46632842/attachment.sig>

From gnupg-devel at spodhuis.org  Thu Sep 12 06:25:42 2013
From: gnupg-devel at spodhuis.org (Phil Pennock)
Date: Wed, 11 Sep 2013 21:25:42 -0700
Subject: looking up pgp keys
In-Reply-To: <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net>
 <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
Message-ID: <20130912042542.GA56830@redoubt.spodhuis.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 2013-09-12 at 03:20 +0200, Hauke Laging wrote:
> If the WoT is ever to be taken seriously (the obvious comparison is the 
> signature law with its requirements for CAs) then this MUST be(come) the 
> server's responsibility. If you cannot know (in a way you can prove) whether 
> the information you get from the server is the current state of the 
> certificate then the information is close to useless.

So who or what are you wanting to trust, and under what circumstances?

The moment you start talking about compliance with signature law, I
infer that you expect the keyservers to be liable for any malicious data
present, even if validation has occurred but the attacker worked to
deceive multiple people to get their data in.  If this happens, I for
one will stop running a public keyserver: I'm not taking on public
liability for the actions of others, which I can't prevent, and with the
liability being to a public which is too often misled by persuasive
idiots who don't understand the basic principles of the components
they're talking about.

The most forgiving interpretation is that you want the server operators
to have performed some kind of filtering, but still accept
responsibility for trust verification yourself.  This is a recipe for
the filtering-by-others being "good enough" for people who don't
understand what's happening, and then again we're back to lawsuits when
reality shows that the filtering would never be complete.  It would
never be complete because there's no true definition of what should be
filtered out.  At the most simple level: "Are pseudonyms allowed?"

Please, please don't bring laws into this if you want to continue to
benefit from a public service provided for free by volunteers.

> We need a much better keyserver infrastructure before the OpenPGP user numbers 
> explode (which I claim for the next five years as I am very actively working 
> on that. I have given a lecture about OpenPGP at the German BSI last month and 
> even without me bringing this up they mentioned that something had to be done 
> about the keyserver situation. Thus I hope they will throw some money at that.

Since you're actively working on this, I welcome constructive
suggestions on how to improve matters.  Some basics for what I consider
necessary in a suggestion for it to be constructive:

 1. It outlines what the proposal considers broken in the existing
    system;
 2. Has a real actionable proposal for a technical behaviour;
 3. The proposal in 2 would truly fix point 1;
 4. The proposal does not add liability onto volunteers;
 5. The proposal does not work to make it impossible for people to
    provide a free public service, by constructing or preferentially
    facilitating a regime in which only nation-state favoured operators
    are able to safely provide the service without fear of retribution;
 6. The proposal does not give any nation, or treaty-established body,
    the authority to decide which keys are permitted to exist or which
    users are permitted to have privacy; (for the rationale for
    'treaty-established body', look up "policy laundering");
 7. The proposal does not lock in a favoured set of users.

Some thoughts on things that might help:

A keyserver pool which only contains keys in the strong set prevents
people attending keysigning parties from being able to get their keys
signed, so on its own does not work.  Setting up keyserver pools
containing only keys in the strong set, automatically pulling from the
complete pull, would let folks normally use the strong-set keyserver
pool and only reference the complete one when actively in a frame of
mind in which they're considering how to verify a key.

Automatically discarding from indices any key which hasn't had a new
self-signature in the past five years.  The key can still be present,
but the index and search don't need to report it by default.  If your
key disappears and has just been dormant, then issue a new self-sig on
your key and re-push it.  (Using "any signature" would let Eve
maliciously keep Alice's old key alive.)

Setting up restricted keyserver pools, based on local national
frameworks for notaries, is in theory a reasonable thing, provided that
the legal basis for this does not penalize the international pools.  The
trouble would be in ensuring that penalization doesn't come later.  I'm
sceptical that this could be safely done: too many people profit from
creating national ghettos to keep the unwashed masses in line.

- -Phil
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAlIxQj0ACgkQQDBDFTkDY3/WDgCfTFyjYN5JHrE/WiHdGo7ZFNX/
s78An0EMgtRdGYuOcFkirIcFat4t+Q5x
=4UmZ
-----END PGP SIGNATURE-----


From John at enigmail.net  Thu Sep 12 09:02:31 2013
From: John at enigmail.net (John Clizbe)
Date: Thu, 12 Sep 2013 02:02:31 -0500
Subject: looking up pgp keys
In-Reply-To: <20130912042542.GA56830@redoubt.spodhuis.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net> <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <20130912042542.GA56830@redoubt.spodhuis.org>
Message-ID: <52316707.2040204@enigmail.net>

Phil Pennock wrote:
> On 2013-09-12 at 03:20 +0200, Hauke Laging wrote:
>> If the WoT is ever to be taken seriously (the obvious comparison is the
>> signature law with its requirements for CAs) then this MUST be(come) the
>> server's responsibility. If you cannot know (in a way you can prove) whether
>> the information you get from the server is the current state of the
>> certificate then the information is close to useless.
> 
> So who or what are you wanting to trust, and under what circumstances?
> 
> The moment you start talking about compliance with signature law, I
> infer that you expect the keyservers to be liable for any malicious data
> present, even if validation has occurred but the attacker worked to
> deceive multiple people to get their data in.  If this happens, I for
> one will stop running a public keyserver: I'm not taking on public
> liability for the actions of others, which I can't prevent, and with the
> liability being to a public which is too often misled by persuasive
> idiots who don't understand the basic principles of the components
> they're talking about.

"misled by persuasive idiots.*\.$" Perfectly said.

If one wants to implement a X.509-type CA on top of, or as an alternative to,
the W0T, one is free to do so. Werner has made this point numerous times. But
it will fail if you try to regulate or legislate the keyservers into
compliance with your scheme.

> The most forgiving interpretation is that you want the server operators
> to have performed some kind of filtering, but still accept
> responsibility for trust verification yourself.  This is a recipe for
> the filtering-by-others being "good enough" for people who don't
> understand what's happening, and then again we're back to lawsuits when
> reality shows that the filtering would never be complete.  It would
> never be complete because there's no true definition of what should be
> filtered out.  At the most simple level: "Are pseudonyms allowed?"
> 
> Please, please don't bring laws into this if you want to continue to
> benefit from a public service provided for free by volunteers.
> 
We've already lost one keyserver due to someone believing his key could
somehow be removed from a keyserver and insisting it was his right under a
national data protection act. The operator was a valued member of the
community. This incident has with probably led to the loss of patience with
and the typically blunt application of a cluebat to the removalist camp.

The keyserver network actually works because of the lack of regulation. Trying
to regulate its operation is viewed by many as trying to control who may and
may not use crypto.

I keep seeing arguments being made about trusting the data from keyservers. I
think it is fundamentally naive to think that a [NSA|GCHQ|BSI]-regulated
keyserver will be considered being more "trustworthy" than what we have now.


-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130912/10f7bf32/attachment.sig>

From buanzo at buanzo.com.ar  Thu Sep 12 13:47:34 2013
From: buanzo at buanzo.com.ar (Arturo 'Buanzo' Busleiman)
Date: Thu, 12 Sep 2013 08:47:34 -0300
Subject: looking up pgp keys
In-Reply-To: <52316707.2040204@enigmail.net>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net>
 <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <20130912042542.GA56830@redoubt.spodhuis.org>
 <52316707.2040204@enigmail.net>
Message-ID: <CAAcS2GruU7SjWPCt+s=mKZt8Cen9HVertE0jctAKL68bj0gQbg@mail.gmail.com>

The human side of things (the WoT) must always be separated from
keyservers, which are just a convenient key search/publish/obtain system.

I have (slowly) been working on openpgp extensions for http for the past
six+ years (enigform and mod_openpgp). I am now working on a decentralized
secure IM. As most secure systems it will probably be difficult for people
that do not requiere such level of security.

We have already seen what happens when the delicate balance of ease of use
and/or functionality versus security is affected.

It hurts a bit, doesnt it, when we see that security is so hard to provide
for the end user. :(
 On Sep 12, 2013 4:03 AM, "John Clizbe" <John at enigmail.net> wrote:

> Phil Pennock wrote:
> > On 2013-09-12 at 03:20 +0200, Hauke Laging wrote:
> >> If the WoT is ever to be taken seriously (the obvious comparison is the
> >> signature law with its requirements for CAs) then this MUST be(come) the
> >> server's responsibility. If you cannot know (in a way you can prove)
> whether
> >> the information you get from the server is the current state of the
> >> certificate then the information is close to useless.
> >
> > So who or what are you wanting to trust, and under what circumstances?
> >
> > The moment you start talking about compliance with signature law, I
> > infer that you expect the keyservers to be liable for any malicious data
> > present, even if validation has occurred but the attacker worked to
> > deceive multiple people to get their data in.  If this happens, I for
> > one will stop running a public keyserver: I'm not taking on public
> > liability for the actions of others, which I can't prevent, and with the
> > liability being to a public which is too often misled by persuasive
> > idiots who don't understand the basic principles of the components
> > they're talking about.
>
> "misled by persuasive idiots.*\.$" Perfectly said.
>
> If one wants to implement a X.509-type CA on top of, or as an alternative
> to,
> the W0T, one is free to do so. Werner has made this point numerous times.
> But
> it will fail if you try to regulate or legislate the keyservers into
> compliance with your scheme.
>
> > The most forgiving interpretation is that you want the server operators
> > to have performed some kind of filtering, but still accept
> > responsibility for trust verification yourself.  This is a recipe for
> > the filtering-by-others being "good enough" for people who don't
> > understand what's happening, and then again we're back to lawsuits when
> > reality shows that the filtering would never be complete.  It would
> > never be complete because there's no true definition of what should be
> > filtered out.  At the most simple level: "Are pseudonyms allowed?"
> >
> > Please, please don't bring laws into this if you want to continue to
> > benefit from a public service provided for free by volunteers.
> >
> We've already lost one keyserver due to someone believing his key could
> somehow be removed from a keyserver and insisting it was his right under a
> national data protection act. The operator was a valued member of the
> community. This incident has with probably led to the loss of patience with
> and the typically blunt application of a cluebat to the removalist camp.
>
> The keyserver network actually works because of the lack of regulation.
> Trying
> to regulate its operation is viewed by many as trying to control who may
> and
> may not use crypto.
>
> I keep seeing arguments being made about trusting the data from
> keyservers. I
> think it is fundamentally naive to think that a [NSA|GCHQ|BSI]-regulated
> keyserver will be considered being more "trustworthy" than what we have
> now.
>
>
> --
> John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
> SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
> FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
>      mailto:pgp-public-keys at gingerbear.net?subject=HELP
>
> Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
> A:"An odd melody / island voices on the winds / surplus of vowels"
>
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130912/b910112c/attachment-0001.html>

From mailinglisten at hauke-laging.de  Thu Sep 12 14:50:14 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 12 Sep 2013 14:50:14 +0200
Subject: looking up pgp keys
In-Reply-To: <20130912042542.GA56830@redoubt.spodhuis.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <20130912042542.GA56830@redoubt.spodhuis.org>
Message-ID: <5973476.XXOI0E28qX@inno.berlin.laging.de>

Am Mi 11.09.2013, 21:25:42 schrieb Phil Pennock:

> So who or what are you wanting to trust, and under what circumstances?

This is less about trust and more about proof. To make this clear: It is also 
not about making regulations for existing keyservers. I want a widely used 
keyserver software to offer (not force) the necessary features so that e.g. 
mail providers can easily decide to set it up for their domains. The 
responsibility to mark such a reliable keyserver as preferred keyserver would 
be up to the user.


> The moment you start talking about compliance with signature law, I
> infer that you expect the keyservers to be liable for any malicious data
> present, even if validation has occurred but the attacker worked to
> deceive multiple people to get their data in.

I am not talking about data at all. I am talking about a proof: "This is what 
this key looked like on this keyserver at this time." Checking the data would 
be a different feature.


> liability being to a public which is too often misled by persuasive
> idiots who don't understand the basic principles of the components
> they're talking about.

Indeed, the general knowledge level is really bad. Thus I have started this 
some time ago (German only, though):
http://www.openpgp-schulungen.de/fuer/webautoren/
I read articles about OpenPGP on the web and try to correct them. One problem 
is though: Often articles are bad not only due to real errors but due to the 
lot of stuff they don't mention...


> The most forgiving interpretation is that you want the server operators
> to have performed some kind of filtering,

I do want the technical possibility for filtering (you give the reason for 
that yourself later in the mail) but that is a completely different feature. 
Filtering does not have any relevant relation to the state of a key at a given 
point in time.


> lawsuits

> reality shows that the filtering would never be complete.  It would
> never be complete because there's no true definition of what should be
> filtered out.

The whole offline world does not work by "true definitions". It works by 
imprecise definitions and people complaining. The moment someone says "I want 
that removed" you can either accept that and remove it (and maybe inform the 
one who caused the content) or take it to court. That's the case for web sites 
and everything. Why should keyservers be handled differently? What we need 
(and are going to get) is a simple but obligatory system by which someone can 
make such claims (and can be held responsible for making such claims).


> Please, please don't bring laws into this if you want to continue to
> benefit from a public service provided for free by volunteers.

As I said: I do not want to force anyone to offer the technical abilities. But 
for the filtering: As you (indirectly) mention yourself later the legal 
situation in Germany and probably more or less everywhere in the civilized 
world is already that you must filter. If you don't then you may run into 
trouble if somebody complains. Being a volunteer is nice but does not relieve 
you from general legal duties. It doesn't with webservers why should it with 
keyservers?

Thus my demand for filtering (as a different feature than the one I started 
talking about) is not to trigger legal problems but to solve those which are 
already where.


>  1. It outlines what the proposal considers broken in the existing
>     system;

Didn't I?


>  2. Has a real actionable proposal for a technical behaviour;

The keyserver must frequently offer a direct or (for performance reasons) 
indirect signature for each key showing the state of the key at the time of 
the signature.


>  3. The proposal in 2 would truly fix point 1;

yeah


>  4. The proposal does not add liability onto volunteers;

You are sure that you don't mix up "constructive" with "convenient for me"...?


>  5. The proposal does not work to make it impossible for people to
>     provide a free public service

yeah


>  6. The proposal does not give any nation, or treaty-established body,
>     the authority to decide which keys are permitted to exist or which
>     users are permitted to have privacy; (for the rationale for
>     'treaty-established body', look up "policy laundering");

yeah (But: The existing law already defines that.)


>  7. The proposal does not lock in a favoured set of users.

yeah


> A keyserver pool which only contains keys in the strong set

I guess what we will see is not that but keyservers which serve certificates 
for their domains only. This solves the scaling problem: Those with millions 
of email addresses do have the necessary resources for keyservers on that 
scale.


> Setting up restricted keyserver pools, based on local national
> frameworks for notaries, is in theory a reasonable thing, provided that
> the legal basis for this does not penalize the international pools.

Usually you don't have to care about the law in countries other than yours.

Though we already had a counterexample for that: The braindead European Union 
decided years ago that people should (as a side effect) be held reliable for 
things that are illegal in another country only. The German constitutional 
court was required to intervene in order to stop this bullshit. Turned out 
very embarrassing for the federal government (which the stupid people happily 
reelect though...).


Hauke
-- 
Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130912/439d745d/attachment.sig>

From rjh at sixdemonbag.org  Thu Sep 12 15:53:07 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 12 Sep 2013 09:53:07 -0400
Subject: looking up pgp keys
In-Reply-To: <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net> <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
Message-ID: <5231C743.5050009@sixdemonbag.org>

On 9/11/2013 9:20 PM, Hauke Laging wrote:
> If the WoT is ever to be taken seriously (the obvious comparison is the 
> signature law with its requirements for CAs) then this MUST be(come) the 
> server's responsibility.

Why?

> If you cannot know (in a way you can prove) whether 
> the information you get from the server is the current state of the 
> certificate then the information is close to useless.

Then the information is close to useless.  There is no requirement that
people update the keyservers when they change their certificate.  Nor
could such a requirement possibly ever be enforced.

> On the other hand you must be capable of proving that you have revoked your 
> key at a certain date (and time).

Requires a trusted third party to do timestamping.  Trusted timestamp
services are also highly nontrivial and tend to be high-value targets
for compromise.

> We need a much better keyserver infrastructure before the OpenPGP user numbers 
> explode...

I've been hearing "we must do X before OpenPGP takes off" for the past
20 years.  After seeing many, many Xes go by, I'm deeply skeptical of
this claim.



From mailinglisten at hauke-laging.de  Thu Sep 12 16:10:53 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 12 Sep 2013 16:10:53 +0200
Subject: looking up pgp keys
In-Reply-To: <5231C743.5050009@sixdemonbag.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <5231C743.5050009@sixdemonbag.org>
Message-ID: <2105948.iL5G3P1axX@inno.berlin.laging.de>

Am Do 12.09.2013, 09:53:07 schrieb Robert J. Hansen:
> On 9/11/2013 9:20 PM, Hauke Laging wrote:
> > If the WoT is ever to be taken seriously (the obvious comparison is the
> > signature law with its requirements for CAs) then this MUST be(come) the
> > server's responsibility.
> 
> Why?

The answer is above. An unreliable system is inacceptable from legal 
perspective.


> There is no requirement that
> people update the keyservers when they change their certificate.  Nor
> could such a requirement possibly ever be enforced.

I am not talking about the users but about the keyservers. It's perfectly OK 
for a user not to care about his key. Of course, he is liable for the damage 
caused by that (this is not special to crypto but the case everywhere in 
life). But the public must be capable of proving that he didn't.


> > On the other hand you must be capable of proving that you have revoked
> > your key at a certain date (and time).
> 
> Requires a trusted third party to do timestamping.

It's enough that the keyserver does the signing.


> > We need a much better keyserver infrastructure before the OpenPGP user
> > numbers explode...
> 
> I've been hearing "we must do X before OpenPGP takes off" for the past
> 20 years.  After seeing many, many Xes go by, I'm deeply skeptical of
> this claim.

This may be a language problem. My statement was not meant as cause and result 
("If we improve the keyservers then we will as a result of that see a big 
increase of the OpenPGP users.") but as a warning: The numbers will explode 
anyway (even if GnuPG and the keyserver software don't change at all) but we 
will run into problems if we do not manage to improve the keyserver software 
in time.

So you are welcome to be skeptical but about the right claim, please... ;-)


Hauke
-- 
Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130912/43aadca2/attachment.sig>

From timprepscius at gmail.com  Thu Sep 12 18:42:21 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Thu, 12 Sep 2013 12:42:21 -0400
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvVqKdxEsH6OF6CgOGEyWGJ+BrpmaNacygqTJ_VNrTt0MA@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <522D0FA8.2060207@fifthhorseman.net>
 <CAAJ3AvXPv35BEu7+XhxevzJdaxaYoA=EgC-pZU6UYFaJq9nAXg@mail.gmail.com>
 <CAAJ3AvXT4CFH_nxfG9vGz65PSH8U19Bt4iJWcZ322NT0taVD1w@mail.gmail.com>
 <20130909061258.GA92675@redoubt.spodhuis.org>
 <522DD3A4.4020406@fifthhorseman.net>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <20130911135445.105c0e89@gmail.com>
 <CAAJ3AvVqKdxEsH6OF6CgOGEyWGJ+BrpmaNacygqTJ_VNrTt0MA@mail.gmail.com>
Message-ID: <CAAJ3AvWGKcu2+qHmVfunL7tM343_xjR3kmqOu1feR0GhzJuoMA@mail.gmail.com>

I fear I am one of the "persuasive idiots.*\.$"

---

But I'm not sure why compliance would even come into play..

The only function that needs to happen is that "the place of standard
lookup," (what I'm proposing would be receiving mail server.

Would be verifiable.


It doesn't matter if it has the wrong key in it, if this issue can be
discovered.

So for instance if SuperMail has key for Bob.  Malicious hacker
replaces key with different key.

Bob can verify.
Other servers will detect change.


If *super-hacker* replaces key for Bob and then MITM Bob so he cannot
discover it, still for this to be effective, the key *must* be visible
to the outside world.

So other servers can detect the change, and Bob can detect the change
through other servers.


If *ultra-super-hacker-inviso-shirt* replaces key for Bob and then
completely MITM Bob so that he cannot get key from *any* server and
cannot ask *any* server to verify.

Then this is obviously a problem.  But I would say, (perhaps like an
idiot), that so far as I see:

-- if bob is truly a target his computer will be rooted anyway, he
will have a key logger, and his private key should be considered
revealed. --

It would probably be much easier to root his computer/phone take his
key, have a janitor walk into his work place, break into his
apartment, etc, than MITM *all* of his traffic searching for requests
for verification of his private key...


???

I fear I am missing an obvious issue here.  Feel free to enlighten ;-)

-tim


From martin at martinpaljak.net  Thu Sep 12 18:14:08 2013
From: martin at martinpaljak.net (Martin Paljak)
Date: Thu, 12 Sep 2013 19:14:08 +0300
Subject: looking up pgp keys
In-Reply-To: <5231C743.5050009@sixdemonbag.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net> <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <5231C743.5050009@sixdemonbag.org>
Message-ID: <CACsm3DW9Hz5Zk+A1H6WJS5n4jhK9WQFxSnMK8ctGA8xcWnCwmQ@mail.gmail.com>

On Thu, Sep 12, 2013 at 4:53 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>> On the other hand you must be capable of proving that you have revoked your
>> key at a certain date (and time).
>
> Requires a trusted third party to do timestamping.  Trusted timestamp
> services are also highly nontrivial and tend to be high-value targets
> for compromise.

Have you heard of www.guardtime.com ?

--
Martin
+372 515 6495


From rjh at sixdemonbag.org  Fri Sep 13 01:00:56 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 12 Sep 2013 19:00:56 -0400
Subject: looking up pgp keys
In-Reply-To: <2105948.iL5G3P1axX@inno.berlin.laging.de>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <5231C743.5050009@sixdemonbag.org> <2105948.iL5G3P1axX@inno.berlin.laging.de>
Message-ID: <523247A8.2030408@sixdemonbag.org>

On 9/12/2013 10:10 AM, Hauke Laging wrote:
> The answer is above. An unreliable system is inacceptable from legal 
> perspective.

Your definition of 'unreliable' is interesting.

The keyservers make *absolutely no assurances* about the certificate
they're giving you.  It's just a bunch of bits.  The certificate itself
is what gives confidence and reliability.

If we were to add strong crypto to the keyserver network, the size of
the SKS codebase would explode -- and with it, the bug count.  Complex
systems are fragile systems.  Compare how many security-critical bugs
there have been in GnuPG versus how many there have been in SKS.  (This
is not a slam against GnuPG!  I'm just pointing out the vast difference
in code base size, and the impact it has on reliability.)

If we were to do what you believe is necessary to make keyservers
"reliable", it would have the effect of making them vastly more unreliable.

John Clizbe, whom I believe is one of the maintainers for SKS, can often
be found on this list.  I'd love to hear his thoughts on whether adding
these reliability features to SKS would enhance or diminish SKS's security.

> But the public must be capable of proving that he didn't.

Can't be done, bang, period, end of sentence.  Some people like to think
OpenPGP provides nonrepudiability, but that's an ephemera.  If you don't
control your PC -- if you're playing host to malware -- it's very easy
to say, "but I didn't write that!" and have it be completely credible.

I have seen PGP-signed spam mail.  The victim had PGP set up as an
outbound mail proxy to sign everything, and the victim got hit by
malware and turned into a spambot.

In an era where about one desktop in three is compromised, you cannot
rely on cryptographic protocols to provide nonrepudiability.

> It's enough that the keyserver does the signing.

Well, that's a disaster right there.  Now on top of hundreds of
keyservers we've got each one of them serving as its own timestamp
authority.  What happens when two of them conflict?  What happens when
one gets the latest time zone update file and another doesn't?  What
happens then one corrects for a leap second and another doesn't?  And
how do they all stay in sync, anyway?



From tomanek at internet-sicherheit.de  Fri Sep 13 08:48:54 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Fri, 13 Sep 2013 08:48:54 +0200
Subject: Checking key server response against the request parameters
Message-ID: <20130913064854.GZ21970@zirkel.wertarbyte.de>

While working with the gnupg source code, I noticed that gnupg does not take
the query itself into consideration when retrieving key data from a server
(--search-key, --recv-key); regardless of the query issued, gnupg will happily
import anything returned.

This poses a few problems:

A malicious keyserver (or man in the middle) can "pollute" the keyring with
additional keys, making it hard to identify the correct ones. Creating keys
with identical (short) key ids has become easy over the years, so it might be
possible for an attacker to introduce bogus key material into the keyring of a
targeted victim (who might not pay attention to the real fingerprint after
importing).

It also violates the principle of least surprise:
Issuing a very specific command like receiving a key identified by its
fingerprint (gpg --recv-keys 0x15F900BFBA9B685D15D0266C2788CD17B78FEAFA)
should not bear the possibility of importing completely unrelated key material;
neither should 'gpg --refresh-key'.

I've created a set of patches to tackle this issue:

1. display the key fingerprint when searching for keys

When using vague arguments to search for matching keys on the servers, current
releases of e.g. SKS (1.1.4+) return the entire fingerprint in the result set
instead of a shorter key id. When displaying the result, GnuPG cuts this down
to the setting of --keyformat, possibly hiding vital information for key
identification. Checking the fingerprint after importing the key (and removing
it on mismatch) is prone to user neglect and error.

With my patches applied, the fingerprint (if available) is shown to the user
_before_ the key is added to the keyring.

2. filter the retrieved key data by applying the constraints of the query

Instead of blindly importing anything returned by the keyserver, the changeset
introduces a filtering mechanism that takes the initial request into
consideration. If, for example, the get request was issued using a complete
fingerprint (like when using --refresh-keys or --search-keys), the filter
function will look at each key to be imported and match its calculated
fingerprint against the initial query value.

This prevents malicious attackers from "slipping" additional keys into the
result set.

I've already sent the patches to this list (however, they might be stuck in
moderation). The changeset is also available on my github account - although
based on 1.4, they should also be applicable to the 2.0 branch.

https://github.com/wertarbyte/gnupg/compare/stable-1-4...keyserver_fpr

I'd really like to see those changes integrated into the official tree;
of course, any feedback is welcome as well.

Stefan Tomanek
-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen


From tomanek at internet-sicherheit.de  Fri Sep 13 08:58:19 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Fri, 13 Sep 2013 08:58:19 +0200
Subject: [PATCH 1/3] unify formatting of fingerprints
Message-ID: <20130913065819.GA21970@zirkel.wertarbyte.de>

This change introduces a common function to turn
a fingerprint into a human readable format.

Signed-off-by: Stefan Tomanek <tomanek at internet-sicherheit.de>
---
 g10/keylist.c |   57 +++++++++++++++++++++++++++++----------------------------
 g10/main.h    |    1 +
 2 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/g10/keylist.c b/g10/keylist.c
index 6618a7f..4426efd 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1459,6 +1459,28 @@ list_keyblock( KBNODE keyblock, int secret, int fpr, void *opaque )
         list_keyblock_print (keyblock, secret, fpr, opaque );
 }
 
+char *
+format_fingerprint(const byte *fpr, const int len)
+{
+    int str_len =     len*2                  /* 2 hex digits per byte */
+                  +  (len*2-1) / 4           /* one space every 4 digits */
+                  + ((len*2-1) / 4 - 1) / 5; /* one additional space after 5 groups */
+    char *fp = xmalloc_clear(str_len + 1);
+
+    int i;
+    int j;
+    for (i = 0, j = 0; i < len && j < str_len-1; i++, j+=2)
+      {
+        if (i && i%2 == 0)
+          fp[j++] = ' ';
+        if (len == 20 && i == 10)
+          fp[j++] = ' ';
+        sprintf(&fp[j], "%02X", fpr[i]);
+      }
+    fp[str_len] = '\0';
+    return fp;
+}
+
 /*
  * standard function to print the finperprint.
  * mode 0: as used in key listings, opt.with_colons is honored
@@ -1555,34 +1577,13 @@ print_fingerprint (PKT_public_key *pk, PKT_secret_key *sk, int mode )
             fputs (text, fp);
         else
             tty_printf ("%s", text);
-	if (n == 20) {
-	    for (i=0; i < n ; i++, i++, p += 2 ) {
-                if (fp) {
-                    if (i == 10 )
-                        putc(' ', fp);
-                    fprintf (fp, " %02X%02X", *p, p[1] );
-                }
-                else {
-                    if (i == 10 )
-                        tty_printf (" ");
-                    tty_printf (" %02X%02X", *p, p[1]);
-                }
-	    }
-	}
-	else {
-	    for (i=0; i < n ; i++, p++ ) {
-                if (fp) {
-                    if (i && !(i%8) )
-                        putc (' ', fp);
-                    fprintf (fp, " %02X", *p );
-                }
-                else {
-                    if (i && !(i%8) )
-                        tty_printf (" ");
-                    tty_printf (" %02X", *p );
-                }
-	    }
-	}
+
+        char *fpr = format_fingerprint(p, n);
+        if (fp)
+            fprintf (fp, " %s", fpr);
+        else
+            tty_printf (" %s", fpr);
+        xfree(fpr);
     }
     if (fp)
         putc ('\n', fp);
diff --git a/g10/main.h b/g10/main.h
index 784ade0..eadac1f 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -250,6 +250,7 @@ void secret_key_list( STRLIST list );
 void print_subpackets_colon(PKT_signature *sig);
 void reorder_keyblock (KBNODE keyblock);
 void list_keyblock( KBNODE keyblock, int secret, int fpr, void *opaque );
+char *format_fingerprint(const byte *fpr, const int len);
 void print_fingerprint (PKT_public_key *pk, PKT_secret_key *sk, int mode);
 void print_revokers(PKT_public_key *pk);
 void show_policy_url(PKT_signature *sig,int indent,int mode);
-- 
1.7.10.4


From tomanek at internet-sicherheit.de  Fri Sep 13 08:58:36 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Fri, 13 Sep 2013 08:58:36 +0200
Subject: [PATCH 2/3] display key fingerprints if offered by keyserver
Message-ID: <20130913065836.GB21970@zirkel.wertarbyte.de>

This change tries to make use of complete key fingerprints if those are
offered by the consulted keyserver. If a keyserver returns the entire
fingerprint as a user id, it will be shown to the user searching the
database.

Signed-off-by: Stefan Tomanek <tomanek at internet-sicherheit.de>
---
 g10/keyserver.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/g10/keyserver.c b/g10/keyserver.c
index 1eadff1..440c6a1 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -462,6 +462,8 @@ print_keyrec(int number,struct keyrec *keyrec)
 {
   int i;
 
+  char *fp_str = NULL;
+
   iobuf_writebyte(keyrec->uidbuf,0);
   iobuf_flush_temp(keyrec->uidbuf);
   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
@@ -503,6 +505,7 @@ print_keyrec(int number,struct keyrec *keyrec)
       printf("key ");
       for(i=0;i<16;i++)
 	printf("%02X",keyrec->desc.u.fpr[i]);
+      fp_str = format_fingerprint(keyrec->desc.u.fpr, 16);
       break;
 
       /* If we get a modern fingerprint, we have the most
@@ -512,6 +515,7 @@ print_keyrec(int number,struct keyrec *keyrec)
 	u32 kid[2];
 	keyid_from_fingerprint(keyrec->desc.u.fpr,20,kid);
 	printf("key %s",keystr(kid));
+        fp_str = format_fingerprint(keyrec->desc.u.fpr, 20);
       }
       break;
 
@@ -540,6 +544,14 @@ print_keyrec(int number,struct keyrec *keyrec)
     printf(" (%s)",_("expired"));
 
   printf("\n");
+  if(fp_str)
+    {
+      printf("\t%s ", _("      Key fingerprint ="));
+      printf("%s", fp_str);
+      xfree(fp_str);
+      printf("\n");
+    }
+  printf("\n");
 }
 
 /* Returns a keyrec (which must be freed) once a key is complete, and
-- 
1.7.10.4


From tomanek at internet-sicherheit.de  Fri Sep 13 08:58:53 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Fri, 13 Sep 2013 08:58:53 +0200
Subject: [PATCH 3/3] filter and verify keyserver responses
Message-ID: <20130913065853.GC21970@zirkel.wertarbyte.de>

This changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.

Signed-off-by: Stefan Tomanek <tomanek at internet-sicherheit.de>
---
 g10/import.c    |   60 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 g10/keyserver.c |   39 ++++++++++++++++++++++++++++++++++--
 g10/main.h      |    4 ++++
 3 files changed, 94 insertions(+), 9 deletions(-)

diff --git a/g10/import.c b/g10/import.c
index 90fc2d6..c817a51 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -58,6 +58,9 @@ struct stats_s {
 };
 
 
+static int import_constr( IOBUF inp, const char* fname,struct stats_s *stats,
+	unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	import_filter filter, void *filter_arg );
 static int import( IOBUF inp, const char* fname,struct stats_s *stats,
 		   unsigned char **fpr,size_t *fpr_len,unsigned int options );
 static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root );
@@ -65,6 +68,11 @@ static void revocation_present(KBNODE keyblock);
 static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats,
 		      unsigned char **fpr,size_t *fpr_len,
 		      unsigned int options,int from_sk);
+static int import_one_constr(const char *fname, KBNODE keyblock,struct stats_s *stats,
+		      unsigned char **fpr,size_t *fpr_len,
+		      unsigned int options,int from_sk,
+		      import_filter filter, void *filter_arg);
+
 static int import_secret_one( const char *fname, KBNODE keyblock,
                               struct stats_s *stats, unsigned int options);
 static int import_revoke_cert( const char *fname, KBNODE node,
@@ -161,9 +169,10 @@ import_release_stats_handle (void *p)
  *
  */
 static int
-import_keys_internal( IOBUF inp, char **fnames, int nnames,
+import_keys_internal_constr( IOBUF inp, char **fnames, int nnames,
 		      void *stats_handle, unsigned char **fpr, size_t *fpr_len,
-		      unsigned int options )
+		      unsigned int options,
+		      import_filter filter, void *filter_arg )
 {
     int i, rc = 0;
     struct stats_s *stats = stats_handle;
@@ -172,7 +181,7 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
         stats = import_new_stats_handle ();
 
     if (inp) {
-        rc = import( inp, "[stream]", stats, fpr, fpr_len, options);
+        rc = import_constr( inp, "[stream]", stats, fpr, fpr_len, options, filter, filter_arg);
     }
     else {
         int once = (!fnames && !nnames);
@@ -219,6 +228,14 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
     return rc;
 }
 
+static int
+import_keys_internal( IOBUF inp, char **fnames, int nnames,
+		      void *stats_handle, unsigned char **fpr, size_t *fpr_len,
+		      unsigned int options )
+{
+  return import_keys_internal_constr(inp, fnames, nnames, stats_handle, fpr, fpr_len, options, NULL, NULL);
+}
+
 void
 import_keys( char **fnames, int nnames,
 	     void *stats_handle, unsigned int options )
@@ -227,15 +244,24 @@ import_keys( char **fnames, int nnames,
 }
 
 int
+import_keys_stream_constr( IOBUF inp, void *stats_handle,
+		    unsigned char **fpr, size_t *fpr_len,unsigned int options,
+	            import_filter filter, void *filter_arg )
+{
+  return import_keys_internal_constr(inp,NULL,0,stats_handle,fpr,fpr_len,options,filter,filter_arg);
+}
+
+int
 import_keys_stream( IOBUF inp, void *stats_handle,
 		    unsigned char **fpr, size_t *fpr_len,unsigned int options )
 {
-  return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options);
+  return import_keys_stream_constr(inp,stats_handle,fpr,fpr_len,options,NULL,NULL);
 }
 
 static int
-import( IOBUF inp, const char* fname,struct stats_s *stats,
-	unsigned char **fpr,size_t *fpr_len,unsigned int options )
+import_constr( IOBUF inp, const char* fname,struct stats_s *stats,
+	unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	import_filter filter, void *filter_arg )
 {
     PACKET *pending_pkt = NULL;
     KBNODE keyblock = NULL;
@@ -252,7 +278,8 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
 
     while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) {
 	if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY )
-	    rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0);
+	    rc = import_one_constr( fname, keyblock, stats, fpr, fpr_len, options, 0,
+	                            filter, filter_arg);
 	else if( keyblock->pkt->pkttype == PKT_SECRET_KEY )
                 rc = import_secret_one( fname, keyblock, stats, options );
 	else if( keyblock->pkt->pkttype == PKT_SIGNATURE
@@ -278,6 +305,12 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
     return rc;
 }
 
+static int
+import( IOBUF inp, const char* fname,struct stats_s *stats,
+	unsigned char **fpr,size_t *fpr_len,unsigned int options )
+{
+	return import_constr(inp, fname, stats, fpr, fpr_len, options, NULL, NULL);
+}
 
 void
 import_print_stats (void *hd)
@@ -740,6 +773,15 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	    unsigned char **fpr,size_t *fpr_len,unsigned int options,
 	    int from_sk )
 {
+  return import_one_constr(fname, keyblock, stats, fpr,
+    fpr_len, options, from_sk, NULL, NULL);
+}
+
+static int
+import_one_constr( const char *fname, KBNODE keyblock, struct stats_s *stats,
+	    unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	    int from_sk, import_filter filter, void *filter_arg)
+{
     PKT_public_key *pk;
     PKT_public_key *pk_orig;
     KBNODE node, uidnode;
@@ -778,6 +820,10 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	return 0;
       }
 
+    if (filter && filter(pk, filter_arg)) {
+        log_error( _("key %s: rejected by import filter\n"), keystr_from_pk(pk));
+        return 0;
+    }
     if (opt.interactive) {
         if(is_status_enabled())
 	  print_import_check (pk, uidnode->pkt->pkt.user_id);
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 440c6a1..448ef5f 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -971,6 +971,40 @@ direct_uri_map(const char *scheme,unsigned int is_direct)
 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
 
+static int
+keyserver_retrieval_filter(PKT_public_key *pk, void *arg)
+{
+  KEYDB_SEARCH_DESC *desc = arg;
+  u32 keyid[2];
+  byte fpr[MAX_FINGERPRINT_LEN];
+  size_t fpr_len = 0;
+  fingerprint_from_pk(pk, fpr, &fpr_len);
+  keyid_from_pk(pk, keyid);
+
+  /* compare requested and returned fingerprints if available */
+  if (desc->mode == KEYDB_SEARCH_MODE_FPR20) {
+    if (fpr_len != 20 || memcmp(fpr, desc->u.fpr, 20)) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) {
+    if (fpr_len != 16 || memcmp(fpr, desc->u.fpr, 16)) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) {
+    if (memcmp(keyid, desc->u.kid, sizeof(keyid))) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) {
+    if (memcmp(&keyid[1], &desc->u.kid[1], 1)) {
+      return 1;
+    }
+  }
+  return 0;
+}
+
 static int 
 keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 		int count,int *prog,unsigned char **fpr,size_t *fpr_len,
@@ -1517,8 +1551,9 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 	     way to do this could be to continue parsing this
 	     line-by-line and make a temp iobuf for each key. */
 
-	  import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
-			     opt.keyserver_options.import_options);
+	  import_keys_stream_constr(spawn->fromchild,stats_handle,fpr,fpr_len,
+			     opt.keyserver_options.import_options,
+			     &keyserver_retrieval_filter, desc);
 
 	  import_print_stats(stats_handle);
 	  import_release_stats_handle(stats_handle);
diff --git a/g10/main.h b/g10/main.h
index eadac1f..cfa8f36 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -207,11 +207,15 @@ MPI encode_md_value( PKT_public_key *pk, PKT_secret_key *sk,
 		     MD_HANDLE md, int hash_algo );
 
 /*-- import.c --*/
+typedef int (*import_filter)(PKT_public_key *pk, void *arg);
 int parse_import_options(char *str,unsigned int *options,int noisy);
 void import_keys( char **fnames, int nnames,
 		  void *stats_hd, unsigned int options );
 int import_keys_stream( IOBUF inp,void *stats_hd,unsigned char **fpr,
 			size_t *fpr_len,unsigned int options );
+int import_keys_stream_constr( IOBUF inp,void *stats_hd,unsigned char **fpr,
+			size_t *fpr_len,unsigned int options,
+			import_filter constr, void *filter_arg);
 void *import_new_stats_handle (void);
 void import_release_stats_handle (void *p);
 void import_print_stats (void *hd);
-- 
1.7.10.4


From tomanek at internet-sicherheit.de  Fri Sep 13 14:36:13 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Fri, 13 Sep 2013 14:36:13 +0200
Subject: [PATCH 2/3] display key fingerprints if offered by keyserver
In-Reply-To: <CAAu18hf8x3pXYY0AunLOAXzsoM5W+FM5np+KJt5jO26+eQPBbA@mail.gmail.com>
References: <20130913065836.GB21970@zirkel.wertarbyte.de>
 <CAAu18hf8x3pXYY0AunLOAXzsoM5W+FM5np+KJt5jO26+eQPBbA@mail.gmail.com>
Message-ID: <20130913123613.GE21970@zirkel.wertarbyte.de>

Dies schrieb Nicholas Cole (nicholas.cole at gmail.com):

> Is this patch likely to affect the output of the --with-colons version
> of the results? If so could that change be documented somewhere (eg.
> in DETAILS)?

I don't think so, using --with-colons in conjunction with --search-keys seems
just to be printing the keyserver output. The fingerprint is only shown when
used in the normal, human readable way.
-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen


From nicholas.cole at gmail.com  Fri Sep 13 14:19:22 2013
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Fri, 13 Sep 2013 13:19:22 +0100
Subject: [PATCH 2/3] display key fingerprints if offered by keyserver
In-Reply-To: <20130913065836.GB21970@zirkel.wertarbyte.de>
References: <20130913065836.GB21970@zirkel.wertarbyte.de>
Message-ID: <CAAu18hf8x3pXYY0AunLOAXzsoM5W+FM5np+KJt5jO26+eQPBbA@mail.gmail.com>

On Fri, Sep 13, 2013 at 7:58 AM, Stefan Tomanek
<tomanek at internet-sicherheit.de> wrote:
> This change tries to make use of complete key fingerprints if those are
> offered by the consulted keyserver. If a keyserver returns the entire
> fingerprint as a user id, it will be shown to the user searching the
> database.
>
> Signed-off-by: Stefan Tomanek <tomanek at internet-sicherheit.de>

Is this patch likely to affect the output of the --with-colons version
of the results? If so could that change be documented somewhere (eg.
in DETAILS)?

N.


From rjh at sixdemonbag.org  Fri Sep 13 16:36:12 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 13 Sep 2013 10:36:12 -0400
Subject: looking up pgp keys
In-Reply-To: <20130912042542.GA56830@redoubt.spodhuis.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvWNWMWZOmq9MMdjdoe9Z5VfP7he2R06BbOzpKa3xiRThQ@mail.gmail.com>
 <52310169.9030500@enigmail.net> <41790150.7fMvT3ZpDy@inno.berlin.laging.de>
 <20130912042542.GA56830@redoubt.spodhuis.org>
Message-ID: <523322DC.9010006@sixdemonbag.org>

On 9/12/2013 12:25 AM, Phil Pennock wrote:
> Since you're actively working on this, I welcome constructive
> suggestions on how to improve matters.  Some basics for what I consider
> necessary in a suggestion for it to be constructive:

I respectfully add:

8. The proposal does not further complicate an already-complicated
   protocol.

Minsky's SKS algorithm is literally the product of his Ph.D. thesis.  It
would not surprise me if there were under a dozen people in the world
who truly, thoroughly understood the algorithm and its implementation in
SKS.  Further complexity should, IMO, be eschewed.


From dkg at fifthhorseman.net  Sat Sep 14 00:03:16 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 13 Sep 2013 18:03:16 -0400
Subject: subkey binding signature with no usage flags and/or a critical
 notation
In-Reply-To: <87bo3zm3pa.fsf@alice.fifthhorseman.net>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net>
Message-ID: <87ioy4l6qj.fsf@alice.fifthhorseman.net>

On Wed 2013-09-11 17:46:41 -0400, Daniel Kahn Gillmor wrote:
> Without this patch, if a subkey with a usage flags subpacket that is
> all-zero appears, GnuPG thinks that the key is valid for all
> capabilities (usage: SCEA).
>
> This is dangerous in several ways:
>
>  * if it's your own key, GnuPG will use it to sign messages or certify
>    other OpenPGP certificates
>
>  * if it's someone else's key, GnuPG will encrypt to it
>
>  * if it's someone else's key, GnuPG may be willing to rely on OpenPGP
>    certifications made by the key, despite the owner having clearly
>    marked that it is not acceptable for that use.
>
> Depending on how such a key is actually used in practice, this may cause
> unrelated confidential data to be revealed, or it may let GnuPG follow
> spoofable paths through the WoT. 

 [...]

> I'm inclined to see this as a security vulnerability (because of the
> confidentiality and certification-following concerns); i'd like to see
> it fixed in the stable branches and assigned a CVE, so that i can push
> for getting it resolved in those distros that care about CVE coverage.

This is now CVE-2013-4351.

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 965 bytes
Desc: not available
URL: </pipermail/attachments/20130913/a448044d/attachment-0001.sig>

From wk at gnupg.org  Sat Sep 14 10:51:02 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 14 Sep 2013 10:51:02 +0200
Subject: subkey binding signature with no usage flags and/or a critical
 notation
In-Reply-To: <87bo3zm3pa.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's
 message of "Wed, 11 Sep 2013 17:46:41 -0400")
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net>
 <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net>
Message-ID: <871u4r23d5.fsf@vigenere.g10code.de>

On Wed, 11 Sep 2013 23:46, dkg at fifthhorseman.net said:

> As i reported earlier, this fix works fine.  I've backported it against
> 1.4.14 and it works there too (below).  It does not seem to be applied
> to the stable branches (1.4 and 2.0).  I think it needs to be applied
> to the stable branches.

It is quite possible that I lost track of it.

> Without this patch, if a subkey with a usage flags subpacket that is
> all-zero appears, GnuPG thinks that the key is valid for all
> capabilities (usage: SCEA).

Yes.  It is the key owner's decision.

>  * if it's someone else's key, GnuPG may be willing to rely on OpenPGP
>    certifications made by the key, despite the owner having clearly

No.  Key signatures (certifications) are only allowed by the primary
key.  This is an OpenPGP requirement.

> sent a message to an automated service which requires signed mail, and
> the message was rejected because it was made by this subkey).

Old PGP versions (iirc < 6.58) were not abale to handle sugnature
subkeys.  Same hoes for old keyservers.

> I'm inclined to see this as a security vulnerability (because of the
> confidentiality and certification-following concerns); i'd like to see

Sorry, I don't understand.  Only the owner of the key can create a
subkey.  We can't forbid him to shoot in his own foot.

> it fixed in the stable branches and assigned a CVE, so that i can push
> for getting it resolved in those distros that care about CVE coverage.

Huh?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From dkg at fifthhorseman.net  Sat Sep 14 17:44:44 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 14 Sep 2013 11:44:44 -0400
Subject: subkey binding signature with no usage flags
In-Reply-To: <871u4r23d5.fsf@vigenere.g10code.de>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net> <871u4r23d5.fsf@vigenere.g10code.de>
Message-ID: <5234846C.80208@fifthhorseman.net>

On 09/14/2013 04:51 AM, Werner Koch wrote:
> On Wed, 11 Sep 2013 23:46, dkg at fifthhorseman.net said:
>> Without this patch, if a subkey with a usage flags subpacket that is
>> all-zero appears, GnuPG thinks that the key is valid for all
>> capabilities (usage: SCEA).
> 
> Yes.  It is the key owner's decision.

Please consider a keyholder who makes their subkey with a tool other
than GnuPG, and that tool deliberately marks the subkey with a key flags
subpacket with none of the standard usage flags set -- the intent here
is to say "do not use this subkey for your standard uses".

When that subkey is seen by GnuPG, GnuPG fails to interpret it correctly.

It is the key owner's decision to make such a subkey, but GnuPG is
misinterpreting the key owner's stated intent if GnuPG uses it to
encrypt a message.

> No.  Key signatures (certifications) are only allowed by the primary
> key.  This is an OpenPGP requirement.

Oh!  that's good to know, thanks.  Can you point me to the part of the
standard that says it?  I looked but all i could find was
(https://tools.ietf.org/html/rfc4880#page-71):

   In a V4 key, the primary key MUST be a key capable of certification.
   The subkeys may be keys of any other type.  There may be other
   constructions of V4 keys, too.

This seems to require that the primary key be certification-capable, but
doesn't explicitly exclude certification-capable subkeys (i admit i find
this paragraph pretty unclear, though, particularly as it seems to avoid
any explicit requirements with that last sentence; any guidance in
interpreting it would be much appreciated)

At any rate, if the intention is that subkeys cannot be
certification-capable, it seems odd that gpg would mark a subkey as
certification-capable, which is what happens if the key flags subpacket
is all-zeros:

 Usage: ECSA

>> I'm inclined to see this as a security vulnerability (because of the
>> confidentiality and certification-following concerns); i'd like to see
> 
> Sorry, I don't understand.  Only the owner of the key can create a
> subkey.  We can't forbid him to shoot in his own foot.

I hear you, but gpg *can* avoid misinterpreting explicitly-structured
data that indicates that a key is *not* for some specific use.  It
should do that.

>> it fixed in the stable branches and assigned a CVE, so that i can push
>> for getting it resolved in those distros that care about CVE coverage.
> 
> Huh?

I'm not sure which part doesn't make sense, so i'll expand them both a
bit.  I'm happy to try to clarify further if i've missed the point of
confusion.

GnuPG is currently willing to encrypt a message to a key that is marked
explicitly by the keyholder as *not* acceptable for encryption.  This
violates the assumption (which i suspect most GnuPG users have) that
GnuPG will only encrypt messages to keys that are marked by their
keyholders as encryption-capable.  This is a security vulnerability
because it exposes messages that should be confidential to decryption by
keys that are not intended or designated for that purpose.  Granted,
this is not a huge problem due to the current rarity of the situation
and the requirement that the other subkey must also somehow be
compromised by the attacker.

re: "those distros that care about CVE coverage" -- this is a relatively
small patch (thank you for sorting it out!) and I would like to
encourage organizations like debian to adopt it even in cases where they
would need to backport it, to avoid the risk described above.

Thanks for taking these concerns seriously, and thanks (as ever) for all
your work on GnuPG.  It's very much appreciated.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130914/5966e598/attachment.sig>

From rjh at sixdemonbag.org  Sat Sep 14 18:26:54 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 14 Sep 2013 12:26:54 -0400
Subject: subkey binding signature with no usage flags
In-Reply-To: <5234846C.80208@fifthhorseman.net>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net> <871u4r23d5.fsf@vigenere.g10code.de>
 <5234846C.80208@fifthhorseman.net>
Message-ID: <52348E4E.8070900@sixdemonbag.org>

On 9/14/2013 11:44 AM, Daniel Kahn Gillmor wrote:
> This is a security vulnerability because it exposes messages that
> should be confidential to decryption by keys that are not intended or
> designated for that purpose.

You have not discovered a security vulnerability in either GnuPG or SKS.
 You have discovered that users who are not as clever as they think can
use the --expert flag to do foolish things, and that some of these
foolish things have consequences attached.

To this, all I can say is I hope the GnuPG developers triage this as
NOTABUG and WONTFIX.


From dkg at fifthhorseman.net  Sat Sep 14 18:45:13 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 14 Sep 2013 12:45:13 -0400
Subject: subkey binding signature with no usage flags
In-Reply-To: <52348E4E.8070900@sixdemonbag.org>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net> <871u4r23d5.fsf@vigenere.g10code.de>
 <5234846C.80208@fifthhorseman.net> <52348E4E.8070900@sixdemonbag.org>
Message-ID: <52349299.9050402@fifthhorseman.net>

On 09/14/2013 12:26 PM, Robert J. Hansen wrote:
> On 9/14/2013 11:44 AM, Daniel Kahn Gillmor wrote:
>> This is a security vulnerability because it exposes messages that
>> should be confidential to decryption by keys that are not intended or
>> designated for that purpose.
> 
> You have not discovered a security vulnerability in either GnuPG or SKS.

The issue under discussion in this thread has nothing to do with SKS.

>  You have discovered that users who are not as clever as they think can
> use the --expert flag to do foolish things, and that some of these
> foolish things have consequences attached.

This also has nothing to do with gnupg's --expert flag.  Neither stable
branch of GnuPG can in its current form generate keys with all the usage
flags set to zero.

This is about interoperability with other OpenPGP implementations
(including possible future versions of GnuPG, but that's a separate
issue) that may include the ability to set an all-zero key flags
subpacket in their subkey binding signatures.

> To this, all I can say is I hope the GnuPG developers triage this as
> NOTABUG and WONTFIX.

This bug is already fixed in the master branch.  Are you suggesting that
the fix should be reverted?

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130914/8d624a4e/attachment.sig>

From rjh at sixdemonbag.org  Sat Sep 14 19:00:26 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 14 Sep 2013 13:00:26 -0400
Subject: subkey binding signature with no usage flags
In-Reply-To: <52349299.9050402@fifthhorseman.net>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net> <871u4r23d5.fsf@vigenere.g10code.de>
 <5234846C.80208@fifthhorseman.net> <52348E4E.8070900@sixdemonbag.org>
 <52349299.9050402@fifthhorseman.net>
Message-ID: <5234962A.1010208@sixdemonbag.org>

On 9/14/2013 12:45 PM, Daniel Kahn Gillmor wrote:
> This bug is already fixed in the master branch.  Are you suggesting that
> the fix should be reverted?

My apologies: I read that message and (erroneously) believed it was the
current thread on sks-devel at nongnu.org.  Mea culpa!




From nicholas.cole at gmail.com  Sat Sep 14 19:42:39 2013
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Sat, 14 Sep 2013 18:42:39 +0100
Subject: subkey binding signature with no usage flags
In-Reply-To: <52349299.9050402@fifthhorseman.net>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net>
 <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net>
 <871u4r23d5.fsf@vigenere.g10code.de>
 <5234846C.80208@fifthhorseman.net>
 <52348E4E.8070900@sixdemonbag.org>
 <52349299.9050402@fifthhorseman.net>
Message-ID: <CAAu18hfxS=Whz0_vWTfQP6f30Fk_4S4kmbSXrig8=RWine9PrA@mail.gmail.com>

On Sat, Sep 14, 2013 at 5:45 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 09/14/2013 12:26 PM, Robert J. Hansen wrote:
>> On 9/14/2013 11:44 AM, Daniel Kahn Gillmor wrote:
>>> This is a security vulnerability because it exposes messages that
>>> should be confidential to decryption by keys that are not intended or
>>> designated for that purpose.
>>
>> You have not discovered a security vulnerability in either GnuPG or SKS.
>
> The issue under discussion in this thread has nothing to do with SKS.
>
>>  You have discovered that users who are not as clever as they think can
>> use the --expert flag to do foolish things, and that some of these
>> foolish things have consequences attached.
>
> This also has nothing to do with gnupg's --expert flag.  Neither stable
> branch of GnuPG can in its current form generate keys with all the usage
> flags set to zero.
>
> This is about interoperability with other OpenPGP implementations
> (including possible future versions of GnuPG, but that's a separate
> issue) that may include the ability to set an all-zero key flags
> subpacket in their subkey binding signatures.
>
>> To this, all I can say is I hope the GnuPG developers triage this as
>> NOTABUG and WONTFIX.
>
> This bug is already fixed in the master branch.  Are you suggesting that
> the fix should be reverted?

This wasn't a bug, it was a new feature request.  I still don't
understand the wisdom of it. As far as I know there are no other
implementations that do anything like this. As such, there is no
'interoperability' issue, and for that matter I don't know how other
implementations handle keys with no usage flags set.   It all seems a
bit too clever.  If I remember correctly, you want this so that you
can have subkeys reserved for specific protocols.  I've never quite
understood what the benefit of this is.  Moreover, I never understood
why it couldn't have been achieved with a critically flagged notation,
without needing to change anything about the key usage flags.

I really don't mean to sound unduly negative - but key management is
already very complicated in gpg.  I'm all for adding things with a
genuine utility, but not really for adding things that add complexity
without really adding security.

But, as you say, it's in the Master now.

N


From dkg at fifthhorseman.net  Sat Sep 14 21:02:23 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 14 Sep 2013 15:02:23 -0400
Subject: subkey binding signature with no usage flags
In-Reply-To: <CAAu18hfxS=Whz0_vWTfQP6f30Fk_4S4kmbSXrig8=RWine9PrA@mail.gmail.com>
References: <87obeo2vg7.fsf@alice.fifthhorseman.net>
 <A01620E8-2FA2-4BE0-909D-4D44E0D039BA@JABBERWOCKY.COM>
 <5141F550.5020702@fifthhorseman.net> <874ngc1zrz.fsf@vigenere.g10code.de>
 <87bo3zm3pa.fsf@alice.fifthhorseman.net> <871u4r23d5.fsf@vigenere.g10code.de>
 <5234846C.80208@fifthhorseman.net> <52348E4E.8070900@sixdemonbag.org>
 <52349299.9050402@fifthhorseman.net>
 <CAAu18hfxS=Whz0_vWTfQP6f30Fk_4S4kmbSXrig8=RWine9PrA@mail.gmail.com>
Message-ID: <5234B2BF.9090509@fifthhorseman.net>

On 09/14/2013 01:42 PM, Nicholas Cole wrote:

> This wasn't a bug, it was a new feature request.

i'm sorry, but i don't agree with this.  I have made a (related) feature
request, which was to enable gpg to *create* subkeys without any usage
flags set for --expert users.  (and yes, that's been merged in master as
well, and i recognize that it is less likely to be adopted in the stable
branches -- that's fine)

That was separate and distinct issue from what i'm asking about here.

Here, i'm asking GnuPG to properly interpret received signatures that
have the usage flags subpacket present but empty.

This latter issues is a bug report, not a feature request.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130914/97d5970c/attachment-0001.sig>

From mailinglisten at hauke-laging.de  Sat Sep 14 23:50:25 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sat, 14 Sep 2013 23:50:25 +0200
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvWGKcu2+qHmVfunL7tM343_xjR3kmqOu1feR0GhzJuoMA@mail.gmail.com>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <CAAJ3AvVqKdxEsH6OF6CgOGEyWGJ+BrpmaNacygqTJ_VNrTt0MA@mail.gmail.com>
 <CAAJ3AvWGKcu2+qHmVfunL7tM343_xjR3kmqOu1feR0GhzJuoMA@mail.gmail.com>
Message-ID: <2635874.688q42dYUf@inno.berlin.laging.de>

Am Do 12.09.2013, 12:42:21 schrieb Tim Prepscius:

> Malicious hacker replaces key with different key.

You don't even need hackers. How do you prove when a key has changed on the 
keyservers (even if they were not compromised)?


> So other servers can detect the change, and Bob can detect the change
> through other servers.

To me that is a strange argument in the context of cryptography.


Hauke
-- 
Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130914/e283fb5f/attachment.sig>

From mailinglisten at hauke-laging.de  Sun Sep 15 00:55:08 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 15 Sep 2013 00:55:08 +0200
Subject: looking up pgp keys
In-Reply-To: <523247A8.2030408@sixdemonbag.org>
References: <CAAJ3AvXASDf5WiYeaPHE+cLXmHNxDHWHUUizvv7Zu=-kxcKU6Q@mail.gmail.com>
 <2105948.iL5G3P1axX@inno.berlin.laging.de> <523247A8.2030408@sixdemonbag.org>
Message-ID: <14077284.gAtzDleRZD@inno.berlin.laging.de>

Am Do 12.09.2013, 19:00:56 schrieb Robert J. Hansen:
> On 9/12/2013 10:10 AM, Hauke Laging wrote:
> > The answer is above. An unreliable system is inacceptable from legal
> > perspective.
> 
> Your definition of 'unreliable' is interesting.

Of course, there are several levels of reliability. I don't redefine it I just 
look at the legal level.


> The keyservers make *absolutely no assurances* about the certificate
> they're giving you.

That is the current and former situation but that does not mean that it would 
be enough for the future. Don't forget that one of the reasons for the 
keyserver design was to keep the requirements low and thus the number of 
keyserver providers up.


> The certificate itself is what gives confidence and reliability.

About its content but not about its being up-to-date. Except for the age of 
the newest timestamp. But it is not convenient to create new selfsigs every 
day (with offline mainkeys).


> If we were to add strong crypto to the keyserver network, the size of
> the SKS codebase would explode -- and with it, the bug count.  Complex
> systems are fragile systems.

That is correct but we have to assess the whole situation and not just the 
parts we like. The same is true for e.g. web servers with static content only 
vs. those with e.g. PHP and connected databases. The relevant point is not 
"Software for static content is safer" but "We need dynamic content".

So either I am right or not. But the software quality argument will not revert 
that decision. The task is to get the quality of the needed software to an 
acceptable level.

The good news is though that many more people and much more money is going to 
get involved.


> > But the public must be capable of proving that he didn't.
> 
> Can't be done, bang, period, end of sentence.  Some people like to think
> OpenPGP provides nonrepudiability, but that's an ephemera.  If you don't
> control your PC -- if you're playing host to malware -- it's very easy
> to say, "but I didn't write that!" and have it be completely credible.

OpenPGP keys are not limited to weak systems. Your argument is close to "Let's 
throw all that useless crypto stuff away".


> In an era where about one desktop in three is compromised, you cannot
> rely on cryptographic protocols to provide nonrepudiability.

That's why I demand 

1) a standardized security scale so that we know at once what security level 
we are talking about for a given key

2) several keys for everyone (and the same email address) at different 
security levels

But even for high security keys (like the smartcard-only keys under the 
signature law) there must be a *reliable* (and provable) way for validity 
checks.


> keyservers we've got each one of them serving as its own timestamp
> authority.  What happens when two of them conflict?

That is not possible (in the sense of a problem) because the timestamp says 
only "This is what the key looked like in my storage at this point of time". 
There is no need for the key servers to make that statement at the same time. 
Trying to sync this may cause heavy timing problems with the synchronization 
itself.


Hauke
-- 
Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130915/c5e5f320/attachment.sig>

From tomanek at internet-sicherheit.de  Sun Sep 15 22:57:48 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Sun, 15 Sep 2013 22:57:48 +0200
Subject: [PATCH 3/3 v2] filter and verify keyserver responses
Message-ID: <20130915205748.GL21970@zirkel.wertarbyte.de>

This changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.

It also prevents the accidental import of secret keys through key server
responses.

Signed-off-by: Stefan Tomanek <tomanek at internet-sicherheit.de>
---
 g10/import.c    |   78 +++++++++++++++++++++++++++++++++++++++++++++++++------
 g10/keyserver.c |   45 ++++++++++++++++++++++++++++++--
 g10/main.h      |    4 +++
 3 files changed, 117 insertions(+), 10 deletions(-)

diff --git a/g10/import.c b/g10/import.c
index 90fc2d6..c08dd1e 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -58,6 +58,9 @@ struct stats_s {
 };
 
 
+static int import_constr( IOBUF inp, const char* fname,struct stats_s *stats,
+	unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	import_filter filter, void *filter_arg );
 static int import( IOBUF inp, const char* fname,struct stats_s *stats,
 		   unsigned char **fpr,size_t *fpr_len,unsigned int options );
 static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root );
@@ -65,8 +68,16 @@ static void revocation_present(KBNODE keyblock);
 static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats,
 		      unsigned char **fpr,size_t *fpr_len,
 		      unsigned int options,int from_sk);
+static int import_one_constr(const char *fname, KBNODE keyblock,struct stats_s *stats,
+		      unsigned char **fpr,size_t *fpr_len,
+		      unsigned int options,int from_sk,
+		      import_filter filter, void *filter_arg);
+
 static int import_secret_one( const char *fname, KBNODE keyblock,
                               struct stats_s *stats, unsigned int options);
+static int import_secret_one_constr( const char *fname, KBNODE keyblock,
+                              struct stats_s *stats, unsigned int options,
+                              import_filter filter, void *filter_arg );
 static int import_revoke_cert( const char *fname, KBNODE node,
                                struct stats_s *stats);
 static int chk_self_sigs( const char *fname, KBNODE keyblock,
@@ -161,9 +172,10 @@ import_release_stats_handle (void *p)
  *
  */
 static int
-import_keys_internal( IOBUF inp, char **fnames, int nnames,
+import_keys_internal_constr( IOBUF inp, char **fnames, int nnames,
 		      void *stats_handle, unsigned char **fpr, size_t *fpr_len,
-		      unsigned int options )
+		      unsigned int options,
+		      import_filter filter, void *filter_arg )
 {
     int i, rc = 0;
     struct stats_s *stats = stats_handle;
@@ -172,7 +184,7 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
         stats = import_new_stats_handle ();
 
     if (inp) {
-        rc = import( inp, "[stream]", stats, fpr, fpr_len, options);
+        rc = import_constr( inp, "[stream]", stats, fpr, fpr_len, options, filter, filter_arg);
     }
     else {
         int once = (!fnames && !nnames);
@@ -219,6 +231,14 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
     return rc;
 }
 
+static int
+import_keys_internal( IOBUF inp, char **fnames, int nnames,
+		      void *stats_handle, unsigned char **fpr, size_t *fpr_len,
+		      unsigned int options )
+{
+  return import_keys_internal_constr(inp, fnames, nnames, stats_handle, fpr, fpr_len, options, NULL, NULL);
+}
+
 void
 import_keys( char **fnames, int nnames,
 	     void *stats_handle, unsigned int options )
@@ -227,15 +247,24 @@ import_keys( char **fnames, int nnames,
 }
 
 int
+import_keys_stream_constr( IOBUF inp, void *stats_handle,
+		    unsigned char **fpr, size_t *fpr_len,unsigned int options,
+	            import_filter filter, void *filter_arg )
+{
+  return import_keys_internal_constr(inp,NULL,0,stats_handle,fpr,fpr_len,options,filter,filter_arg);
+}
+
+int
 import_keys_stream( IOBUF inp, void *stats_handle,
 		    unsigned char **fpr, size_t *fpr_len,unsigned int options )
 {
-  return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options);
+  return import_keys_stream_constr(inp,stats_handle,fpr,fpr_len,options,NULL,NULL);
 }
 
 static int
-import( IOBUF inp, const char* fname,struct stats_s *stats,
-	unsigned char **fpr,size_t *fpr_len,unsigned int options )
+import_constr( IOBUF inp, const char* fname,struct stats_s *stats,
+	unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	import_filter filter, void *filter_arg )
 {
     PACKET *pending_pkt = NULL;
     KBNODE keyblock = NULL;
@@ -252,9 +281,10 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
 
     while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) {
 	if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY )
-	    rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0);
+	    rc = import_one_constr( fname, keyblock, stats, fpr, fpr_len, options, 0,
+	                            filter, filter_arg);
 	else if( keyblock->pkt->pkttype == PKT_SECRET_KEY )
-                rc = import_secret_one( fname, keyblock, stats, options );
+                rc = import_secret_one_constr( fname, keyblock, stats, options, filter, filter_arg );
 	else if( keyblock->pkt->pkttype == PKT_SIGNATURE
 		 && keyblock->pkt->pkt.signature->sig_class == 0x20 )
 	    rc = import_revoke_cert( fname, keyblock, stats );
@@ -278,6 +308,12 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
     return rc;
 }
 
+static int
+import( IOBUF inp, const char* fname,struct stats_s *stats,
+	unsigned char **fpr,size_t *fpr_len,unsigned int options )
+{
+	return import_constr(inp, fname, stats, fpr, fpr_len, options, NULL, NULL);
+}
 
 void
 import_print_stats (void *hd)
@@ -740,6 +776,15 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	    unsigned char **fpr,size_t *fpr_len,unsigned int options,
 	    int from_sk )
 {
+  return import_one_constr(fname, keyblock, stats, fpr,
+    fpr_len, options, from_sk, NULL, NULL);
+}
+
+static int
+import_one_constr( const char *fname, KBNODE keyblock, struct stats_s *stats,
+	    unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	    int from_sk, import_filter filter, void *filter_arg)
+{
     PKT_public_key *pk;
     PKT_public_key *pk_orig;
     KBNODE node, uidnode;
@@ -778,6 +823,10 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	return 0;
       }
 
+    if (filter && filter(pk, NULL, filter_arg)) {
+        log_error( _("key %s: rejected by import filter\n"), keystr_from_pk(pk));
+        return 0;
+    }
     if (opt.interactive) {
         if(is_status_enabled())
 	  print_import_check (pk, uidnode->pkt->pkt.user_id);
@@ -1148,6 +1197,14 @@ static int
 import_secret_one( const char *fname, KBNODE keyblock,
                    struct stats_s *stats, unsigned int options)
 {
+    return import_secret_one_constr(fname, keyblock, stats, options, NULL, NULL);
+}
+
+static int
+import_secret_one_constr( const char *fname, KBNODE keyblock,
+                          struct stats_s *stats, unsigned int options,
+                          import_filter filter, void *filter_arg )
+{
     PKT_secret_key *sk;
     KBNODE node, uidnode;
     u32 keyid[2];
@@ -1162,6 +1219,11 @@ import_secret_one( const char *fname, KBNODE keyblock,
     keyid_from_sk( sk, keyid );
     uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
 
+    if (filter && filter(NULL, sk, filter_arg)) {
+        log_error( _("secret key %s: rejected by import filter\n"), keystr_from_sk(sk));
+        return 0;
+    }
+
     if( opt.verbose )
       {
 	log_info( "sec  %4u%c/%s %s   ",
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 440c6a1..caa64b5 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -971,6 +971,46 @@ direct_uri_map(const char *scheme,unsigned int is_direct)
 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
 
+static int
+keyserver_retrieval_filter(PKT_public_key *pk, PKT_secret_key *sk, void *arg)
+{
+  KEYDB_SEARCH_DESC *desc = arg;
+  u32 keyid[2];
+  byte fpr[MAX_FINGERPRINT_LEN];
+  size_t fpr_len = 0;
+
+  /* we definitely do not want to import secret keys! */
+  if (sk) {
+    return 1;
+  }
+
+  fingerprint_from_pk(pk, fpr, &fpr_len);
+  keyid_from_pk(pk, keyid);
+
+  /* compare requested and returned fingerprints if available */
+  if (desc->mode == KEYDB_SEARCH_MODE_FPR20) {
+    if (fpr_len != 20 || memcmp(fpr, desc->u.fpr, 20)) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) {
+    if (fpr_len != 16 || memcmp(fpr, desc->u.fpr, 16)) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) {
+    if (memcmp(keyid, desc->u.kid, sizeof(keyid))) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) {
+    if (memcmp(&keyid[1], &desc->u.kid[1], 1)) {
+      return 1;
+    }
+  }
+  return 0;
+}
+
 static int 
 keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 		int count,int *prog,unsigned char **fpr,size_t *fpr_len,
@@ -1517,8 +1557,9 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 	     way to do this could be to continue parsing this
 	     line-by-line and make a temp iobuf for each key. */
 
-	  import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
-			     opt.keyserver_options.import_options);
+	  import_keys_stream_constr(spawn->fromchild,stats_handle,fpr,fpr_len,
+			     opt.keyserver_options.import_options,
+			     &keyserver_retrieval_filter, desc);
 
 	  import_print_stats(stats_handle);
 	  import_release_stats_handle(stats_handle);
diff --git a/g10/main.h b/g10/main.h
index eadac1f..a729327 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -207,11 +207,15 @@ MPI encode_md_value( PKT_public_key *pk, PKT_secret_key *sk,
 		     MD_HANDLE md, int hash_algo );
 
 /*-- import.c --*/
+typedef int (*import_filter)(PKT_public_key *pk, PKT_secret_key *sk, void *arg);
 int parse_import_options(char *str,unsigned int *options,int noisy);
 void import_keys( char **fnames, int nnames,
 		  void *stats_hd, unsigned int options );
 int import_keys_stream( IOBUF inp,void *stats_hd,unsigned char **fpr,
 			size_t *fpr_len,unsigned int options );
+int import_keys_stream_constr( IOBUF inp,void *stats_hd,unsigned char **fpr,
+			size_t *fpr_len,unsigned int options,
+			import_filter constr, void *filter_arg);
 void *import_new_stats_handle (void);
 void import_release_stats_handle (void *p);
 void import_print_stats (void *hd);
-- 
1.7.10.4


From tomanek at internet-sicherheit.de  Sun Sep 15 23:22:50 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Sun, 15 Sep 2013 23:22:50 +0200
Subject: Checking key server response against the request parameters
In-Reply-To: <20130913064854.GZ21970@zirkel.wertarbyte.de>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
Message-ID: <20130915212250.GM21970@zirkel.wertarbyte.de>

Dies schrieb Stefan Tomanek (tomanek at internet-sicherheit.de):

> While working with the gnupg source code, I noticed that gnupg does not take
> the query itself into consideration when retrieving key data from a server
> (--search-key, --recv-key); regardless of the query issued, gnupg will happily
> import anything returned.

I just noticed that gnupg will even import secret keys from any keyserver
response if the key data is prefixed with "BEGIN PGP PUBLIC KEY DATA".
My newly submitted patch (v2) fixes this issue as well.

Any feedback is welcome :-)
-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: </pipermail/attachments/20130915/246ea77e/attachment.sig>

From John at enigmail.net  Mon Sep 16 00:20:29 2013
From: John at enigmail.net (John Clizbe)
Date: Sun, 15 Sep 2013 17:20:29 -0500
Subject: [PATCH 3/3 v2] filter and verify keyserver responses
In-Reply-To: <20130915205748.GL21970@zirkel.wertarbyte.de>
References: <20130915205748.GL21970@zirkel.wertarbyte.de>
Message-ID: <523632AD.2010909@enigmail.net>

Stefan Tomanek wrote:
> This changes introduces import functions that apply a constraining
> filter to imported keys. These filters can verify the fingerprints of
> the keys returned before importing them into the keyring, ensuring that
> the keys fetched from the keyserver are in fact those selected by the
> user beforehand.

IIRC, gpg fetches keys by the most specific ID possible, for V4 keys it uses
the fingerprint.

Are fingerprint collisions so prevalent that they must be protected against?

> It also prevents the accidental import of secret keys through key server
> responses.

That would certainly be more than an accident as no keyserver I know will
store a private key.

This looks like code for code's sake. It's "protecting" against nonproblems.
More code --> more complexity --> more bugs.

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130915/6b704f11/attachment-0001.sig>

From John at enigmail.net  Mon Sep 16 00:29:13 2013
From: John at enigmail.net (John Clizbe)
Date: Sun, 15 Sep 2013 17:29:13 -0500
Subject: Checking key server response against the request parameters
In-Reply-To: <20130915212250.GM21970@zirkel.wertarbyte.de>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
 <20130915212250.GM21970@zirkel.wertarbyte.de>
Message-ID: <523634B9.4040907@enigmail.net>

Stefan Tomanek wrote:
> Dies schrieb Stefan Tomanek (tomanek at internet-sicherheit.de):
> 
>> While working with the gnupg source code, I noticed that gnupg does not take
>> the query itself into consideration when retrieving key data from a server
>> (--search-key, --recv-key); regardless of the query issued, gnupg will happily
>> import anything returned.
> 
> I just noticed that gnupg will even import secret keys from any keyserver
> response if the key data is prefixed with "BEGIN PGP PUBLIC KEY DATA".
> My newly submitted patch (v2) fixes this issue as well.
> 
> Any feedback is welcome :-)

It looks like you are working from a solution back to a problem instead of
from a problem to a solution.

Before you need this solution, you need to be able to fetch a secret key from
a keyserver, and before you can do that, you need a keyserver that will accept
and store a secret key. None that I know of will (PKS, CKS, ONAK, OpenPKSd,
SKS, LDAP implementations).

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130915/7cd3bf38/attachment.sig>

From timprepscius at gmail.com  Mon Sep 16 00:46:56 2013
From: timprepscius at gmail.com (Tim Prepscius)
Date: Sun, 15 Sep 2013 18:46:56 -0400
Subject: looking up pgp keys
Message-ID: <CAAJ3AvXPDcwCyvibgRg5e7Jqo7Nim474Wowi37cQ=ObPvfFiWw@mail.gmail.com>

>> Malicious hacker replaces key with different key.

> You don't even need hackers. How do you prove when a key has changed on the
> keyservers (even if they were not compromised)?


Well the underlying theme is that everyone is responsible and in
charge of their own key.

The key servers are just as dumb as they are now, however there is an
understanding that the key server would only allow the mail-user to
change his key.


So Bob is responsible for checking his pub-key on "SuperMail
mail-server." where bob has an account.  Bob does this regularly.
Bob's friends do this too, and they tell Bob if his key has changed.


SuperMail is responsible for *trying* to broadcast Bob's key as he has
set it, but it doesn't need to say this with any assurance, because
Bob would be checking. (as other people would be).  Bob could check
through a variety of means, to possibly thwart a MITM attack.


If SuperMail is subverting Bob's key, then Bob would find out, and
make a public statement, in some sort of forum such as this one,
saying, "SuperMail is hacked."


If Bob's account on SuperMail has been hacked, then when Bob talks to
SuperMail accusing them of subverting his key, SuperMail would find
out that indeed Bob's key was changed, they would apologize and try to
fix whatever security hole there was.

Bob would then go on a forum such as this one saying, "SuperMail got hacked."



Or perhaps Bob's password is "boB" and SuperMail would tell bob, "look
, we see there were 1,000 password attempts on your account last week.
 (which SuperMail should possibly have stopped).  1,000 should not
have been enough to break your password, your password is probably
really weak."



Mail servers which effectively broadcast keys would stick around, mail
servers which get hacked would die off.



Actually, I'm not even sure why there needs to be a PGP key server pool.

Perhaps I am missing something of great importance?

This happens to me often, so I am already prepared to be flabbergasted
by my own stupidity.  Lol.


-tim


From John at enigmail.net  Mon Sep 16 01:22:10 2013
From: John at enigmail.net (John Clizbe)
Date: Sun, 15 Sep 2013 18:22:10 -0500
Subject: looking up pgp keys
In-Reply-To: <CAAJ3AvXPDcwCyvibgRg5e7Jqo7Nim474Wowi37cQ=ObPvfFiWw@mail.gmail.com>
References: <CAAJ3AvXPDcwCyvibgRg5e7Jqo7Nim474Wowi37cQ=ObPvfFiWw@mail.gmail.com>
Message-ID: <52364122.7050805@enigmail.net>

Tim Prepscius wrote:
> Actually, I'm not even sure why there needs to be a PGP key server pool.
> 
> Perhaps I am missing something of great importance?

Strictly speaking, keyservers are not required to use OpenPGP. What they do
allow is more along the lines greasing the wheels of ease of use.

Bob signs his posts to a mailing list you have started to follow. You would
like to verify those signatures. You need his public key. You may either send
an email to Bob and request it, or some part of your email configuration can
automagically check the keyservers for the key, fetch it, and verify the
message for you.

You know who Alice is, she operates a well-known web site. You wish to pass on
a tip to her about a soon to break story, but do not want to send it in the
clear. You need Alice's public key. As with Bob, you may send an email and
request it or you may look for it on the keyservers. But which is the correct
key, there are several with a matching email address.  Alice has thoughtfully
taken care of this for you by listing her preferred key's fingerprint on her
web site along with a link to pool.sks-keyservers.net that will fetch the key
for you.

> 
> This happens to me often, so I am already prepared to be flabbergasted
> by my own stupidity.  Lol.
> 

No, it's a very good question.

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130915/daa5ad42/attachment.sig>

From tomanek at internet-sicherheit.de  Mon Sep 16 05:22:44 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Mon, 16 Sep 2013 05:22:44 +0200
Subject: Checking key server response against the request parameters
In-Reply-To: <523634B9.4040907@enigmail.net>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
 <20130915212250.GM21970@zirkel.wertarbyte.de>
 <523634B9.4040907@enigmail.net>
Message-ID: <20130916032244.GN21970@zirkel.wertarbyte.de>

Dies schrieb John Clizbe (John at enigmail.net):

> It looks like you are working from a solution back to a problem instead of
> from a problem to a solution.
> 
> Before you need this solution, you need to be able to fetch a secret key from
> a keyserver, and before you can do that, you need a keyserver that will accept
> and store a secret key. None that I know of will (PKS, CKS, ONAK, OpenPKSd,
> SKS, LDAP implementations).

And it looks like you are working under the assumption that a) the keyserver is
playing nice with you and b) you are actually talking to the keyserver you
specified. Both assumptions are completely bogus, considering that is trivial
to mount an man-in-the-middle attack against keyserver traffic.

No real keyserver will store secret keys, at least I hope so. But I've written
a PoC keyserver proxy that will happily put himself between a real keyserver
and the client - and believe me, this one *does* deliver secret keys.

Well, to be honest, I have to "mask" the secret key, since gpg in fact does
reject data starting with "BEGIN PGP PRIVATE KEY DATA", but s/PRIVATE/PUBLIC/
does the trick.  Oddly enough, gpg then only imports the secret key, not the
public part - weird.

Never, ever, trust incoming data. 
-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: </pipermail/attachments/20130916/fcfbf53a/attachment.sig>

From tomanek at internet-sicherheit.de  Mon Sep 16 05:29:50 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Mon, 16 Sep 2013 05:29:50 +0200
Subject: [PATCH 3/3 v2] filter and verify keyserver responses
In-Reply-To: <523632AD.2010909@enigmail.net>
References: <20130915205748.GL21970@zirkel.wertarbyte.de>
 <523632AD.2010909@enigmail.net>
Message-ID: <20130916032950.GO21970@zirkel.wertarbyte.de>

Dies schrieb John Clizbe (John at enigmail.net):

> Stefan Tomanek wrote:
> > This changes introduces import functions that apply a constraining
> > filter to imported keys. These filters can verify the fingerprints of
> > the keys returned before importing them into the keyring, ensuring that
> > the keys fetched from the keyserver are in fact those selected by the
> > user beforehand.
> 
> IIRC, gpg fetches keys by the most specific ID possible, for V4 keys it uses
> the fingerprint.
> 
> Are fingerprint collisions so prevalent that they must be protected against?

No, but fingerprint collisions are not necessary since gpg does not actually
check the returned data. It does not matter what gpg uses to fetch the data. I
can just send you *any* key, gpg will import it. And creating keys with
colliding short IDs has become trivial.

> > It also prevents the accidental import of secret keys through key server
> > responses.
> 
> That would certainly be more than an accident as no keyserver I know will
> store a private key.
>
> This looks like code for code's sake. It's "protecting" against nonproblems.
> More code --> more complexity --> more bugs.

Please, it doesn't matter if we encounter an "accident" or malicious behaviour:
If I issue a command like "gpg --refreshkeys", I don't expect any new keys to be
added to my keyring, and gpg should never ever touch my secret keyring. The same
goes for a specific key retrieval command by fingerprint, which should at *most*
add one new key matching that fingerprint, nothing more.

Relying on the key server playing by the rules is just a bad idea.
-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: </pipermail/attachments/20130916/6b83a2f7/attachment.sig>

From dkg at fifthhorseman.net  Mon Sep 16 06:50:41 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 16 Sep 2013 00:50:41 -0400
Subject: [PATCH 3/3 v2] filter and verify keyserver responses
In-Reply-To: <20130916032950.GO21970@zirkel.wertarbyte.de>
References: <20130915205748.GL21970@zirkel.wertarbyte.de>
 <523632AD.2010909@enigmail.net> <20130916032950.GO21970@zirkel.wertarbyte.de>
Message-ID: <52368E21.4080509@fifthhorseman.net>

Hi Stefan--

Thanks for your work on this.  I agree with you that client-side OpenPGP
implementations that pull data from keyservers should filter not just
for syntax but also for whether the received data matches the data
requested.

On 09/15/2013 11:29 PM, Stefan Tomanek wrote:

> Please, it doesn't matter if we encounter an "accident" or malicious behaviour:
> If I issue a command like "gpg --refreshkeys", I don't expect any new keys to be
> added to my keyring,

If you mean "any new primary keys", then i agree with this sentiment.
However, i would expect GnuPG to add new subkeys to my keyring if the
new subkeys are properly bound to the primary keys.

That is, it's possible for your keyring to gain new keys (with new
fingerprints) during a refresh; it's just that those keys are subkeys
attached to pre-existing primary keys.  right?

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130916/edd69ccd/attachment.sig>

From wk at gnupg.org  Wed Sep 18 15:15:15 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 18 Sep 2013 15:15:15 +0200
Subject: How to help with GnuPG documentation?
In-Reply-To: <522BBFD2.3020006@sixdemonbag.org> (Robert J. Hansen's message of
 "Sat, 07 Sep 2013 20:07:46 -0400")
References: <20130906133159.GA67631@DATLANDREWK.local>
 <87zjrogbbc.fsf@vigenere.g10code.de> <522B1B82.40402@sixdemonbag.org>
 <87bo44fpsh.fsf@vigenere.g10code.de>
 <522BBFD2.3020006@sixdemonbag.org>
Message-ID: <87vc1yuv8c.fsf@vigenere.g10code.de>

On Sun,  8 Sep 2013 02:07, rjh at sixdemonbag.org said:
> On 9/7/2013 2:30 PM, Werner Koch wrote:
>> To avoid breaking links to the existing FAQ, we should keep the
>> anchors which are already known.  Those answers might be moved to an
>> old-stuff section andd updated with a link to a more appropriate
>> Q+A.
>
> I'll see about making a first stab at this.

Okay.  Do not put too much work into it.

> It's already in org-mode.  Or, rather, it's in a *really* kludged up XML
> that I convert to org-mode via a Python script (which is part of the git
> repo).

Yes, I rembered that only after my mail.

> There are reasons to prefer XML right now -- basically, it makes it much
> easier for me to keep a table of contents together.  But yes, it was
> always my understanding that it would be submitted as org-mode text.

org-mode does the content for free and modern versions also have an
index feature.

>> CC-by-sa 3.0 unported and GPLv2+.  This allows to reuse it in
>> Wikipedia other manuals as well as in GPL code.
>
> Point.  I can see about making that change.  Since I'm the only author,
> relicensing isn't a problem.

That would really be great.

Given that our HOWTOs are way too old, we should have at least a decent
FAQ.  I would even like to send an announcement as soon as we have it
online.

Our disagreement over PGP/MIME can be discussed after the release of
your FAQ.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From tomanek at internet-sicherheit.de  Wed Sep 18 15:53:04 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Wed, 18 Sep 2013 15:53:04 +0200
Subject: Checking key server response against the request parameters
In-Reply-To: <20130916032244.GN21970@zirkel.wertarbyte.de>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
 <20130915212250.GM21970@zirkel.wertarbyte.de>
 <523634B9.4040907@enigmail.net>
 <20130916032244.GN21970@zirkel.wertarbyte.de>
Message-ID: <20130918135304.GG6981@zirkel.wertarbyte.de>

Dies schrieb Stefan Tomanek (tomanek at internet-sicherheit.de):

> And it looks like you are working under the assumption that a) the keyserver is
> playing nice with you and b) you are actually talking to the keyserver you
> specified. Both assumptions are completely bogus, considering that is trivial
> to mount an man-in-the-middle attack against keyserver traffic.

After investigating the issue further, even more attack scenarios come to mind.

Consider this:

John H. Newuser installs gnupg and enigmail.

He fetches the public keys from his coworkers (to verify their signatures),
using the keyserver.

He then generates a key pair for himself and transmits confidential material
to someone, of course checking the fingerprint of the recipient's key first.

Well, at this point, he might have already run into trouble without even
noticing. At every key server action, it is possible for the server (or anyone
in the middle) to poison his keyring.

In this scenario, the malign keyserver sent an additional key with its replies,
matching the User ID of our victim. GnuPG will in fact add this key to the
keyring, disregarding the fact that the user has never asked for it.

The fun fact: The secret key remains in control of the attacker, while enigmail
(and many other MUAs as well) encrypts every mail using the injected public key
(encrypt-to-self), since gnupg will search in a linear fashion through the
pubring for matching keys.

I guess that this scenario can be mitigated in many ways, but in my opinion
gnupg should never add keys to my secring/pubring without me explicitly asking
for it.

-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: </pipermail/attachments/20130918/d1542791/attachment.sig>

From nicholas.cole at gmail.com  Wed Sep 18 18:28:18 2013
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Wed, 18 Sep 2013 17:28:18 +0100
Subject: Checking key server response against the request parameters
In-Reply-To: <20130918135304.GG6981@zirkel.wertarbyte.de>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
 <20130915212250.GM21970@zirkel.wertarbyte.de>
 <523634B9.4040907@enigmail.net>
 <20130916032244.GN21970@zirkel.wertarbyte.de>
 <20130918135304.GG6981@zirkel.wertarbyte.de>
Message-ID: <CAAu18hfQDsg7JaBAj-=2KwZr4QXosXbo+poPS+qORL6uicZO7Q@mail.gmail.com>

On Wed, Sep 18, 2013 at 2:53 PM, Stefan Tomanek
<tomanek at internet-sicherheit.de> wrote:
> Dies schrieb Stefan Tomanek (tomanek at internet-sicherheit.de):
>
>> And it looks like you are working under the assumption that a) the keyserver is
>> playing nice with you and b) you are actually talking to the keyserver you
>> specified. Both assumptions are completely bogus, considering that is trivial
>> to mount an man-in-the-middle attack against keyserver traffic.
>
> After investigating the issue further, even more attack scenarios come to mind.
>
> Consider this:
>
> John H. Newuser installs gnupg and enigmail.
>
> He fetches the public keys from his coworkers (to verify their signatures),
> using the keyserver.
>
> He then generates a key pair for himself and transmits confidential material
> to someone, of course checking the fingerprint of the recipient's key first.
>
> Well, at this point, he might have already run into trouble without even
> noticing. At every key server action, it is possible for the server (or anyone
> in the middle) to poison his keyring.
>
> In this scenario, the malign keyserver sent an additional key with its replies,
> matching the User ID of our victim. GnuPG will in fact add this key to the
> keyring, disregarding the fact that the user has never asked for it.
>
> The fun fact: The secret key remains in control of the attacker, while enigmail
> (and many other MUAs as well) encrypts every mail using the injected public key
> (encrypt-to-self), since gnupg will search in a linear fashion through the
> pubring for matching keys.
>
> I guess that this scenario can be mitigated in many ways, but in my opinion
> gnupg should never add keys to my secring/pubring without me explicitly asking
> for it.


Stefan,

I've been following the other patches - but I don't quite follow this
last scenario at all.  The whole point of keyservers is that they
don't have to be trusted. Malicious users can (and have) upload fake
keys all the time.  As long as users check fingerprints and assign
introducer trust with care, there is no problem.  If I search for John
H. Newuser's key and get back 1 real and 2 fake ones, the only harm
that is done is if I fail to check the fingerprints before signing the
correct one, and my HD has a couple of extra keys on it that I
probably ought to delete, but which will do no harm, unless I adopt
the "always trust" trust model and then fail to do any external
checking.

N.


From tomanek at internet-sicherheit.de  Wed Sep 18 19:49:35 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Wed, 18 Sep 2013 19:49:35 +0200
Subject: Checking key server response against the request parameters
In-Reply-To: <CAAu18hfQDsg7JaBAj-=2KwZr4QXosXbo+poPS+qORL6uicZO7Q@mail.gmail.com>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
 <20130915212250.GM21970@zirkel.wertarbyte.de>
 <523634B9.4040907@enigmail.net>
 <20130916032244.GN21970@zirkel.wertarbyte.de>
 <20130918135304.GG6981@zirkel.wertarbyte.de>
 <CAAu18hfQDsg7JaBAj-=2KwZr4QXosXbo+poPS+qORL6uicZO7Q@mail.gmail.com>
Message-ID: <20130918174935.GH6981@zirkel.wertarbyte.de>

Dies schrieb Nicholas Cole (nicholas.cole at gmail.com):

> I've been following the other patches - but I don't quite follow this
> last scenario at all.  The whole point of keyservers is that they
> don't have to be trusted. Malicious users can (and have) upload fake
> keys all the time.  As long as users check fingerprints and assign
> introducer trust with care, there is no problem.  If I search for John
> H. Newuser's key and get back 1 real and 2 fake ones, the only harm
> that is done is if I fail to check the fingerprints before signing the
> correct one, and my HD has a couple of extra keys on it that I
> probably ought to delete, but which will do no harm, unless I adopt
> the "always trust" trust model and then fail to do any external
> checking.

I just did the actual check and have to agree that the scenario did not work
as expected, since enigmail does not accept keys with unknown trust by default.

But as you said, trusting the key server is not an option, so I still think
that checking their responses against the issued requests is a good thing. I
certainly don't want anyone injecting their spoofed keys into the pubring und
secring of my home directory. While it might not be an immediate threat due to
the seperate trustdb, it is annoying at least. But perhaps that would be a nice
way to distribute my key at conferences, just MitM every keyserver request and
insert my public key material :-)

-- 
if(is) - Institut f?r Internet-Sicherheit
Westf?lische Hochschule, Gelsenkirchen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: </pipermail/attachments/20130918/33a8c459/attachment.sig>

From tomanek at internet-sicherheit.de  Fri Sep 20 00:16:10 2013
From: tomanek at internet-sicherheit.de (Stefan Tomanek)
Date: Fri, 20 Sep 2013 00:16:10 +0200
Subject: [PATCH 3/3 v3] filter and verify keyserver responses
Message-ID: <20130919221610.GN6981@zirkel.wertarbyte.de>

This changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.

It also prevents the accidental import of secret keys through key server
responses.

Signed-off-by: Stefan Tomanek <tomanek at internet-sicherheit.de>
---
 g10/import.c    |   47 ++++++++++++++++++++++++++++++++---------------
 g10/keyserver.c |   45 +++++++++++++++++++++++++++++++++++++++++++--
 g10/main.h      |    4 +++-
 3 files changed, 78 insertions(+), 18 deletions(-)

diff --git a/g10/import.c b/g10/import.c
index 90fc2d6..75f211a 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -59,14 +59,17 @@ struct stats_s {
 
 
 static int import( IOBUF inp, const char* fname,struct stats_s *stats,
-		   unsigned char **fpr,size_t *fpr_len,unsigned int options );
+		   unsigned char **fpr,size_t *fpr_len,unsigned int options,
+		   import_filter filter, void *filter_arg );
 static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root );
 static void revocation_present(KBNODE keyblock);
 static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats,
 		      unsigned char **fpr,size_t *fpr_len,
-		      unsigned int options,int from_sk);
+		      unsigned int options,int from_sk,
+		      import_filter filter, void *filter_arg);
 static int import_secret_one( const char *fname, KBNODE keyblock,
-                              struct stats_s *stats, unsigned int options);
+                              struct stats_s *stats, unsigned int options,
+                              import_filter filter, void *filter_arg );
 static int import_revoke_cert( const char *fname, KBNODE node,
                                struct stats_s *stats);
 static int chk_self_sigs( const char *fname, KBNODE keyblock,
@@ -163,7 +166,8 @@ import_release_stats_handle (void *p)
 static int
 import_keys_internal( IOBUF inp, char **fnames, int nnames,
 		      void *stats_handle, unsigned char **fpr, size_t *fpr_len,
-		      unsigned int options )
+		      unsigned int options,
+		      import_filter filter, void *filter_arg )
 {
     int i, rc = 0;
     struct stats_s *stats = stats_handle;
@@ -172,7 +176,7 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
         stats = import_new_stats_handle ();
 
     if (inp) {
-        rc = import( inp, "[stream]", stats, fpr, fpr_len, options);
+        rc = import( inp, "[stream]", stats, fpr, fpr_len, options, filter, filter_arg);
     }
     else {
         int once = (!fnames && !nnames);
@@ -192,7 +196,7 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
 	        log_error(_("can't open `%s': %s\n"), fname, strerror(errno) );
 	    else
 	      {
-	        rc = import( inp2, fname, stats, fpr, fpr_len, options );
+	        rc = import( inp2, fname, stats, fpr, fpr_len, options, NULL, NULL );
 	        iobuf_close(inp2);
                 /* Must invalidate that ugly cache to actually close it. */
                 iobuf_ioctl (NULL, 2, 0, (char*)fname);
@@ -223,19 +227,21 @@ void
 import_keys( char **fnames, int nnames,
 	     void *stats_handle, unsigned int options )
 {
-  import_keys_internal(NULL,fnames,nnames,stats_handle,NULL,NULL,options);
+  import_keys_internal(NULL,fnames,nnames,stats_handle,NULL,NULL,options,NULL,NULL);
 }
 
 int
 import_keys_stream( IOBUF inp, void *stats_handle,
-		    unsigned char **fpr, size_t *fpr_len,unsigned int options )
+		    unsigned char **fpr, size_t *fpr_len,unsigned int options,
+	            import_filter filter, void *filter_arg )
 {
-  return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options);
+  return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options,filter,filter_arg);
 }
 
 static int
 import( IOBUF inp, const char* fname,struct stats_s *stats,
-	unsigned char **fpr,size_t *fpr_len,unsigned int options )
+	unsigned char **fpr,size_t *fpr_len,unsigned int options,
+	import_filter filter, void *filter_arg )
 {
     PACKET *pending_pkt = NULL;
     KBNODE keyblock = NULL;
@@ -252,9 +258,10 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
 
     while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) {
 	if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY )
-	    rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0);
+	    rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0,
+	                            filter, filter_arg);
 	else if( keyblock->pkt->pkttype == PKT_SECRET_KEY )
-                rc = import_secret_one( fname, keyblock, stats, options );
+                rc = import_secret_one( fname, keyblock, stats, options, filter, filter_arg );
 	else if( keyblock->pkt->pkttype == PKT_SIGNATURE
 		 && keyblock->pkt->pkt.signature->sig_class == 0x20 )
 	    rc = import_revoke_cert( fname, keyblock, stats );
@@ -738,7 +745,7 @@ check_prefs(KBNODE keyblock)
 static int
 import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	    unsigned char **fpr,size_t *fpr_len,unsigned int options,
-	    int from_sk )
+	    int from_sk, import_filter filter, void *filter_arg)
 {
     PKT_public_key *pk;
     PKT_public_key *pk_orig;
@@ -778,6 +785,10 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	return 0;
       }
 
+    if (filter && filter(pk, NULL, filter_arg)) {
+        log_error( _("key %s: rejected by import filter\n"), keystr_from_pk(pk));
+        return 0;
+    }
     if (opt.interactive) {
         if(is_status_enabled())
 	  print_import_check (pk, uidnode->pkt->pkt.user_id);
@@ -1146,7 +1157,8 @@ sec_to_pub_keyblock(KBNODE sec_keyblock)
  */
 static int
 import_secret_one( const char *fname, KBNODE keyblock,
-                   struct stats_s *stats, unsigned int options)
+                   struct stats_s *stats, unsigned int options,
+                   import_filter filter, void *filter_arg )
 {
     PKT_secret_key *sk;
     KBNODE node, uidnode;
@@ -1162,6 +1174,11 @@ import_secret_one( const char *fname, KBNODE keyblock,
     keyid_from_sk( sk, keyid );
     uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
 
+    if (filter && filter(NULL, sk, filter_arg)) {
+        log_error( _("secret key %s: rejected by import filter\n"), keystr_from_sk(sk));
+        return 0;
+    }
+
     if( opt.verbose )
       {
 	log_info( "sec  %4u%c/%s %s   ",
@@ -1235,7 +1252,7 @@ import_secret_one( const char *fname, KBNODE keyblock,
 	    if(pub_keyblock)
 	      {
 		import_one(fname,pub_keyblock,stats,
-			   NULL,NULL,opt.import_options,1);
+			   NULL,NULL,opt.import_options,1,NULL,NULL);
 		release_kbnode(pub_keyblock);
 	      }
 	  }
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 440c6a1..4d4d708 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -971,6 +971,46 @@ direct_uri_map(const char *scheme,unsigned int is_direct)
 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
 
+static int
+keyserver_retrieval_filter(PKT_public_key *pk, PKT_secret_key *sk, void *arg)
+{
+  KEYDB_SEARCH_DESC *desc = arg;
+  u32 keyid[2];
+  byte fpr[MAX_FINGERPRINT_LEN];
+  size_t fpr_len = 0;
+
+  /* we definitely do not want to import secret keys! */
+  if (sk) {
+    return 1;
+  }
+
+  fingerprint_from_pk(pk, fpr, &fpr_len);
+  keyid_from_pk(pk, keyid);
+
+  /* compare requested and returned fingerprints if available */
+  if (desc->mode == KEYDB_SEARCH_MODE_FPR20) {
+    if (fpr_len != 20 || memcmp(fpr, desc->u.fpr, 20)) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) {
+    if (fpr_len != 16 || memcmp(fpr, desc->u.fpr, 16)) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) {
+    if (memcmp(keyid, desc->u.kid, sizeof(keyid))) {
+      return 1;
+    }
+  }
+  else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) {
+    if (memcmp(&keyid[1], &desc->u.kid[1], 1)) {
+      return 1;
+    }
+  }
+  return 0;
+}
+
 static int 
 keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 		int count,int *prog,unsigned char **fpr,size_t *fpr_len,
@@ -1518,7 +1558,8 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 	     line-by-line and make a temp iobuf for each key. */
 
 	  import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
-			     opt.keyserver_options.import_options);
+			     opt.keyserver_options.import_options,
+			     &keyserver_retrieval_filter, desc);
 
 	  import_print_stats(stats_handle);
 	  import_release_stats_handle(stats_handle);
@@ -2050,7 +2091,7 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
       opt.no_armor=1;
 
       rc=import_keys_stream(key,NULL,fpr,fpr_len,
-			    opt.keyserver_options.import_options);
+			    opt.keyserver_options.import_options,NULL,NULL);
 
       opt.no_armor=armor_status;
 
diff --git a/g10/main.h b/g10/main.h
index eadac1f..73a5529 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -207,11 +207,13 @@ MPI encode_md_value( PKT_public_key *pk, PKT_secret_key *sk,
 		     MD_HANDLE md, int hash_algo );
 
 /*-- import.c --*/
+typedef int (*import_filter)(PKT_public_key *pk, PKT_secret_key *sk, void *arg);
 int parse_import_options(char *str,unsigned int *options,int noisy);
 void import_keys( char **fnames, int nnames,
 		  void *stats_hd, unsigned int options );
 int import_keys_stream( IOBUF inp,void *stats_hd,unsigned char **fpr,
-			size_t *fpr_len,unsigned int options );
+			size_t *fpr_len,unsigned int options,
+			import_filter constr, void *filter_arg);
 void *import_new_stats_handle (void);
 void import_release_stats_handle (void *p);
 void import_print_stats (void *hd);
-- 
1.7.10.4


From John at enigmail.net  Fri Sep 20 03:36:29 2013
From: John at enigmail.net (John Clizbe)
Date: Thu, 19 Sep 2013 20:36:29 -0500
Subject: Checking key server response against the request parameters
In-Reply-To: <CAAu18hfQDsg7JaBAj-=2KwZr4QXosXbo+poPS+qORL6uicZO7Q@mail.gmail.com>
References: <20130913064854.GZ21970@zirkel.wertarbyte.de>
 <20130915212250.GM21970@zirkel.wertarbyte.de> <523634B9.4040907@enigmail.net>
 <20130916032244.GN21970@zirkel.wertarbyte.de>
 <20130918135304.GG6981@zirkel.wertarbyte.de>
 <CAAu18hfQDsg7JaBAj-=2KwZr4QXosXbo+poPS+qORL6uicZO7Q@mail.gmail.com>
Message-ID: <523BA69D.6090005@enigmail.net>

Nicholas Cole wrote
> I've been following the other patches - but I don't quite follow this
> last scenario at all.  The whole point of keyservers is that they
> don't have to be trusted. Malicious users can (and have) upload fake
> keys all the time.  As long as users check fingerprints and assign
> introducer trust with care, there is no problem.  If I search for John
> H. Newuser's key and get back 1 real and 2 fake ones, the only harm
> that is done is if I fail to check the fingerprints before signing the
> correct one, and my HD has a couple of extra keys on it that I
> probably ought to delete, but which will do no harm, unless I adopt
> the "always trust" trust model and then fail to do any external
> checking.

EXACTLY. Aside from some aggravation and the nuisance value, I cannot see
where this "injection attack" with public or secret keys presents a security
risk.

A secret key without the passphrase is just extra bytes in the keyring. Ditto
unasked for public keys. I'll grant the "Where the hell did that come from?"
aggravation but that's the only value I see from this attack.

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 520 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130919/d91be338/attachment-0001.sig>

From gniibe at fsij.org  Thu Sep 26 04:45:59 2013
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 26 Sep 2013 11:45:59 +0900
Subject: True RNG and GnuPG / libgcrypt
In-Reply-To: <5230B97E.2080408@mirix.org>
References: <1377157444.3419.8.camel@cfw2.gniibe.org>
 <1378092424.3168.5.camel@cfw2.gniibe.org> <5230B97E.2080408@mirix.org>
Message-ID: <1380163559.3247.5.camel@cfw2.gniibe.org>

On 2013-09-11 at 20:42 +0200, Matthias-Christian Ott wrote:
> On 2013-09-02 05:27, NIIBE Yutaka wrote:
> > There are two issues for me, now.
> >
> >   (1) I don't find any method to feed entropy (for /dev/random) on
> >       *BSD system
> 
> From a quick look at the FreeBSD source code of /dev/random, you can
> feed entropy into it, if it uses Yarrow. If it uses the VIA Padlock RNG
> [1], it won't work.
> 
> As far as I can tell from the source code, on illumos, OpenBSD,
> DragonFlyBSD, NetBSD and XNU you can also feed entropy into /dev/random.
> 
> On Microsoft Windows it seems you can't feed entropy into the kernel.
> But there is the EGDW [2]. On ReactOS CryptGenRandom and RtlGenRandom
> don't use a CPRNG.
> 
> Minix 3 and Haiku allow you to feed entropy into /dev/random.
> 
> Plan 9 doesn't allow writes to /dev/random and doesn't use a CPRNG for
> /dev/random.
> 
> On HP-UX you can't write to /dev/random or /dev/urandom. On AIX you can
> feed entropy into /dev/random and /dev/urandom.
> 
> If you're concerned about some other obscure POSIX-like operating
> system, I'll try my best to find some information about its /dev/random.
> But I think it safe to say that on all major operating system except
> Microsoft Windows, you can write to /dev/random and the data written is
> feed into an entropy pool of the kernel.

Thanks a lot for your research.

It was my misunderstanding that we couldn't feed entropy on *BSD.

I also did some research.

I checked Debian GNU/kFreeBSD system, and find exactly same init
script which feeds entropy from a file at start up and saves random
data at shutdown.

I checked NetBSD's init scripts and found /etc/rc.d/random_seed which
does same thing (by rndctl command).

Well, it is possible for a user of standalone NeuG RNG device to feed
its random data to kernel (of most operating system), so that GnuPG
(or other applications) can get good random data.  That's good.

For me, it will be simple and solid if we can use the output of an RNG
device directly, for key generation operation of GnuPG, given the
condition where such an RNG device has best quality.

I mean, it would be good to have an interface which allows using RNG
device directly (even if /dev/random is available).
-- 




From gniibe at fsij.org  Thu Sep 26 07:27:28 2013
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 26 Sep 2013 14:27:28 +0900
Subject: ECC and smartcards
In-Reply-To: <1361163668.3183.9.camel@cfw2.gniibe.org>
References: <CAPqDu0P+ZZw2HbvNNLs_FetY4_k7M8qkZ901uANzqwcGYUoaCQ@mail.gmail.com>
 <1326243062.2015.1.camel@latx1.gniibe.org>
 <1360911825.12360.1.camel@cfw2.gniibe.org>
 <87ehghpwk9.fsf@vigenere.g10code.de>
 <1360937901.1886.2.camel@latx1.gniibe.org>
 <87y5epoa54.fsf@vigenere.g10code.de>
 <1361163668.3183.9.camel@cfw2.gniibe.org>
Message-ID: <1380173248.3247.8.camel@cfw2.gniibe.org>

In February, we talked supporting ECC for OpenPGP card.

Since then, I did some part of ECDSA in GnuPG 2.1.x.  I tested it with
Gnuk development version for authentication.

This time, I'd like to talk (and will implement) ECDH part.

Currently, "7.2.9 PSO: DECIPHER" in the OpenPGP card specification
v2.0, decryption is defined as:

    Command:
    CLA           00 / 10
    INS           2A
    P1            80 = Return plain value
    P2            86 = Enciphered data present in the data field
    Lc            xx = Length of subsequent data field
    Data field    Padding indicator byte (00) followed by cryptogram
    Le            00

    Response:
    Data field    Plain data
    SW1-SW2       9000 or specific status bytes

For ECDH, how about the following?

    Command:
    Data field    Ephemeral public key in format: 04 || X || Y

    Response:
    Data field    Shared secret: x coordinate only

In the terms of RFC6637, host sends the ephemeral public key V (point
on the curve) to card, then, asks card to compute shared secret S = rV
where r is the private key (scalar), then, card responds by x
coordinate of the point S.  KDF and AESKeyUnwrap computation is done
on host.

Considering this command/response interaction, I have two references.

One is NIST SP 800-73-3, Interfaces for Personal Identity Verification
Part 2, section A.4.2 Elliptic Curve Cryptography Diffie-Hellman.
It's definition of command data field is:

    '7C' - L1 {'82' '00' '85' L2 {'04' || X || Y}}

Response data field is:

    '7C' - L1 {'82' L2 {shared secret Z}}
     Z is the X coordinate of point P as defined in SP 800-56A

Another is SmartCard-HSM by cardomatic.  I don't have its
specification at hand, but OpenSC has its support in
src/libopensc/card-sc-hsm.c.  It's response data field seems:

    '04' || X || Y

in the function sc_hsm_decipher.

			*	*	*

On 2013-02-18 at 14:01 +0900, NIIBE Yutaka wrote:
> In Japan, ECDH means C(2, 0, ECC CDH) by CRYPTREC.
> 
>     http://www.cryptrec.go.jp/english/method.html
> 
> Update of this specification is scheduled this year.

It was updated, but nothing has been changed for ECDH.  C(2, 0) means
two ephemeral keys model, which is irrelevant for message encryption
of S/MIME or OpenPGP (which use static key).  This means that there is
no reference in Japan for ECDH standard for message encryption with
static key, unfortunately.
--