Handling a TOFU conflict

Neal H. Walfield neal at walfield.org
Thu Dec 8 10:19:29 CET 2016 

On Thu, 08 Dec 2016 00:06:26 +0100,
Werner Koch wrote:
> On Wed,  7 Dec 2016 22:32, neal at walfield.org said:
> > As far as I can tell, whether the client uses the "GET_LINE
> > tofu.conflict" or not, whether to supply the list of conflicting keys
> > is orthogonal.
> 
> Yep.  But that is not how GPGME works, which is my primary concern.
> If EasyPG wants to handle this different, so be it - but changing
> our interface for this is a no-go.

So, your primary convern is that EPG is using --command-fd while gpgme
is using --batch.  I think this is reasonable.  Daiki will need to
decide how he wants to handle this, but I suspect it is a fair amount
of destabilizing work and won't make it into the next version of
Debian.

> Adding additional status information in
> case of conflicting keys is acceptable as long as we have this info
> already available.  In fact we already have all status lines for this
> available:
> 
>   TOFU_USER <fingerprint1> <mbox>  
>   TOFU_STATS 0 ....
>   TOFU_USER <fingerprint2> <mbox>  
>   TOFU_STATS 0 ....
> 
> indicates that the two keys FINGERPRINT1 and FINGERPRINT2 conflict on
> the address MBOX.  (The 0 is "conflict" value of that SUMMARY byte).

My experiments suggest that this information is not available (see
Message-ID: <87wpfd175i.wl-neal at walfield.org>).  My proposed patch
in that mail changes this.

> > Well, as far as I can tell, the TFS records and the TOFU_STATS contain
> > the same information.  Your approach also doesn't exclude keys that
> > are known now to conflict with the selected key (e.g., if they are
> > cross signed), and doesn't deal with the aliasing issue.
> 
> I have noticed that you put code in place to detect this and thus avoid
> a conflict.  What do you mean by aliasing?

Say we have a at example.org and a at example.org (the first a is a latin a
and the second a is a Cyrillic a) and we internally normalize them to
be the same thing (i.e., we decide that a at example.org and
a at example.org conflict even though a memcmp says they are not
identical), then doing gpg -k mbox won't find all of the conflicts,
because gpg doesn't do the same transformation.

> > about how this is supposed to work?  Why should the TOFU
> > implementation not try to detect homograph attacks?
> 
> Because that is not the duty of gpg - this is an entire different layer.
> A MUA _might_ care about this but most likely it can only support the
> user in detecting this.  This has nothing to do with with T0FU.
> 
> Mixing up layers is the cause of a lot of evil.

TOFU is about monitoring bindings to detect conflicts.  If we don't
try to actively detect conflicts, then we are left with
--always-trust.  Thus, this is precisely the type of thing that TOFU
is trying to do.

If you think TOFU is about something else, I'd like to hear your
definition.

> > I just tried this using the WoT and gpg doesn't handle this case
> > specially:
> 
> Right, but with T0FU we are going to improve this.  Before 2.1.16 we did
> not distinguish on how a key was specified.  Now a key specified by mail
> address is treated different than a key specified by other means.  This
> is to support our major goal of easily using the right key for a mail.
> With tofu and tofu+gpg we can and should drop the old checks and
> consider a key specified by fingerprint as DWIW-and-encrypt-to-this-key.
> For backward compatibility we can't do this for the pgp trust model.
> 
> Thus it will eventually be possible for MUAs to avoid the use of
> GPGME_ENCRYPT_ALWAYS_TRUST (--always-trust in gpg) after the keys have
> been selected and passed by fingerprint to gpg.

I missed this discussion.  Thanks for clarifying.  I need to think
about whether this is a good idea or not.

:) Neal

More information about the Gnupg-devel mailing list