David Shaw
Fri Jul 19 00:17:02 2002

On Thu, Jul 18, 2002 at 09:54:31PM +0000, Brian M. Carlson wrote:
> On Thu, Jul 18, 2002 at 05:22:14PM -0400, David Shaw wrote:
> > On Wed, Jul 17, 2002 at 02:35:58AM +0000, Brian M. Carlson wrote:
> > 
> > > I noticed that the Issuer KeyID is not a hashed subpacket. Is there
> > > a particular reason this is so? Is there a reason to not hash any
> > > subpacket?
> > 
> > I imagine it is because there is no real benefit to protecting it (no
> > harm either, of course).
> Well, it would be detected if it were changed, wouldn't it? I see that
> as a benefit.

Either way it is detected if it is changed.  Since the OpenPGP program
needs the keyid to find the key to check the signature, changing the
keyid (hashed or not) either results in an unverifiable signature (if
the keyid does not exist) or an invalid signature (if it does exist).

It's rather like a chicken-or-the-egg problem.  Its certainly true
that changing a hashed keyid renders the signature invalid - but who
can say if it is invalid because we're now using the wrong keyid to
verify it, or because we changed the hash?  Or both :)

Basically, you can only detect the modification if you can use the key
to verify the signature... and if you could use the key to verify the
signature, it wouldn't have been changed in the first place.

Using a hashed issuer subpacket could be useful when using multiple
issuers for a given signature, but GnuPG does not support that.

> I also remember seeing something somewhere in the code (I don't remember
> where, and I couldn't find it) that showed which subpackets were
> protected, and which weren't. Perhaps you could point me to the right
> file or so?

Look at build_sig_subpkt() in build-packet.c.  In short, all
subpackets are protected except issuer subpackets.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson