[Sks-devel] Re: Key strangeness

David Shaw dshaw at jabberwocky.com
Wed Dec 15 04:36:19 CET 2004


On Tue, Dec 14, 2004 at 09:34:20PM -0500, Yaron Minsky wrote:
> On Tue, 14 Dec 2004 20:04:32 -0500, David Shaw <dshaw at jabberwocky.com> wrote:
> > On Tue, Dec 14, 2004 at 07:17:48PM -0500, Jason Harris wrote:
> > 
> > > Not "the entire Public Key packet starting with the version field,
> > > with whatever fixes you have to make so the key is fully
> > > RFC-compliant."
> > 
> > At this point I think you're just trolling so I'm going to stop
> > replying.  Needless to say, you've misunderstood what the RFC
> > requires, and what noncompliant actually means in this case.
> 
> At the risk of trolling myself, Jason's reading appears to me at first
> blush to be right.  It says, hash the entire public key packet,
> starting with the version field.  It seems like a mistake to calculate
> the fingerprint of a "corrected" version of the key.

The RFC does say that, but it is not the whole story.  It also says:

  The length field of an MPI describes the length starting from its
  most significant non-zero bit. Thus, the MPI [00 02 01] is not
  formed correctly. It should be [00 01 01].

MPIs with leading zeros are not RFC compliant.

> That said, I do appear to be alone in PGP implementations to handle it
> this way. That said, I'm not eager to fix it, since the keys in
> question are clearly broken, and, I'm hoping, quite rare.

Which is exactly my point.  The keys are made up of noncompliant MPIs.
The keys are thus corrupt/broken/not RFC compliant.  Whatever we call
it, the keys are outside the purview of the RFC.  There is no language
in the RFC that dictates how a program should handle a noncompliant
key.  This is a good thing, since questions like this can rapidly
spiral out of control - how much corruption is too much?

So given that noncompliant keys are outside the purview of the RFC, it
is correct to canonicalize the MPIs in an effort to "rescue" the key.
It is also correct to do nothing.  It is also correct to reject the
key altogether.

While I think it would be nice if SKS canonicalized as PGP and GnuPG
does, I would also be happy if it just rejected corrupt keys.  I do
think it would be a kindness to the community if SKS did not store
keys under the "wrong" key ID (and I use "wrong" carefully here since
it is not clear what is "right").

But this is just me expressing a preference.  The RFC does not mandate
any particular outcome here.

David



More information about the Gnupg-users mailing list