Series of minor questions about OpenPGP 3

David Shaw dshaw at jabberwocky.com
Tue Jan 27 16:48:09 CET 2009 

On Jan 27, 2009, at 7:46 AM, Peter Thomas wrote:

> Hi again.
>
> Ok this is a first bunch of questions on signatures (again both
> specific for gnupg but perhaps also common for OpenPGP).
> Would be glad if someone could help me with answering these (David?!  
> xD).
>
> 1) For the 0x11 signature the RFC says "...has not done any
> verification of the claim that ..." which as far as I understand means
> "The signer simply signed the key without checking the keyholders
> identity".

Pretty much, yes.  It's "the keyholder claims to be X and I believe  
them, but didn't check."

> Does gpg include this signature type in its trust-calculations or is
> it simply ignored (no matter whether I directly signed another key
> with a 0x11 or whether its "in the middle" of a trust-path between me
> and someone else?

In GPG, by default, it is simply ignored.  A 0x11 signature has no  
value anywhere in a trust calculation.  You can change the default if  
you like (or even make it more strict, by, say, ignoring 0x12  
signatures as well) with the --min-cert-level option.

> And if so, is this generally claimed by the RFC? I mean will every
> implementation behave like this (ignoring 0x11s) when it follows the
> RFC?

The RFC is really a file format document more so than a "how to use  
trust" document.  Every now and then it is suggested that a trust  
document or something like an OpenPGP best practices document should  
be written, but nobody has taken up the suggestion yet.  So the RFC  
that we have (4880) does not specify or deny this behavior: it simply  
lists the signature types for reference.  So all that said, I don't  
know if any other products ignore 0x11 signatures.  Keep in mind that  
few products draw any distinction between 0x10, 0x11, 0x12, and 0x13  
at all.  They treat all of the types identically and issue only 0x10  
signatures.

> 2) Why are the 0x19 signatures only used as embedded signatures? I
> mean wouldn't it be the same to simply add them as another "top level"
> signature packet?

0x19 lives inside a signature subpacket on a signature that the 0x19  
is making a statement about.  This makes it easy to find (it's always  
on the subkey binding signature), and makes it naturally travel along  
with the subkey that it is issued by (if you delete the subkey, the  
0x19 vanishes along with it).  Semantically, it could be a top-level  
signature.

> 3) I've understood why we need a "backsignature" (the 0x19) for
> signature subkeys, but why don't we need one for encryption subkeys?

The purpose of the back signature is to prevent "stealing" a signature  
subkey.  For example, say Alice has a key with a signing subkey (but  
no back signature).  She signs a document with her subkey and later  
tries to prove that it is her work.  Baker, however, takes Alice's  
subkey and attaches it to his key.  He can now try and prove that it  
is his work.  To be sure, he doesn't have the passphrase for the key  
and can't make more signatures, but he can verify signatures, and  
verifying signatures would look like they were verified by  
"his" (really Alice's) subkey.

One fix for this attack would be to ask both Alice and Baker to sign  
something for you as only Alice could, but back signatures avoids the  
whole shebang by having the subkey sign the primary key, making it  
obvious which primary "owns" the subkey.

This attack isn't meaningful for encryption subkeys.  Baker can choose  
to steal Alice's encryption subkey, but without the passphrase he  
can't decrypt anything with it, and he can't claim anything in  
particular after he has stolen it.  In any event, you couldn't make a  
back signature with, say, an Elgamal encryption-only key.

> 4) I've looked at the different revocation signature types. It seems
> that it's not possible to revoke 0x00, 0x01, 0x02, 0x40 and 0x50
> signature types?
> Is this desired? I mean I understand that these signature types can
> also be applied to casual data (and not just keys) but one could think
> of "revocation servers" like keyservers that could be asked whether
> some signature is still considered to be valid.

There is no current means to do this in the standard.  There is no  
reason for this beyond that nobody, as yet, has needed the ability.

> 5) I've looked at the layout of v4 signatures, which lead me to two  
> questions:
> a) What does gnupg put in this unhashed area. I mean which subpacket
> types (at maximum).

The basic rule for this is put it in the hashed area unless there is a  
reason not to.  The only subpackets that can safely live in the  
unhashed area are those where, if they are modified, the security  
semantics of the signature do not change, or the signature is broken.   
Note that some programs put some things in one area that other  
programs would put in the other.  All that said, GPG puts the Issuer  
and Signature subpackets in the unhashed area.  These are the two  
subpackets that are naturally tamper-proof.  Sure, an attacker can  
tamper with them - but all they would accomplish is make the signature  
not work (either because the signing key could not be found if they  
mess with the Issuer, or invalidate the backsig for the Signature).

> b) This two octet field containing the left 16 bits of the signed
> hash, doesn't this allow some kind of DoS attack? In the sense that
> someone that captures and modifies the OpenPGP message can change
> these two octets and an implementation that looks at these would
> immediately say "invalid signature"?

Yes and no.  Sure, if someone has the ability to modify the message  
they can mangle the 16 bit "quick check" field.  But then, if they  
have the ability to modify the message, they can mangle anything they  
like.  Why restrain themselves to those particular 16 bits?  Mangling  
- of any part of a signature - should cause the signature to be invalid.

David

More information about the Gnupg-users mailing list