Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: devel

dealing with misplaced signatures

  

 
GnuPG devel RSS feed   Index | Next | Previous | View Threaded


dkg at fifthhorseman

Jul 30, 2012, 3:29 PM

Post #1 of 13 (225 views)
Permalink
dealing with misplaced signatures
Clint Adams reports in http://bugs.debian.org/683339:

--------------------------
This key has two signatures on a subkey:

http://keys.mayfirst.org/pks/lookup?op=get&search=0xED34CEABE27BAABC

gpg --edit-key will correctly detect them as being in the wrong place,
and move them to another wrong place, unless the uid/uat being moved
to happens to be the target of the signature.

Since sks appears to be buggy, those signatures will remain on the
subkey, and be replaced on a --recv-keys or --refresh. Then
a subsequent --edit-key will move them again.

It would be nice if something could prevent these things from happening.

--------------------------


The "sks appears to be buggy" remark refers to the fact that sks appears
to allow certain types of signature in places that they don't make sense:

http://bugs.debian.org/683328

This is why sks is willing to return regular identity certification
packets after a subkey binding cert.

--dkg
Attachments: signature.asc (1.01 KB)


guninski at guninski

Jul 30, 2012, 10:39 PM

Post #2 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
Was the sig of the subkey made with vanilla gpg or was it manipulated?

On Mon, Jul 30, 2012 at 06:29:52PM -0400, Daniel Kahn Gillmor wrote:
> Clint Adams reports in http://bugs.debian.org/683339:
>
> --------------------------
> This key has two signatures on a subkey:
>
> http://keys.mayfirst.org/pks/lookup?op=get&search=0xED34CEABE27BAABC
>
> gpg --edit-key will correctly detect them as being in the wrong place,
> and move them to another wrong place, unless the uid/uat being moved
> to happens to be the target of the signature.
>
> Since sks appears to be buggy, those signatures will remain on the
> subkey, and be replaced on a --recv-keys or --refresh. Then
> a subsequent --edit-key will move them again.
>
> It would be nice if something could prevent these things from happening.
>
> --------------------------
>
>
> The "sks appears to be buggy" remark refers to the fact that sks appears
> to allow certain types of signature in places that they don't make sense:
>
> http://bugs.debian.org/683328
>
> This is why sks is willing to return regular identity certification
> packets after a subkey binding cert.
>
> --dkg
>



> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel [at] gnupg
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

Jul 31, 2012, 8:13 AM

Post #3 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On 07/31/2012 01:39 AM, Georgi Guninski wrote:
> Was the sig of the subkey made with vanilla gpg or was it manipulated?

examining the sig, it happens to be byte-for-byte identical with a sig
on one of the User IDs.

As a result of gpg's (faulty) moving of the sig to the last user ID, we
see the same sig show up after several of the User IDs as well.

observe all the places where this particular sig shows up:

$ gpg --export 0xED34CEABE27BAABC | gpgsplit
$ md5sum * | egrep '(^848762|(attribute|id|key)$)'
95687f448844ff7144ae806a3d44059e 000001-006.public_key
f92637abe07b5fe3fcc48c384703c932 000002-013.user_id
925db22aabd790504bb80b8d0e1a6202 000019-013.user_id
8487624d4fd7292872c7de2c83ec895d 000041-002.sig
580775fce5bd929da507fc031969b891 000044-013.user_id
8487624d4fd7292872c7de2c83ec895d 000046-002.sig
12086b15b600f899937a91ec7fac99a7 000048-013.user_id
565800d7a2d5c675622a03829c9d8ef5 000090-013.user_id
ab2cf4addd27785fdbef507767d769a8 000134-013.user_id
0537fb472a556e7f441909014a5cb133 000156-013.user_id
cc5f36051c98ac72364e950ab0f18bf5 000191-013.user_id
8487624d4fd7292872c7de2c83ec895d 000194-002.sig
714723044960babc2a8ccaff426099f3 000196-013.user_id
b5e8df1259ef36974559aa865719ee63 000243-013.user_id
8487624d4fd7292872c7de2c83ec895d 000284-002.sig
0a15d0f11daff87b908ecc0e8aebbc0d 000289-013.user_id
e1aa33ca83b5d2f629ddb216c50c88c0 000340-013.user_id
8487624d4fd7292872c7de2c83ec895d 000385-002.sig
af4faed7d2101b27fdd0fb4ca819f420 000389-017.attribute
8487624d4fd7292872c7de2c83ec895d 000426-002.sig
7b65f1bbcf1c826bafec1b829d6b9530 000430-014.public_subkey
9c2e77755a1e3cce68d1f0d302f361fd 000432-014.public_subkey
8487624d4fd7292872c7de2c83ec895d 000435-002.sig
$

--dkg
Attachments: signature.asc (1.01 KB)


dshaw at jabberwocky

Jul 31, 2012, 2:29 PM

Post #4 of 13 (218 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Jul 31, 2012, at 11:13 AM, Daniel Kahn Gillmor wrote:

> On 07/31/2012 01:39 AM, Georgi Guninski wrote:
>> Was the sig of the subkey made with vanilla gpg or was it manipulated?
>
> examining the sig, it happens to be byte-for-byte identical with a sig
> on one of the User IDs.
>
> As a result of gpg's (faulty) moving of the sig to the last user ID, we
> see the same sig show up after several of the User IDs as well.

What's happening here is that the key is mangled on SKS (whether SKS mangled it or it was imported already mangled doesn't matter). GPG fetches it, and there is some code to move misplaced packets to the right place. Unfortunately, as you noticed, that code does not work if there is more than one user ID.

This code actually dates to 1998. The comment: "* Note: This function does not work if there is more than one user ID."

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


kristian.fiskerstrand at sumptuouscapital

Jul 31, 2012, 3:04 PM

Post #5 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On 2012-07-31 23:29, David Shaw wrote:

> What's happening here is that the key is mangled on SKS (whether SKS
> mangled it or it was imported already mangled doesn't matter). GPG
> fetches it, and there is some code to move misplaced packets to the
> right place. Unfortunately, as you noticed, that code does not work
> if there is more than one user ID.
>
> This code actually dates to 1998. The comment: "* Note: This
> function does not work if there is more than one user ID."
>

Hi David,

Any recommendation about how we should handle this scenario within SKS.
Currently we're having a debate about the existence of signatures not
0x18 and 0x28 on the subkey.

Currently we have a patch[0] ready that allows for these signatures to
be cleaned in the getting (and vindex) of the key, which at least would
reduce the problem of re-importing (--recv-key or --refresh) the mangled
signatures after they have been moved (resulting in duplication). This
is implemented [1] is in the cleaning layer for vindex and get, and not
on the data store, so the original data is available at [2] (and
respective clean=off for get). This approach means that no change is
necessary to the reconciliation process, and as such maintain backwards
compatibility.

However, before creating a Pull Request into the SKS Trunk, we have to
verify that this solution would not actually violating RFC4880. Although
there are implications that 0x10-0x13 signatures are for UID/UAT
packages, and as such would not belong to a subkey, would starting to
"hide information" be a violation of SKS's neutral way of storing data,
or is this mitigated by the ability to get the full data using clean=off
(which iirc is not officially in the HKP specs, or used by any
implementation).

What are your reflections around such an addition to SKS? does it make
sense for us to include something like this, or should we leave the
interpretation up to the OpenPGP implementation and keep the keys as
they are in SKS?


[0]
https://bitbucket.org/kristianf/sks-keyserver/changeset/b436e48dd8e08c247b841c5460786655d3e148bf

[1]
http://keys2.kfwebs.net:11371/pks/lookup?op=vindex&search=0xED34CEABE27BAABC

[2]
http://keys2.kfwebs.net:11371/pks/lookup?op=vindex&clean=off&search=0xED34CEABE27BAABC

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Corruptissima re publica plurimę leges
The greater the degeneration of the republic, the more of its laws
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is now
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
Attachments: signature.asc (0.88 KB)


dshaw at jabberwocky

Jul 31, 2012, 9:44 PM

Post #6 of 13 (217 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Jul 31, 2012, at 6:04 PM, Kristian Fiskerstrand wrote:

> On 2012-07-31 23:29, David Shaw wrote:
>
>> What's happening here is that the key is mangled on SKS (whether SKS
>> mangled it or it was imported already mangled doesn't matter). GPG
>> fetches it, and there is some code to move misplaced packets to the
>> right place. Unfortunately, as you noticed, that code does not work
>> if there is more than one user ID.
>>
>> This code actually dates to 1998. The comment: "* Note: This
>> function does not work if there is more than one user ID."
>>
>
> Hi David,
>
> Any recommendation about how we should handle this scenario within SKS.
> Currently we're having a debate about the existence of signatures not
> 0x18 and 0x28 on the subkey.
>
> Currently we have a patch[0] ready that allows for these signatures to
> be cleaned in the getting (and vindex) of the key, which at least would
> reduce the problem of re-importing (--recv-key or --refresh) the mangled
> signatures after they have been moved (resulting in duplication). This
> is implemented [1] is in the cleaning layer for vindex and get, and not
> on the data store, so the original data is available at [2] (and
> respective clean=off for get). This approach means that no change is
> necessary to the reconciliation process, and as such maintain backwards
> compatibility.
>
> However, before creating a Pull Request into the SKS Trunk, we have to
> verify that this solution would not actually violating RFC4880. Although
> there are implications that 0x10-0x13 signatures are for UID/UAT
> packages, and as such would not belong to a subkey, would starting to
> "hide information" be a violation of SKS's neutral way of storing data,
> or is this mitigated by the ability to get the full data using clean=off
> (which iirc is not officially in the HKP specs, or used by any
> implementation).

I don't feel it violates RFC-4880 for SKS to hide incorrect packets. While SKS can't do a lot of validation as it doesn't have crypto, it certainly can rule out certain packets in certain places without needing the ability to check signatures or the like.

That said, I'm not 100% sure it's a good idea: hiding the packets is potentially harmful. If GPG could move the bad signature to the right place (and at the moment it cannot do this for a key with more than one user ID), then hiding the packets from GPG prevents this repair from happening. After all, if GPG doesn't get the packets, it can't move them to the right place. This means the signatures are effectively lost, which can change the interpretation of a key (a user ID can become not self-signed, and thus invalid, or a revoked user ID could become unrevoked, etc).

So my thought it that while SKS should be free to do this, I think a better solution to the original problem would be to fix GPG to do a better job repairing things.

Possibly a best of both worlds would be to have SKS do its cleaning, and then GPG, after it gained the ability to do a repair, would start requesting keys with "clean=off". This way, clients that could not repair would not get mangled keys, and clients that could repair would get the whole key and be able to repair it.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Jul 31, 2012, 9:51 PM

Post #7 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Tue, 31 Jul 2012 23:29, dshaw [at] jabberwocky said:

> mangled it or it was imported already mangled doesn't matter). GPG
> fetches it, and there is some code to move misplaced packets to the
> right place. Unfortunately, as you noticed, that code does not work

At least in master there is no code to move packet during import; we
only delete certain misplaced packets.

> This code actually dates to 1998. The comment: "* Note: This function
> does not work if there is more than one user ID."

That is only used by --edit-key as a fix to a bug in a very early
version of GnuPG.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dshaw at jabberwocky

Jul 31, 2012, 10:11 PM

Post #8 of 13 (216 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Aug 1, 2012, at 12:51 AM, Werner Koch wrote:

> On Tue, 31 Jul 2012 23:29, dshaw [at] jabberwocky said:
>
>> mangled it or it was imported already mangled doesn't matter). GPG
>> fetches it, and there is some code to move misplaced packets to the
>> right place. Unfortunately, as you noticed, that code does not work
>
> At least in master there is no code to move packet during import; we
> only delete certain misplaced packets.
>
>> This code actually dates to 1998. The comment: "* Note: This function
>> does not work if there is more than one user ID."
>
> That is only used by --edit-key as a fix to a bug in a very early
> version of GnuPG.

I know this was the original reason for the function, but it's also the code that is fixing the mangled keys on SKS. When you import one of these keys, it is imported as-as (I did not mean to imply the repair happened as part of --import). The next time you run --edit-key, it is repaired. If the key has one user ID, the repair is as good as it can get. If the key has multiple user IDs, it's not a reliable repair as the signatures may end up on the wrong user ID.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Aug 1, 2012, 12:54 AM

Post #9 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Wed, 1 Aug 2012 07:11, dshaw [at] jabberwocky said:

> I know this was the original reason for the function, but it's also
> the code that is fixing the mangled keys on SKS. When you import one
> of these keys, it is imported as-as (I did not mean to imply the
> repair happened as part of --import). The next time you run
> --edit-key, it is repaired. If the key has one user ID, the repair is

If that problem happens more often now we should indeed try to clean it
up right during import (from file or keyserver). Detecting duplicated
signatures will be easy. If we need to verify a self-signature, we
probably need to add a post processing stage to the import.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

Aug 1, 2012, 9:33 AM

Post #10 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On 08/01/2012 12:44 AM, David Shaw wrote:
> hiding the packets is potentially harmful. [...]
> hiding the packets from GPG prevents this repair from happening.
> After all, if GPG doesn't get the packets, it can't move them to the
right place. > This means the signatures are effectively lost,

fwiw, in the cases where i've seen this, the packets in question are
*already* in the correct place, they just happen to *also* be in the
incorrect place, causing noise.

We don't support "fixing" the problem where someone submits a signature
packet after the wrong User ID, or attached to the wrong key entirely,
and i don't believe we should. Submitting the packets in the correct
order for them to be properly interpreted is the job of the key
uploader, not the job of the keyservers.

--dkg
Attachments: signature.asc (1.01 KB)


dshaw at jabberwocky

Aug 1, 2012, 10:12 AM

Post #11 of 13 (215 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Aug 1, 2012, at 12:33 PM, Daniel Kahn Gillmor wrote:

> On 08/01/2012 12:44 AM, David Shaw wrote:
>> hiding the packets is potentially harmful. [...]
>> hiding the packets from GPG prevents this repair from happening.
>> After all, if GPG doesn't get the packets, it can't move them to the
> right place. > This means the signatures are effectively lost,
>
> fwiw, in the cases where i've seen this, the packets in question are
> *already* in the correct place, they just happen to *also* be in the
> incorrect place, causing noise.
>
> We don't support "fixing" the problem where someone submits a signature
> packet after the wrong User ID, or attached to the wrong key entirely,
> and i don't believe we should.

I don't think anyone here has suggested that the keyservers repair anything. For a start, they're not capable of it.

The question is whether the keyservers should hide obviously incorrect things when passing keys back to clients, or pass back complete keys, including the obviously incorrect things. My point is that if you expect GPG to be able to fix a broken key, you need to pass back all the data, or GPG has nothing to work from. If you are stating that in every case of this corruption that the bad packets always exist in at least two places, and at least one of these is in the correct place, then why are we having this discussion? Drop the packets and be done with it.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

Aug 1, 2012, 10:29 AM

Post #12 of 13 (216 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On 08/01/2012 01:12 PM, David Shaw wrote:
> My point is that if you expect GPG to be able to fix a broken key, you need to pass back all the data, or GPG has nothing to work from.

well, you could expect the GPG of the original uploader to fix the
broken key before uploading it. Then the keyservers wouldn't have to
store and return obviously-incorrect data.

> If you are stating that in every case of this corruption that the bad packets always exist in at least two places, and at least one of these is in the correct place,

every case i've seen, yes. i don't know if that's a true universal,
though, or if it will be one going into the future. But i think it's
not relevant, if we consider it the job of the uploader to present a
well-formed public certificate package to the keyservers.

> then why are we having this discussion? Drop the packets and be done with it.

my sentiments exactly. :)

--dkg
Attachments: signature.asc (1.01 KB)


dshaw at jabberwocky

Aug 1, 2012, 10:42 AM

Post #13 of 13 (216 views)
Permalink
Re: dealing with misplaced signatures [In reply to]
On Aug 1, 2012, at 1:29 PM, Daniel Kahn Gillmor wrote:

> On 08/01/2012 01:12 PM, David Shaw wrote:
>> My point is that if you expect GPG to be able to fix a broken key, you need to pass back all the data, or GPG has nothing to work from.
>
> well, you could expect the GPG of the original uploader to fix the
> broken key before uploading it. Then the keyservers wouldn't have to
> store and return obviously-incorrect data.

It's an interesting question, as we don't really know how this corruption happened in the first place. We can't presume that the original uploader necessarily uploaded a corrupt key. Especially if the original uploader is the person who generated the key, it's rather hard to imagine the key was corrupt before it was uploaded.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

GnuPG devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.