Message-ID: <4D124D68.6060300@fifthhorseman.net>
Date: Wed, 22 Dec 2010 14:11:36 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
	rv:1.9.2.12) Gecko/20101110 Icedove/3.1.6
MIME-Version: 1.0
To: Sebastian Spaeth <Sebastian@SSpaeth.de>
Subject: Re: PGP/MIME signature verification
References: <4CF15D67.1070904@fifthhorseman.net>
	<87aak08fu8.fsf@servo.finestructure.net>
	<87zkrz314j.fsf@SSpaeth.de> <4D10C97C.7060602@fifthhorseman.net>
	<87mxnx3mb9.fsf@SSpaeth.de>
In-Reply-To: <87mxnx3mb9.fsf@SSpaeth.de>
OpenPGP: id=D21739E9
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature";
	boundary="------------enig83760AE24DDB8E65EA18B507"
Cc: notmuch <notmuch@notmuchmail.org>
Precedence: list
Reply-To: notmuch <notmuch@notmuchmail.org>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig83760AE24DDB8E65EA18B507
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 12/22/2010 09:38 AM, Sebastian Spaeth wrote:
>>> "sigstatus": [{"status": "error","keyid": "ED34CEABE27BAABC", "errors=
":
>>> 2}]
>>> (perhaps due to me not having your key???)
>>
>> yup, that is why you get that error.
>=20
> Is there a possibility to squeeze a nicer error message out of it? :-)

that's a good question -- i'm not sure libgmime gives us much else to
work with (it is itself calling out to gpg, which in turn might not give
*it* much to work with), but i'll see if there's anything we can do
about that.

One potential concern with this kind of reporting is that (due to the
dirty details of the OpenPGP data signature format), differentiating
"you don't have this key in your keyring" from "you have this key, but
the signature is bad" is not fully possible.

For those who want the details:

 0) an OpenPGP signature contains the signature data itself, plus an
indicator of what key made the signature (the "issuer"):

  https://tools.ietf.org/html/rfc4880#section-5.2.3.5

 1) The indicator is the lower 64-bits of the OpenPGP fingerprint of the
signing key.

 2) OpenPGP fingerprints themselves are SHA-1 sums of (some fiddly
concatenation of) the creation time of the key and the public key
material itself:

  https://tools.ietf.org/html/rfc4880#section-12.2

However, the 64 bits of the key ID (while longer than the 32-bit pattern
commonly expressed like "0xDEADBEEF") isn't really a big-enough search
space to resist collision attacks by moderately-well-resourced adversarie=
s.

That is, it's currently possible to have a computer farm powerful enough
to crank through the search space to create a valid OpenPGP key with any
chosen 64-bit key ID.

So if Alice has her legitimate key with key ID 0x0000DECAFBAD0000, and
Eve has a big computer, Eve can create a new OpenPGP key with the same
Key ID.  If Eve convinces Bob to load her own key into his keyring, then
what happens when Bob receives a signed message from Alice?

Bob's verifier will look at the message, see that it's signed by a key
with key ID 0x0000DECAFBAD0000, and then check the signature against his
copy of Eve's key.  But the signature doesn't verfiy!  This is actually
because Bob doesn't have Alice's key, of course, but his client has no
way of knowing that -- it just sees that it has a matching key that
doesn't verify.

So an attacker can convert a "you don't have this key" to a "you have
this key but the signature doesn't validate" without even tampering with
the message in transit (of course, an attacker who can tamper with the
message in transit can *also* make a signature fail to validate, just by
flipping a bit or two in either the message or the signature).

(note: don't despair!  the full 160-bit OpenPGP fingerprint space is not
currently under threat; only the 64-bit "key ID" has the above problem,
given our current understanding of cryptanalysis and the power of our
computing hardware).

	--dkg


--------------enig83760AE24DDB8E65EA18B507
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJNEk1oAAoJEMzS7ZTSFznpwtoP/2oWg6zfUJQ5+WLTr7hIGaax
anJLrexylzLczEZ0BVlA+m+v3YGGkXDaU+VMFqsjHQMvEoCiIuGcrj53NQV4ICbj
s18FjTepjkr3/x+3Xseug1afDc6+DG80+fXyUUEkLpuvCJwA1zdcn8fu/Jl/fgsA
tgGU7q/lv4HoMH3kQB3t6i4cFaOwk4W4NySqVWjuS06+7DXqLBmZ5Pe8/2vB6dic
zmr/j/W4waDBK9wkqZ4YAfwrABaKuvCfT367/0tYKKPDpG7XPnkbuaVNleUXoT4c
4tLp0MAV0Wgn331jrqT7w1Yh37ZaR2usAJ0WICi62F3yQkeB95XcfOVxmEcrgzdj
EA6qGi/9P0x559SvLMW/+e4KaniaC18aHNwSU7rP4D942d16hDpukyvOrey9+5BB
g1J3Lu581J5/MoUka0LuxebiqqdOXWzNbV9AETYx7drqMx7RrgiIfffE9etjlYPA
pqr3JZf4PLeF+aFqWtMjmLH9P6hlEbolnzqoL/QXNAzFjuE6fqI/R8rQNo3UD6r9
R7oGbr3LDCDs0GDOv1UEq3CBJ8P5VsPdAAcqn2xM2Foyc6A0v8mfr0XfMWfKesFA
xDIApjmNA/8i5v25XwWSs/EYyEqub6ndKnfvE/pbjn6TwzvwKixktCID4MgaptzK
SDe0fT0MN+NeK+sDJ1dN
=XwoT
-----END PGP SIGNATURE-----

--------------enig83760AE24DDB8E65EA18B507--