[Top] [All Lists]

Re: Notary signatures

2002-04-26 09:46:37

I don't think we have had to hash a signature packet before.  That means
that we have to canonicalize the header.  Following our wonderful OpenPGP
tradition, we of course have completely different canonicalization rules
for key and userid packets.  Here is what we do for userids:

   A certification signature (type 0x10 through 0x13) hashes the user id
   being bound to the key into the hash context after the above data. A
   V3 certification hashes the contents of the name packet, without any
   header. A V4 certification hashes the constant 0xb4 (which is an
   old-style packet header with the length-of-length set to zero), a
   four-octet number giving the length of the username, and then the
   username data.

I suppose we want to follow the same rules as the V4 case, for signature
packets.  We would hash the constant 0x84 (an old-style packet header
with length-of-length set to zero), a four-octet length, and then the
packet contents.  Since sigs-on-sigs need a target subpacket, it would
not be legal to do a V3 sig on a sig.  So we only need to consider the
V4 case.

BTW I notice we don't say here how to hash attribute packets.  In the NAI
PGP code we do as above except instead of the constant 0xb4 we use 0xd1,
a new-style packet header for attribute packets.  If the signature is a
V3 certification on the attribute packet we do as with userid packets,
and just hash the contents, without hashing the packet header.  That was
probably a mistake; since we had no need for backwards compatibility
with V3 sigs on attribute packets, we should have used the V4 rules for
both V3 and V4 signatures.


<Prev in Thread] Current Thread [Next in Thread>