[openpgp] subkey revocation signatures -- RFC compliance?

Hi folks--

I think i'm seeing a discrepancy between packets generated by a popular
OpenPGP implementation (GnuPG) and RFC 4880.  I'm wondering if anyone
can help clarify my understanding of the RFC.

https://tools.ietf.org/html/rfc4880#section-5.2.4 says:

[...]
   When a signature is made over a key, the hash data starts with the
   octet 0x99, followed by a two-octet length of the key, and then body
   of the key packet.  (Note that this is an old-style packet header for
   a key packet with two-octet length.)  A subkey binding signature
   (type 0x18) or primary key binding signature (type 0x19) then hashes
   the subkey using the same format as the main key (also using 0x99 as
   the first octet).  Key revocation signatures (types 0x20 and 0x28)
   hash only the key being revoked.
[...]

Note that 0x28 is a subkey revocation signature.

The subkey revocation packet generated by GnuPG 1.4.12 appears to be
made over a digest that includes both the primary key and the subkey.

This seems to be in contrast to the idea that it "revocation signatures
hash only the key being revoked."

Attached is a test key with a single subkey that has been revoked by gpg
1.4.12.  I haven't been able to figure out how to revoke a subkey with
any other OpenPGP implementation yet.

I tried loading the attached key into PGP 6.5.8 (fetched from [0]) and
GnuPG 1.4.12 (in an otherwise clean gpg home), and it does look like
that version of pgp is willing to accept this form of subkey revocation:

0 wt215@pip:~/src/pgp/pgp-6.5.8$ GNUPGHOME=../gpgtest gpg --check-sigs --verbose
gpg: using PGP trust model
../gpgtest/pubring.gpg
----------------------
pub   1024D/51902F1E 2012-07-27
uid                  test key <testkey(_at_)example(_dot_)net>
sig!3        51902F1E 2012-07-27  test key <testkey(_at_)example(_dot_)net>
sub   1024g/02CA3054 2012-07-27 [revoked: 2012-07-27]
sig!         51902F1E 2012-07-27  test key <testkey(_at_)example(_dot_)net>
rev!         51902F1E 2012-07-27  test key <testkey(_at_)example(_dot_)net>

0 wt215@pip:~/src/pgp/pgp-6.5.8$ LD_PRELOAD=./x/usr/lib/libstdc++.so.2.8 ./pgp 
-kvv
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.


Type bits      keyID      Date       User ID
DSS  1024      0x51902F1E 2012/07/27 
 DH  1024      0x51902F1E 2012/07/27 *** KEY REVOKED ***
                                      test key <testkey(_at_)example(_dot_)net>
sig            0x51902F1E             test key <testkey(_at_)example(_dot_)net>
1 matching key found.
0 wt215@pip:~/src/pgp/pgp-6.5.8$ 

I also made a bogus subkey revocation packet and tried loading that into
a clean PGP 6.5.8 profile instead of the gpg-generated one, and PGP did
*not* think that the subkey was properly revoked.

So it looks to me like there are at least two implementations that hash
more than the key being revoked for subkey revocations.

Any pointers to something i've missed in the spec?  Or does this warrant
an errata?

Regards,

        --dkg

[0] http://www.pgpi.org/cgi/download.cgi?filename=PGPcmdln_6.5.8.Lnx_FW.tar.gz

revoked-subkey.pgp
Description: example key with revoked subkey

pgpIPoyVkVDaz.pgp
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp