On Jul 27, 2012, at 12:39 AM, Daniel Kahn Gillmor wrote:
Hi folks--
I think i'm seeing a discrepancy between packets generated by a popular
OpenPGP implementation (GnuPG) and RFC 4880. I'm wondering if anyone
can help clarify my understanding of the RFC.
https://tools.ietf.org/html/rfc4880#section-5.2.4 says:
[...]
When a signature is made over a key, the hash data starts with the
octet 0x99, followed by a two-octet length of the key, and then body
of the key packet. (Note that this is an old-style packet header for
a key packet with two-octet length.) A subkey binding signature
(type 0x18) or primary key binding signature (type 0x19) then hashes
the subkey using the same format as the main key (also using 0x99 as
the first octet). Key revocation signatures (types 0x20 and 0x28)
hash only the key being revoked.
[...]
Note that 0x28 is a subkey revocation signature.
The subkey revocation packet generated by GnuPG 1.4.12 appears to be
made over a digest that includes both the primary key and the subkey.
This seems to be in contrast to the idea that it "revocation signatures
hash only the key being revoked."
Interesting. Digging around a bit, it seems that this was noticed by Marc
Horowitz in 2000 (see
http://www.mhonarc.org/archive/html/ietf-openpgp/2000-12/msg00001.html ), but
for one reason or another it wasn't resolved before publication.
Nice catch! I think this would be a good errata item for the RFC.
http://www.rfc-editor.org/how_to_report.html
David
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp