Bug#872271: hopenpgp-tools: please make a simple OpenPGP signature validation binary
Daniel Kahn Gillmor
2017-08-15 15:00:03 UTC
Package: hopenpgp-tools
Version: 0.19.4-3
Severity: wishlist

I'd like hopenpgp-tools to produce a simple signature validation
binary, which validates a signature against a set of curated keyrings.

let's call it hov (for "hopenpgp validator").

Synopsis
--------

The proposed syntax is:

hov -k KEYRING [-k OTHERKEYRING ...] [options] SIGNATURE BLOB

Where options include:

--not-before TIMESPEC
--not-after TIMESPEC

if not present, --not-before defaults to NULL, and --not-after
defaults to "now".

It should return 0 (success) if the signature is valid over the
blob, and was issued correctly from one of the keys in the set of
keyrings offered, and some non-zero code otherwise.


Details
-------

It should take into account at least the following concerns:

* key usage flags (signatures made by keys not with the "signing"
capability are not valid)

* signature time (signatures made before the --not-before timespec
(if non-NULL) or after the --not-after timespec are not valid)

* key validity time (signatures made before key creation or after key
expiry are not valid)

* key revocation (signatures made by revoked keys are not valid)

* key strength and signature strength (signatures over MD5 and SHA1
are not valid; signatures made by RSA keys less than 2048 bits are
not valid -- maybe there's a possible extension here to mark other
algorithms as unacceptable)

* subkey bindings (signatures made by a signing-capable subkey must
have a cross-sig to the primary key; binding sigs and cross-sigs
must be made with a reasonable signature algorithm; binding sigs
and cross-sigs must be valid, non-revoked, non-expired, not in the
past, etc)

Freshness
---------

[ rationale for --not-before and --not-after ]

In some cases, the user expects signatures to be made within a certain
temporal window. For example, in e-mail validation, if i think the
e-mail was sent at time T (e.g. if it has a "Date: T" header), i
expect the signature to be made in a little window of time around T,
or else something is clearly amiss.

For software package validation, i might have some prior version of
the software package from the same vendor, and i want to ensure that
the Date is explicitly *after* the date of that previous signature.

The user should be able to express this preference simply to the
validator and have the validator do the right thing.


Open questions
==============

here are some open questions about the proposed design and possible
future enhancements to keep in mind:

TIMESPEC format
---------------

How should hov expect the user to enter time information? With what
precision? OpenPGP has 1sec granularity. Should we bake that choice
of precision into hov?


Covert Channels
---------------

What if the SIGNATURE blob contains something other than an OpenPGP
signature? Should hov reject it or ignore the cruft?


Multiple Signatures
-------------------

What if the user wants to ensure that there are signatures from
multiple signers in the curated keyrings (e.g. 2 of 5 signers)? the
proposed interface doesn't have any way to represent that.


Info about the signature
------------------------

In the event that a signature is validated, it's possible that the
person doing verification wants to learn something about it (e.g. to
record details in a log, like date of signature). In the event that
it is not successful, it's possible that they want to learn more about
it for debugging purposes. The above simple proposal doesn't provide
any means for emitting this information for those who want it.

perhaps just logging in machine-readable form to stderr is sufficient
for the first crack at this?

--dkg

-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hopenpgp-tools depends on:
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.24-12
ii libffi6 3.2.1-6
ii libgmp10 2:6.1.2+dfsg-1
ii libncursesw5 6.0+20170715-2
ii libnettle6 3.3-1+b1
ii libtinfo5 6.0+20170715-2
ii libyaml-0-2 0.1.7-2
ii zlib1g 1:1.2.8.dfsg-5

hopenpgp-tools recommends no packages.

hopenpgp-tools suggests no packages.

-- no debconf information
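The policy checks listed under "Details" and "Freshness", plus a threshold count that answers the "2 of 5 signers" open question, as an added example that is not part of the bug report or of hopenpgp-tools. It is Python rather than Haskell, and it does no OpenPGP parsing: key and signature metadata (fingerprints, timestamps, usage flags, binding and cross-signature status, the outcome of the mathematical check) are modelled as constructed dataclasses, so only the acceptance policy is shown. All fingerprints and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Policy constants from the wishlist text: MD5/SHA1 signatures and
# RSA keys under 2048 bits are rejected.
WEAK_HASHES = {"MD5", "SHA1"}
MIN_RSA_BITS = 2048


@dataclass
class Key:
    """Metadata a validator would extract from a certificate in a keyring (constructed model)."""
    fingerprint: str
    created: datetime
    expires: Optional[datetime]
    revoked: bool
    can_sign: bool                     # OpenPGP key-usage "signing" flag
    algo: str                          # e.g. "RSA", "EdDSA"
    bits: int
    primary_fpr: Optional[str] = None  # set only for subkeys
    binding_ok: bool = True            # binding sig from primary: valid, strong hash, unrevoked, unexpired
    cross_sig_ok: bool = True          # subkey's cross-signature over the primary key


@dataclass
class Signature:
    """Metadata of one signature packet plus the result of the math check (constructed model)."""
    issuer_fpr: str
    created: datetime
    hash_algo: str
    crypto_ok: bool                    # did the signature verify over the blob?


def find_key(fpr: str, keyrings: List[List[Key]]) -> Optional[Key]:
    """Look the issuer up across every curated keyring passed with -k."""
    for ring in keyrings:
        for key in ring:
            if key.fingerprint == fpr:
                return key
    return None


def check_signature(sig: Signature, keyrings: List[List[Key]],
                    not_before: Optional[datetime] = None,
                    not_after: Optional[datetime] = None) -> Optional[str]:
    """Apply the hov policy to one signature. Returns None when the signature
    is acceptable, otherwise a short reason suitable for stderr logging."""
    if not_after is None:                        # --not-after defaults to "now"
        not_after = datetime.now(timezone.utc)
    if not sig.crypto_ok:
        return "signature does not verify over blob"
    key = find_key(sig.issuer_fpr, keyrings)
    if key is None:
        return "issuer not in curated keyrings"
    if not key.can_sign:
        return "issuing key lacks signing capability"
    if sig.hash_algo in WEAK_HASHES:
        return "weak hash algorithm %s" % sig.hash_algo
    if key.algo == "RSA" and key.bits < MIN_RSA_BITS:
        return "RSA key too short (%d bits)" % key.bits
    if not_before is not None and sig.created < not_before:
        return "signature made before --not-before"
    if sig.created > not_after:
        return "signature made after --not-after"
    if sig.created < key.created:
        return "signature predates key creation"
    if key.expires is not None and sig.created > key.expires:
        return "signature made after key expiry"
    if key.revoked:
        return "issuing key is revoked"
    if key.primary_fpr is not None:              # subkey: binding and cross-sig must hold
        if not key.binding_ok:
            return "subkey binding signature unacceptable"
        if not key.cross_sig_ok:
            return "subkey lacks valid cross-signature to primary"
    return None


def hov(sigs: List[Signature], keyrings: List[List[Key]],
        not_before: Optional[datetime] = None, not_after: Optional[datetime] = None,
        threshold: int = 1) -> Tuple[int, Dict[str, str]]:
    """hov-style verdict: exit code 0 when at least `threshold` distinct primary
    keys issued acceptable signatures (threshold=1 is the proposed interface;
    larger values cover the '2 of 5 signers' case). Also returns a per-issuer
    report, the machine-readable detail the proposal suggests logging to stderr."""
    report: Dict[str, str] = {}
    good_primaries = set()
    for sig in sigs:
        reason = check_signature(sig, keyrings, not_before, not_after)
        report[sig.issuer_fpr] = reason or "ok"
        if reason is None:
            key = find_key(sig.issuer_fpr, keyrings)
            good_primaries.add(key.primary_fpr or key.fingerprint)
    return (0 if len(good_primaries) >= threshold else 1), report


# Constructed sample keyrings and signatures; fingerprints are placeholders.
def T(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

PRIMARY = Key("AAAA0001", T("2016-01-01"), None, False, True, "EdDSA", 256)
SUBKEY = Key("AAAA0002", T("2016-06-01"), T("2020-01-01"), False, True, "RSA", 4096,
             primary_fpr="AAAA0001")
SHORT_RSA = Key("BBBB0001", T("2010-01-01"), None, False, True, "RSA", 1024)
REVOKED = Key("CCCC0001", T("2015-01-01"), None, True, True, "EdDSA", 256)
KEYRINGS = [[PRIMARY, SUBKEY], [SHORT_RSA, REVOKED]]

SIGS = [
    Signature("AAAA0002", T("2017-08-15"), "SHA256", True),   # good subkey signature
    Signature("BBBB0001", T("2017-08-15"), "SHA256", True),   # 1024-bit RSA
    Signature("CCCC0001", T("2017-08-15"), "SHA256", True),   # revoked key
    Signature("AAAA0001", T("2017-08-15"), "SHA1", True),     # weak hash
]

if __name__ == "__main__":
    code, report = hov(SIGS, KEYRINGS, not_before=T("2017-08-01"))
    for fpr, verdict in report.items():
        print("%s %s" % (fpr, verdict))
    raise SystemExit(code)
```

Every rejection reason is a distinct string, which is what makes the stderr output usable both for the logging case and for the debugging case raised under "Info about the signature"; the exit code alone carries only the 0/non-zero verdict the synopsis asks for.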
Daniel Kahn Gillmor
2019-11-08 13:30:01 UTC
Control: retitle 872271 hopenpgp-tools: please implement "hop verify", from the Stateless OpenPGP command-line interface
Post by Daniel Kahn Gillmor
I'd like hopenpgp-tools to produce a simple signature validation
binary, which validates a signature against a set of curated keyrings.
let's call it hov (for "hopenpgp validator").
Synopsis
--------
I'd like to update this suggestion for hopenpgp-tools. After a decent
amount of discussion with other OpenPGP users and developers, what i
want is potentially more than a simple signature validator (though a
simple signature validator is part of it).

Rather, i want something that approaches a "stateless OpenPGP command
line interface" (or "sop") as documented at
https://tools.ietf.org/html/draft-dkg-openpgp-stateless-cli

The "sop" interface is intended to be implementable piecemeal -- you can
implement some subcommands and leave others out as the implementation
progresses.

The subcommand "sop verify" is basically a slightly refined version of
the interface i originally requested on this bug report.

I'm imagining that the implementation from hopenpgp-tools would be
"/usr/bin/hop" -- but of course that's your call.

So this wishlist bug report is now asking for the "hop verify"
subcommand. (obviously, if other subcommands are implemented, that
would be nice too)

If, in the course of looking at this, you have ideas for improvements or
simplifications for the `sop` generic interface, I welcome those
suggestions, either on ***@ietf.org, or at
https://gitlab.com/dkg/openpgp-stateless-cli

Thanks for your efforts on hOpenPGP!

--dkg

PS the easiest subcommand to implement would be "hop version" if you
want to get started, and you already have "hop dearmor" and something
close to "hop armor" as subcommands of /usr/bin/hot.
