GnuPG uses the preferred keyserver URL in document signatures for retrieving the
public key of the signature maker, if not available. This is a very nice
feature, since it fixes an important shortcoming of OpenPGP. However, its
usefulness is limited by the fact that unhashed subpackets are ignored even
though -- unlike in the case of certifications -- there is no good reason for
this. No harm can be done by a party without the private key adding a pointer to
the public key to a signature (possibly long) after the signature has been
calculated.
Description
Description
Details
Details
- Version
- gpg (GnuPG) 1.4.10
Event Timeline
Comment Actions
That is not correct. An attacker may point to a source with a copy of the key
before a revocation has been issued. Granted, if the revocation has been done
becuase of a proven private key compromise, this does not help. In all other
cases it is useful.
Comment Actions
I respectfully disagree:
What you write is true for certification signatures, but not for document
signatures. Updates of keys should be driven by keyserver preference indications
on self-signatures on that key and those must obviously be hashed.
However, OpenPGP very cleverly allows for keyserver URLs in document signatures
and does take them into account. They are used for only one purpose: do download
the key if it is not known. In this case, unhashed subpackets are as good as
hashed ones (actually, better), because the cryptographic binding between the
signature and the public key can be verified anyway, there is no such thing as a
wrong source for the public key, if it does correspond to the signature.
Comment Actions
Revocations are an issue as I explained. I also don't see a point in not
putting them ins signed subpackets. There is no technical problem with that.
I guess your use case is to add a keyserver URL to a signature later to have an
easier way to retrieve the key. Tinkering with a signature after it has been
created is not a good idea - you can't easily explain it to people.
Comment Actions
Revocations are only an issue with key updates, which must be (and, in fact,
are) made on the basis of preferred keyserver URL's in self-signatures on keys.
With document signatures, the only important issue is to have the key retrieved
from somewhere, if it is not known to the verifier. I cannot see any way in
which an attacker can make things worse for anyone, if retrieval is attempted
from URL's in unhashed subpackets if the key is not available.
The application that I am working on is a pontentially very large archive of
signed documents (financial transaction authorizations) that also contains the
corresponding keys. The archive is supposed to be distributed/redundant, with
both the documents and the keys available from multiple servers and it can also
be migrated from one server to another. Servers can go online and offline all
the time, no address is permanent. It is trivially easy for a server to include
its own address into an unhashed subpacket and very useful, too. The server does
not have access to private keys.
Nothing needs to be explained to users if they can simply
gpg --verify document.asc
after retrieving it from the server. Much more needs to be explained if
instructions are necessary where to retrieve the corresponding public key.
Polluting the HKP/SKS infrastructure with all the keys (most of which are
disposable) that we use would impose an unfair burden on the infrastructure and
as such would be a very irresponsible thing to do.
Comment Actions
In addition to Werner's concerns, making network requests to unverified URLs can be harmful in many ways. For example, it would allow a third-party to detect when the signature was verified, among other even nastier things.