Self-signatures on OpenPGP userids

Quote from: nutildah on March 12, 2020, 04:37:38 AM

Quote from: Ploni Almoni on March 11, 2020, 04:13:55 PM

The fact that I could create a "bitcointalk.org u=2778290" userid (self-signed by the primary key, with the signature's embedded creation time) proves everything that a signed "I am bitcointalk.org u=2778290" statement could, at the time of initial publication of the key. That is the reason for self-signatures on userids... a point that most people miss. Please learn how PGP works before explaining it to others.

dragon is absolutely correct.

You didn't actually provide proof of ownership of the public key.

Everything else you just said isn't proof of ownership.

No, you and dragonvslinux are both incorrect. (And dragonvslinuxs prior post also conflated the term public key with private key.)

Plonis PGP userid is strong cryptographic evidence that the owner of the key claims ownership of the forum identity. It is indeed how PGP works.

I myself have been critical of some of the security-theatre rituals on this thread; I have intended to speak up more about that. I especially dislike the claims by users to have verified other users signed statements. That is worse than meaningless: It is outright damaging, insofar as it inculcates in users a tendency to trust Gavin-style verification. Everybody should independently verify all the signatures that they care about! The custom here of inventing ad hoc half-baked substitutes for the functionality of OpenPGP standard features does not help, either. And it certainly does not help to deny that OpenPGP self-signatures do what they actually do.

Although traditionally, the self-signature on a userid is used for strong cryptographic evidence that the possessor of a private key claims ownership of an e-mail address, the same concept properly applies to any identifier. This is proof that the owner of the key claims the other identifier, not vice versa. Unfortunately, by the nature of such things, there is no elegant cryptographic means for the owner of a non-cryptographic identifier (such as an e-mail address or forum uid) to claim ownership of the key. The WKS proposal tests an e-mail account holders ability to decrypt a message encrypted to a key, then trusts the server to publish the correct key through WKD (with trust partly based on the pessimistic assumption that the owner of an Internet domain can always play monkey-games with mailboxes at that domain, anyway). I think that a users posting of a key through his forum account is the best that can be reasonably done here, for attesting that the account claims the key.

If, in the future, the user wishes to demonstrate that the person controlling the account continues to be the person possessing the PGP private key, a signed statement would be helpful. This is a related, but distinct use case for PGP. He could also bump the timestamp on the pertinent PGP userids self-signature; but that would require modifying his key, it would be difficult for most users to verify, and it would invoke a long theoretical discussion of exactly what it does and does not prove. For that purpose, I think that the best practical way with readily available software would be a signed statement containing current-events information, such as a quote of a recent forum post by somebody elseor better, the most recent few Bitcoin block hashes. This would provide evidence of the freshness of the statement.

No special action is required to verify the self-signature on a PGP userid, because gpg or any other reasonable OpenPGP software will refuse to accept the userid if the self-signature didnt verify. The signature is required.

(N.b. in this context that reasonable OpenPGP software excludes traditional keyservers, which verify nothing at all. You are supposed to verify these things with your own software, not trust the server (or a forum user) to do it for you.)

I just empirically tested what gpg with its default settings actually does when the signature is broken. I created a copy of Plonis key, with exactly one bit flipped in the signature on his forum uid:

Code:

$ gpg --export -o ploni.bin ploni
cp -p ploni.bin ploni_broken.bin
[...use a hex editor to flip one bit inside the self-sig in question...]
$ cmp -l ploni.bin ploni_broken.bin
503 161 121

gpg automatically drops the userid with the broken signature; it emits a warning, but exits with a success code:

Code:

$ mkdir -m0700 /tmp/gpgtest
$ gpg --homedir /tmp/gpgtest --import ploni_broken.bin ; echo "gpg: exit code $?"
gpg: keybox '/tmp/gpgtest/pubring.kbx' created
gpg: key D50ED7B480AC5F96: 1 bad signature
gpg: /tmp/gpgtest/trustdb.gpg: trustdb created
gpg: key D50ED7B480AC5F96: public key "Ploni Almoni (הוי האמרים לרע טוב, ולטוב רע: שמים חשך לאור ואור לחשך, שמים מר למתוק ומתוק למר.)" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: exit code 0
$ gpg --homedir /tmp/gpgtest -k
/tmp/gpgtest/pubring.kbx
------------------------
pub ed25519 2020-03-10 [C]
C79DD6973572969A0C2CFC9BD50ED7B480AC5F96
uid [ unknown] Ploni Almoni (הוי האמרים לרע טוב, ולטוב רע: שמים חשך לאור ואור לחשך, שמים מר למתוק ומתוק למר.)
uid [ unknown] bc1qaux6ajvglvm3y3cxvtu0gc2es6fx6wlcheqgjq
uid [ unknown] zs15m7tjrxelc6tmnsamt5lmymh48c95g4rtylx36xpjyn6t4wffue56kwflar7qvp4sc3vy3ladtl
sub ed25519 2020-03-10 [S]
sub cv25519 2020-03-10 [E]

Note the lack of any claim to a Bitcoin Forum userid.

Thus, if you see the bitcointalk.org u=2778290 imported to your gpg keyring, you may rest assured that gpg has already verified a signature on that statement by the holder of the primary key. Other user-facing OpenPGP software should behave as strictly, or moreso; if your preferred OpenPGP implementation accepts the userid with the broken signature, then you should file a bug report!

Now, how does this actually work? Read RFC 4880 to understand what all this means:

Code:

$ gpg -v -v < ploni.asc 2>&1 | less
[...interesting stuff...]
# off=354 ctb=b4 tag=13 hlen=2 plen=25
:user ID packet: "bitcointalk.org u=2778290"
# off=381 ctb=88 tag=2 hlen=2 plen=142
:signature packet: algo 22, keyid D50ED7B480AC5F96
version 4, created 1583879873, md5len 0, sigclass 0x13
digest algo 10, begin of digest c0 e3
hashed subpkt 33 len 21 (issuer fpr v4 C79DD6973572969A0C2CFC9BD50ED7B480AC5F96)
hashed subpkt 2 len 4 (sig created 2020-03-10)
[...more interesting stuff...]

His key is a work of art. The primary key, all subkeys, and all self-signatures have a timestamp of the exact second when his forum account was created. He uses a primary key split from subkeys, which can support good security practices (protip: generate and store the primary key on an airgap machine, `man gpg` and look for `--export-secret-subkeys`). I also noticed that he copied my unusual cipher preferences. LOL. I exercised the same attention to detail when I made my own Faketoshi key. Anyway, I think its clear that Ploni has a deep understanding of OpenPGP internals.