Bug#985907: rnp: accepts weak cryptographic primitives

2022-03-28 Thread Daniel Kahn Gillmor
Control: close 985907 0.16.0-1

On Thu 2021-03-25 13:39:00 -0400, Daniel Kahn Gillmor wrote:
> rnp currently accepts signatures over weak or untrustworthy
> cryptographic primitives.

As of 0.16.0, rnp introduces the following relevant safeguards (from
upstream's CHANGELOG.md):

* Mark SHA1 signatures produced later than 2019-01-19, as invalid.
* Mark MD5 signatures produced later than 2012-01-01, as invalid.
* Use SHA1 collision detection code when using SHA1.

While we might debate whether these are the best possible defaults, it's
no longer completely insecure by default.

In addition, rnp now has the following APIs which can adjust the
underlying acceptable security primitives:

rnp_get_security_rule
rnp_add_security_rule
rnp_remove_security_rule

So it's possible to adjust the acceptable security levels directly if
the user wants to nudge the defaults.

I'm not convinced this is the ideal interface, but it should be at least
usable.

   --dkg



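The cut-off-date rules quoted above, as an added worked example that is not part of this thread and not rnp's own code: a self-contained C model of a time-bounded hash-algorithm policy with add, remove and lookup operations in the spirit of the rnp_get_security_rule / rnp_add_security_rule / rnp_remove_security_rule calls named above. Every identifier in it (sec_policy, policy_add_rule, policy_remove_rule, policy_get_level, signature_acceptable, the SEC_* levels) is this example's own, and it deliberately drops the extra parameters the real FFI takes; only the two cut-off dates come from the changelog lines quoted above. The signature metadata fed to it in main() is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a time-bounded hash-algorithm policy.  Names and
 * structure are this example's own, not rnp's FFI. */

enum sec_level {
    SEC_INSECURE = 0,   /* algorithm must not be trusted for this use */
    SEC_DEFAULT  = 1    /* algorithm is acceptable */
};

struct sec_rule {
    const char     *alg;    /* hash algorithm name, e.g. "SHA1" */
    uint64_t        from;   /* Unix time from which the rule applies (inclusive) */
    enum sec_level  level;
};

#define MAX_RULES 16

struct sec_policy {
    struct sec_rule rules[MAX_RULES];
    size_t          count;
};

/* Cut-off dates from the rnp 0.16.0 changelog, as 00:00:00 UTC Unix times. */
#define MD5_CUTOFF  1325376000ULL   /* 2012-01-01 */
#define SHA1_CUTOFF 1547856000ULL   /* 2019-01-19 */

/* Append a rule; returns 0 on success, -1 when the table is full. */
int policy_add_rule(struct sec_policy *p, const char *alg, uint64_t from, enum sec_level level)
{
    if (p->count >= MAX_RULES)
        return -1;
    p->rules[p->count].alg = alg;
    p->rules[p->count].from = from;
    p->rules[p->count].level = level;
    p->count++;
    return 0;
}

/* Remove every rule for `alg` starting exactly at `from`; returns how many were removed. */
size_t policy_remove_rule(struct sec_policy *p, const char *alg, uint64_t from)
{
    size_t removed = 0, kept = 0;
    for (size_t i = 0; i < p->count; i++) {
        if (strcmp(p->rules[i].alg, alg) == 0 && p->rules[i].from == from) {
            removed++;
            continue;
        }
        p->rules[kept++] = p->rules[i];
    }
    p->count = kept;
    return removed;
}

/* Level in force for `alg` at time `when`: the rule with the latest `from` not
 * after `when` wins (later-added rules win ties).  With no matching rule the
 * algorithm is acceptable, which is what "accept everything" looked like before 0.16.0. */
enum sec_level policy_get_level(const struct sec_policy *p, const char *alg, uint64_t when)
{
    enum sec_level level = SEC_DEFAULT;
    uint64_t best_from = 0;
    for (size_t i = 0; i < p->count; i++) {
        const struct sec_rule *r = &p->rules[i];
        if (strcmp(r->alg, alg) != 0 || r->from > when)
            continue;
        if (r->from >= best_from) {
            best_from = r->from;
            level = r->level;
        }
    }
    return level;
}

/* Default rules mirroring the two changelog entries quoted above. */
void policy_init_defaults(struct sec_policy *p)
{
    p->count = 0;
    policy_add_rule(p, "MD5", MD5_CUTOFF, SEC_INSECURE);
    policy_add_rule(p, "SHA1", SHA1_CUTOFF, SEC_INSECURE);
}

/* 1 if a signature made with `alg` at `created` passes the policy, 0 if it must be rejected. */
int signature_acceptable(const struct sec_policy *p, const char *alg, uint64_t created)
{
    return policy_get_level(p, alg, created) != SEC_INSECURE;
}

int main(void)
{
    struct sec_policy p;
    policy_init_defaults(&p);
    /* Constructed signature metadata: (hash algorithm, creation time). */
    const char *algs[]  = { "SHA1", "SHA1", "MD5", "SHA256" };
    uint64_t    times[] = { 1500000000ULL, 1600000000ULL, 1400000000ULL, 1600000000ULL };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s @ %llu -> %s\n", algs[i], (unsigned long long)times[i],
               signature_acceptable(&p, algs[i], times[i]) ? "accepted" : "rejected");
    return 0;
}
```

The point of the lookup rule ("latest `from` not after the signature time wins") is that a user can both tighten the defaults, by adding a rule for MD5 starting at time 0, and relax them, by removing the SHA1 cut-off, without touching the table's other entries; that is the "nudge the defaults" use the message above describes. Compile with any C99 compiler, e.g. `cc -std=c99 -Wall policy.c`.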

Bug#985907: rnp: accepts weak cryptographic primitives

2021-03-25 Thread Daniel Kahn Gillmor
Package: src:rnp
Version: 0.14.0-6
Control: forwarded -1 https://github.com/rnpgp/rnp/issues/1281

rnp currently accepts signatures over weak or untrustworthy
cryptographic primitives.

At the moment, there is no API for adjusting which mechanisms are
acceptable, and all implemented algorithms are accepted, including (for
example) signatures from very small RSA keys, or made over known-broken
digests like MD5.

This is probably not a responsible way to ship the library. Maybe we
want to follow thunderbird's approach of baking in a more strict policy
via patches until upstream offers an API that lets the library user
select their desired policy.

   --dkg

