Message-ID: <ME2PR01MB36500CA1987170A857BCF637EEB9A@ME2PR01MB3650.ausprd01.prod.outlook.com>
Date: Sun, 4 Jan 2026 11:56:06 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: Demi Marie Obenour <demiobenour@...il.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, Collin Funk <collin.funk1@...il.com>
CC: "kf503bla@...k.com" <kf503bla@...k.com>
Subject: Re: Re: Best practices for signature verifcation

Demi Marie Obenour writes:

>My understanding is that most people here are looking for purpose-built
>formats, rather than specializations of general-purpose formats. For
>instance, here is something based on OpenSSH signatures as a building block.

You're still missing the point: The exact bit-bagging scheme used is irrelevant, firstly because we already have a universally-deployed one (OpenPGP and its tooling via GPG) and secondly because it's something that any vaguely competent cryptoplumber should be able to throw together in under a minute and, as long as it doesn't involve XML, in which case you may as well pre-register the CVEs before you start, it should be fine.

What we don't have is all the stuff needed to address the "keys and signatures fall from the sky and the timestamping fairy blesses them" issue. We've got, for example, the Debian CA-root-equivalent keyring, but how are the resulting signatures timestamped? How are the TSA keys distributed? How is a signature on malware revoked once it's been timestamped? What happens if the signing key is revoked due to compromise but after it's been countersigned by a TSA (this is different to revoking a signature on malware)? etc.

That would in fact be one argument for going with CMS, you can use any off-the-shelf TSA whereas doing it with OpenPGP would require an org like the Linux Foundation to run a PGP TSA, but I get the feeling the GPL-or-death subgroup won't agree to the use of CMS.

As an aside, is anyone aware of a single-source design document for what Authenticode does? There's a million web pages related to the business of selling signing certs, and less than a million on using it, but I can't find a single-source design doc, just lots of stuff in various places that I've picked up over the years. By "single-source doc" I mean something that addresses all of the above issues and related ones in one place.

Peter.