On 1/2/26 10:23, Peter Gutmann wrote:
> Simon Josefsson writes:
>
>> I don't think CMS/PKCS#7 offers anything compelling that PGP doesn't, and the
>> complexity is horrible (just think ASN1).
>
> That's a persistent myth dating back to 35-40 years ago when someone who
> didn't understand ASN.1 very well tried to hand-code a parser for it, did a
> not-very-good job, and said "gosh, this is so much harder than using XDR!".
> Since everyone today will be using either an ASN.1 compiler or an ASN.1
> library, or more practically something that does CMS for you, it's pretty much
> irrelevant.
Are you concerned about the attack surface of these libraries? OpenSSL has a
substantial history of vulnerabilities. One of the goals of OpenSSH signatures
is to be easy to correctly implement, even in languages like C.

I'd be interested in what ASN.1 compilers and libraries you recommend,
especially ones that support BER instead of only DER. I actually tried writing
one myself and it's not easy, though definitely not impossible. I chose C both
because of the challenge and because I wanted this to be usable in places where
Rust is not an option.

For CMS, do you have any recommendations that have good security records and
are permissively licensed?

> However, my suggestion was to use the Authenticode model for code signing
> (which MS put a lot of thought into and which has had decades of real-world
> testing by billions of users) but the OpenPGP data format. Everyone and
> everything already expects OpenPGP signatures, they're just applied really
> badly (think KEYEXPIRED). OpenPGP no doubt contains something usable for
> timestamping since it also contains almost everything else on earth... let's
> see:
>
> 5.2.1.14. Timestamp Signature (Type ID 0x40)
>
> This signature is only meaningful for the timestamp contained in it.
>
> "This notice is placed here to fulfil the statutory requirement that a notice
> be placed here". So the building blocks are there, you'd just need to define
> semantics for them.
>
> Peter.

My understanding is that most people here are looking for purpose-built
formats, rather than specializations of general-purpose formats. For instance,
here is something based on OpenSSH signatures as a building block. It is much
simpler than the Authenticode model while fulfilling all of its requirements
that I am aware of. To the best of my knowledge, it also fulfills the
requirements for Advanced Electronic Signatures, except for being standardized.
The only exception to both is that OpenSSH certificates currently cannot be
chained.

    uint32 version
    uint64 timestamp
    string signature
    string certificate

The signature is over the file itself. This is followed by zero or more
timestamps, each of which has the following format:

    uint64 timestamp
    string signature
    string certificate

Here the signatures are taken over all of the data before them.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
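The layout sketched in the message above, worked through as an added example that is not code from the message, from OpenSSH, or from any project: a bounds-checked encoder and parser for the header plus chained timestamp entries, using the SSH wire types the format borrows (big-endian uint32/uint64, string = uint32 length prefix followed by the bytes). Assumptions not stated in the message: the version value is 1; "all of the data before them" is read as every byte preceding an entry's signature field, including that entry's own timestamp; an HMAC placeholder stands in for the OpenSSH signature blob so the example verifies offline; and certificates are opaque labels looked up in a table rather than parsed and validated.

```python
"""Encode, parse and verify the chained-timestamp layout from the message.

Wire primitives follow the SSH conventions the format borrows (RFC 4251):
uint32/uint64 big-endian, string = uint32 length prefix + bytes.
"""
import hashlib
import hmac
import struct

VERSION = 1  # assumed value; the message does not fix a version number


def put_uint32(n: int) -> bytes:
    return struct.pack(">I", n)


def put_uint64(n: int) -> bytes:
    return struct.pack(">Q", n)


def put_string(b: bytes) -> bytes:
    return put_uint32(len(b)) + b


class Reader:
    """Bounds-checked cursor over a blob; every read fails closed on short input."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        if n > len(self.data) - self.pos:  # declared length vs. bytes actually present
            raise ValueError("truncated input at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def uint64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.uint32())

    def done(self) -> bool:
        return self.pos == len(self.data)


# Constructed placeholder for the OpenSSH signature primitive: a real deployment
# would carry an OpenSSH signature blob here; HMAC keyed by a per-signer secret is
# used only so that the example can be verified offline.
def placeholder_sign(signer_key: bytes, message: bytes) -> bytes:
    return hmac.new(signer_key, message, hashlib.sha256).digest()


def placeholder_verify(signer_key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(placeholder_sign(signer_key, message), sig)


def sign_file(file_data: bytes, timestamp: int, signer_key: bytes, certificate: bytes) -> bytes:
    """Header: version, timestamp, signature over the file itself, certificate."""
    sig = placeholder_sign(signer_key, file_data)
    return put_uint32(VERSION) + put_uint64(timestamp) + put_string(sig) + put_string(certificate)


def add_timestamp(blob: bytes, timestamp: int, tsa_key: bytes, tsa_certificate: bytes) -> bytes:
    """Append one entry whose signature covers everything before it (assumed reading:
    header, earlier entries and this entry's own timestamp)."""
    covered = blob + put_uint64(timestamp)
    return covered + put_string(placeholder_sign(tsa_key, covered)) + put_string(tsa_certificate)


def parse(blob: bytes):
    """Return (header, entries); each entry records the exact bytes its signature covers."""
    r = Reader(blob)
    version = r.uint32()
    if version != VERSION:
        raise ValueError("unsupported version %d" % version)
    header = {"timestamp": r.uint64(), "signature": r.string(), "certificate": r.string()}
    entries = []
    while not r.done():
        ts = r.uint64()
        covered_end = r.pos  # the signature that follows covers blob[:covered_end]
        entries.append({"timestamp": ts, "signature": r.string(),
                        "certificate": r.string(), "covered": blob[:covered_end]})
    return header, entries


def verify(blob: bytes, file_data: bytes, key_for_certificate: dict) -> bool:
    """key_for_certificate maps an (opaque, constructed) certificate label to its key."""
    header, entries = parse(blob)
    key = key_for_certificate.get(header["certificate"])
    if key is None or not placeholder_verify(key, file_data, header["signature"]):
        return False
    for e in entries:
        key = key_for_certificate.get(e["certificate"])
        if key is None or not placeholder_verify(key, e["covered"], e["signature"]):
            return False
    return True


def parse_rejects(blob: bytes) -> bool:
    """True if the parser fails closed on this blob (truncation, bad length, bad version)."""
    try:
        parse(blob)
    except ValueError:
        return True
    return False


def demo():
    file_data = b"constructed file contents"  # constructed sample input
    keys = {b"cert:signer": b"signer-secret", b"cert:tsa1": b"tsa1-secret", b"cert:tsa2": b"tsa2-secret"}
    header = sign_file(file_data, 1700000000, keys[b"cert:signer"], b"cert:signer")
    blob = add_timestamp(header, 1700000100, keys[b"cert:tsa1"], b"cert:tsa1")
    blob = add_timestamp(blob, 1700000200, keys[b"cert:tsa2"], b"cert:tsa2")
    # Flip one byte of the first entry's timestamp: both timestamp signatures now cover changed data.
    tampered = bytearray(blob)
    tampered[len(header) + 7] ^= 1
    return verify(blob, file_data, keys), verify(bytes(tampered), file_data, keys), len(parse(blob)[1])


if __name__ == "__main__":
    print(demo())
```

Because each entry's signature covers the whole prefix, a later timestamp cannot be verified without the earlier ones being intact, which is the property that makes the chain useful for re-timestamping before an earlier certificate expires; the parser's single remaining-bytes check in `_take` is what keeps a hostile length field from reading past the buffer.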