Anderson's attack?

Matthias Bruestle mlist at
Wed Feb 6 22:58:01 CET 2002


On Wed, Feb 06, 2002 at 01:10:32PM -0500, Ben Pearre wrote:
> Has this been addressed in GnuPG?

I don't think this is the correct location to fix this. GnuPG does sign
the message. That's it. To understand this, you can look at how it is done
in the paper world, where the same attack is possible. The way to prevent
it here is not to encode the recipient of a letter in your own signature,
but to write it onto the letter. So the correct place to fix this would
be IMO e.g. the MUA (mutt, etc.). This can include some header lines
before signing. Or if you write a contract with some editor, you write
the parties yourself into it.

endergone Zwiebeltuete
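
Added example (not part of the original post, and not GnuPG or mutt code): a sketch of the MUA-level fix described above, where header lines are copied into the text before signing and the reader checks that the signed To line names them. HMAC-SHA256 with a constructed key stands in for the OpenPGP signature so the block runs offline; the function names, the protected header set and the sample message are assumptions.

```python
import hashlib
import hmac
from email.utils import getaddresses

# Constructed stand-in for the sender's signing key. HMAC-SHA256 replaces the
# OpenPGP signature only so this runs offline; the point is what gets signed.
DEMO_KEY = b"constructed-demo-key"
PROTECTED = ("From", "To", "Date", "Subject")  # assumed set of headers to bind


def build_signed_payload(headers: dict, body: str) -> bytes:
    """Copy the protected headers into the text that will be signed."""
    lines = [f"{name}: {headers[name]}" for name in PROTECTED if name in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("utf-8")


def sign(payload: bytes) -> str:
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()


def signed_recipients(payload: bytes) -> set:
    """Addresses named in the To line that sits inside the signed text."""
    head = payload.decode("utf-8").split("\r\n\r\n", 1)[0]
    to_values = [line.split(":", 1)[1] for line in head.split("\r\n")
                 if line.lower().startswith("to:")]
    return {addr.lower() for _, addr in getaddresses(to_values) if addr}


def check_message(payload: bytes, signature: str, my_address: str) -> str:
    """Verify the signature, then verify the signer addressed this reader."""
    if not hmac.compare_digest(sign(payload), signature):
        return "bad-signature"
    if my_address.lower() not in signed_recipients(payload):
        return "valid-but-not-addressed-to-me"
    return "ok"


# Constructed sample message.
HEADERS = {"From": "alice@example.org", "To": "Bob <bob@example.org>",
           "Date": "Wed, 06 Feb 2002 22:58:01 +0100", "Subject": "Offer"}
PAYLOAD = build_signed_payload(HEADERS, "I accept your offer.\r\n")
SIGNATURE = sign(PAYLOAD)

if __name__ == "__main__":
    print(check_message(PAYLOAD, SIGNATURE, "bob@example.org"))      # intended reader
    print(check_message(PAYLOAD, SIGNATURE, "charlie@example.org"))  # passed-on copy
```

A signature over the body alone would verify identically for both readers; with the To line inside the signed text, the second reader sees a valid signature that names someone else.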
