GPG PGP S/Mime vulnerability

Guy Van Sanden
Fri Aug 3 12:52:01 2001

I've read through Don Davis' whitepaper about the disadvanteges of the=20=

current sign (and encrypt) features in all common standards to do so.

His basic reasoning (and I've tried it, it works!) is:
I send a signed message to someone stating "you're fired".  He gets=20
angry and decides to get even with another collegue...
Using SMPT he puts my address in the from header, then pastes the=20
entire source of my signed message to him in the body (including the=20=

signatures), and sends it of to someone else...

That last person opens a message, which he thinks comes from me, and=20=

trusts the contents because the signature is verified!

More info is over here:

Kind regards