comment and version fields.
Robert J. Hansen
rjh at sixdemonbag.org
Sun Apr 1 22:05:37 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
> fields. I suppose it's futile to try to change a standard but it
> seems that it might be very damaging indeed to have a signed
> message altered after signing. That seems to defeat the reason for
> signing as the common person would assume that a signed message is
> protected entirely against unauthorised changes.
The signed message _is_ protected entirely against unauthorized
changes. Or, rather, as close to "entirely" as you can get with our
current level of cryptography.
The signature block is just a private-key encryption of the digest of
the message, plus a few additional bits of information of use to
OpenPGP. That private-key encryption of the digest of the message is
the signature. Everything else is, to some degree, irrelevant, with
some things being more irrelevant than others.
If you alter a comment field, you're not altering either the original
message or the private-key encryption of the digest of the message.
So what's the complaint? How is this tampering with the signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
-----END PGP SIGNATURE-----
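An added example (not from the thread or from GnuPG) that makes the point concrete: it pulls the signed text out of a cleartext-signed message, canonicalizes it the way RFC 4880 section 7.1 requires before hashing, and shows that editing the Version or Comment armor header leaves the digest unchanged while editing the message text changes it. The sample message and its signature data are constructed placeholders; the real signature hash also covers the signature packet's hashed subpackets, which this omits.

```python
import hashlib

# Constructed sample; the signature body is a placeholder, not real signature data.
SIGNED = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "Pay the invoice by Friday.  \t",   # trailing spaces/tab: not part of what is hashed
    "- -- dash-escaped by the signer",  # leading "- " is armor escaping, removed before hashing
    "-----BEGIN PGP SIGNATURE-----",
    "Version: GnuPG v1.4.7 (Darwin)",   # armor header: never enters the hash
    "Comment: original comment",        # armor header: never enters the hash
    "",
    "PLACEHOLDER-SIGNATURE-DATA",       # constructed placeholder, no real packet
    "-----END PGP SIGNATURE-----",
    "",
])


def signed_text(armored: str) -> str:
    """Return the cleartext between the 'Hash:' headers and the signature armor."""
    begin = armored.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = armored.index("-----BEGIN PGP SIGNATURE-----")
    block = armored[begin:end]
    body = block.split("\n\n", 1)[1]          # skip the armor headers
    # RFC 4880 7.1: the line ending just before the signature armor is not signed text.
    return body[:-1] if body.endswith("\n") else body


def canonical_text(text: str) -> str:
    """Canonical form that is hashed: dash-escapes removed, trailing spaces and
    tabs stripped per line, CRLF line endings, no line ending after the last line."""
    lines = []
    for line in text.split("\n"):
        if line.startswith("- "):
            line = line[2:]
        lines.append(line.rstrip(" \t"))
    return "\r\n".join(lines)


def message_digest(armored: str, algo: str = "sha256") -> str:
    """Digest of the signed text only (the part a Comment/Version edit cannot touch)."""
    canon = canonical_text(signed_text(armored)).encode("utf-8")
    return hashlib.new(algo, canon).hexdigest()


if __name__ == "__main__":
    retagged = SIGNED.replace("Comment: original comment", "Comment: edited in transit")
    print(message_digest(SIGNED) == message_digest(retagged))   # True: armor header is unsigned
    edited = SIGNED.replace("Friday", "Monday")
    print(message_digest(SIGNED) == message_digest(edited))     # False: message text is signed
```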