randux at
Mon Apr 2 11:36:40 CEST 2007

From: Sven Radde
Date: Mon, 02 Apr 2007 10:19:25 +0200
> Hi!
> randux at wrote:
> > The "comment" and "version" armor fields are both essentially
> > comments, and are ignored by the OpenPGP protocol. You can change
> > either of them to whatever you like.
> >
> > ... That seems to defeat the reason for signing 
> > as the common person would assume that a signed message
> > is protected entirely against unauthorised changes.
> I agree with randux here. The Comment is within the "---PGP
> SIGNATURE---" part and I, too, was not aware that it is not protected by
> anything. (Do the docs mention this, btw?)
> It might be a possible way for a social engineering attack, if comments
> like the following were inserted:
> "Comment: NOTE: I will retire my current key soon!"
> "Comment: Obtain my new key from"
> "Comment: Fingerprint of new key: [...]"
> It may not be a big risk, but I doubt that the general user-base is
> aware of the fact that comments are not signed parts of the message.
> I would suggest to at least update the documentation :-)
> cu, Sven

This is a good point I hadn't even considered. I only thought about the opportunity for an attacker to insert whatever text he chose to make it look like it came from the sender.

For example:

Hash: SHA1

To Her Majesty The Queen,

Thanks very much indeed for the lovely dinner you made for our staff. It was vital that we were able to
receive assistance on 

(insert matter of diplomatic importance)

Your Obedient Servant,
The Prime Minister

Comment: Your chef is a bloody menace! The entire staff spent the remainder of 
Comment: the evening in the loo and nothing at all was accomplished the following
Comment: day. If you plan another event such as that you would do well to
Comment: consider not inviting us at all!
Comment: pm at
Comment: p.s. it's too late for apologies!

ljhl sjilu745pfo98h09j7ofj876ljhl sjilu745pfo98h09j7ofj876ljhl sjilu745pfo98h09j7ofj876
876ljhl sjilu745pfo98h09j7ofj8876ljhl sjilu745pfo98h09j7ofj8876ljhl sjilu745pfo98h09j7o
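The layout above is the RFC 4880 cleartext-signature format, and the point of the thread is that only the text between the "Hash:" block and the BEGIN PGP SIGNATURE line is hashed. As an added illustration (my own code, not from this thread or from GnuPG), here is a small parser that separates the signed text from the armor headers inside the signature block, so a client could display Comment: lines as unsigned; the sample message and its signature body are constructed placeholders.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (signed_lines, armor_headers, signature_body) for an RFC 4880
    cleartext signature. Only signed_lines feed the signature hash; the
    Comment:/Version: armor headers inside the SIGNATURE block do not."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG)
    except ValueError:
        raise ValueError("not a cleartext-signed message") from None
    i = start + 1                        # skip the Hash: header(s) ...
    while i < sig_start and lines[i].strip():
        i += 1                           # ... up to the blank line ending them
    # Signed text: undo dash-escaping ("- " prefix), drop trailing whitespace.
    signed = [re.sub(r"^- ", "", ln).rstrip() for ln in lines[i + 1:sig_start]]
    headers, j = [], sig_start + 1       # armor headers end at the first blank line
    while j < sig_end and lines[j].strip():
        key, _, value = lines[j].partition(": ")
        headers.append((key, value))
        j += 1
    return signed, headers, lines[j + 1:sig_end]

def hashed_input(text):
    """Canonical bytes the signer hashed: CRLF line endings, no line ending
    after the last signed line (RFC 4880 section 7.1)."""
    return "\r\n".join(split_clearsigned(text)[0]).encode("utf-8")

def unsigned_comments(text):
    """Comment: header values, i.e. text that looks like part of the message
    but is not covered by the signature; a client could flag these."""
    return [v for k, v in split_clearsigned(text)[1] if k.lower() == "comment"]

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = "\n".join([
    BEGIN_SIGNED, "Hash: SHA1", "",
    "Thanks very much indeed for the lovely dinner.",
    "- -- The Prime Minister",
    BEGIN_SIG, "Version: ExampleTool 1.0",
    "Comment: Your chef is a bloody menace!",
    "", "iQEcBAEBAgAGBQJ(placeholder)", "=AbCd", END_SIG,
])
```

Changing the Comment: line leaves hashed_input() unchanged, which is exactly why a verifier cannot notice such an edit.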