comment and version fields.

randux at Safe-mail.net
Mon Apr 2 11:36:40 CEST 2007


From: Sven Radde <sven at radde.name>
Date: Mon, 02 Apr 2007 10:19:25 +0200
> Hi!
> 
> randux at Safe-mail.net wrote:
> > The "comment" and "version" armor fields are both essentially
> > comments, and are ignored by the OpenPGP protocol. You can change
> > either of them to whatever you like.
> >
> > ... That seems to defeat the reason for signing 
> > as the common person would assume that a signed message
> > is protected entirely against unauthorised changes.
> 
> I agree with randux here. The Comment is within the "---PGP
> SIGNATURE---" part and I, too, was not aware that it is not protected by
> anything. (Do the docs mention this, btw?)
> 
> It might be a possible way for a social engineering attack, if comments
> like the following were inserted:
> "Comment: NOTE: I will retire my current key soon!"
> "Comment: Obtain my new key from http://evil.impersonator.net/sven.asc"
> "Comment: Fingerprint of new key: [...]"
> 
> It may not be a big risk, but I doubt that the general user-base is
> aware of the fact that comments are not signed parts of the message.
> I would suggest to at least update the documentation :-)
> 
> cu, Sven

This is a good point I hadn't even considered. I only thought about the opportunity for an attacker to insert whatever text he chose to make it look like it came from the sender.

For example

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To Her Majesty The Queen,

Thanks very much indeed for the lovely dinner you made for our staff. It was vital that we were able to
receive assistance on 

(insert matter of diplomatic importance)

Your Obedient Servant,
The Prime Minister

-----BEGIN PGP SIGNATURE-----
Comment: Your chef is a bloody menace! The entire staff spent the remainder of 
Comment: the evening in the loo and nothing at all was accomplished the following
Comment: day. If you plan another event such as that you would do well to
Comment: consider not inviting us at all!
Comment: pm at houseoflords.com
Comment: p.s. it's too late for apologies!

ljhl sjilu745pfo98h09j7ofj876ljhl sjilu745pfo98h09j7ofj876ljhl sjilu745pfo98h09j7ofj876
yfot874267fo8fnv98y070760870n7b87yfot874267fo8fnv98y070760870n7b87yfot87426
876ljhl sjilu745pfo98h09j7ofj8876ljhl sjilu745pfo98h09j7ofj8876ljhl sjilu745pfo98h09j7o

-----END PGP SIGNATURE-----
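To make concrete which bytes of a clearsigned message the signature actually covers, here is a small Python parser, added as an example and not part of the original post or of GnuPG. It splits a cleartext-signed message the way RFC 4880 section 7 describes: the text between the "Hash:" header block and the "-----BEGIN PGP SIGNATURE-----" line is canonicalised (dash-escape removed, trailing blanks stripped, CRLF line endings) and is what gets hashed; the armor headers of the signature block ("Version:", "Comment:") and the base64 body are outside that text. The sample message and its signature body are constructed placeholders, not a real signature, so the script shows what changes and what does not when the Comment lines are rewritten in transit; it does not perform cryptographic verification.

```python
"""Split an OpenPGP cleartext-signed message into the bytes the signature
covers and the parts it does not (RFC 4880 section 7).  Added example; the
SAMPLE message below is constructed and its base64 body is a placeholder,
not a real signature."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample.  The dash-escaped line carries two trailing blanks on
# purpose, to show that trailing whitespace is not part of the signed text.
SAMPLE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA1",
    "",
    "To Her Majesty The Queen,",
    "",
    "Thanks very much indeed for the lovely dinner.",
    "- -- a dash-escaped line with trailing blanks  ",
    "Your Obedient Servant,",
    "The Prime Minister",
    "",
    BEGIN_SIG,
    "Version: Example v0.0 (constructed)",
    "Comment: an armor header the signature does not cover",
    "",
    "iQEcBAEBAgAGBQJHEXAMPLEPLACEHOLDER",   # placeholder, not a real signature
    "=AbCd",                                # placeholder CRC line
    END_SIG,
]) + "\n"


def parse_clearsigned(message: str) -> dict:
    """Return the Hash: algorithms, the canonical signed text (as a verifier
    hashes it), the signature block's armor headers, and the base64 body."""
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a cleartext-signed message") from exc

    # "Hash:" headers sit between the BEGIN SIGNED line and the first blank line.
    hash_algos = []
    i = start + 1
    while lines[i] != "":
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hash_algos += [h.strip() for h in value.split(",")]
        i += 1

    # Signed text: dash-escape ("- " prefix) removed, trailing blanks stripped,
    # CRLF line endings; the line ending just before BEGIN SIGNATURE is not
    # part of the signed text, which is why the join adds no final CRLF.
    canon = []
    for line in lines[i + 1:sig_start]:
        if line.startswith("- "):
            line = line[2:]
        canon.append(line.rstrip(" \t"))
    signed_text = "\r\n".join(canon).encode("utf-8")

    # Armor headers of the signature block (Version:, Comment:, ...) run up to
    # the blank line.  Nothing here is covered by the signature.
    armor_headers = []
    j = sig_start + 1
    while lines[j] != "":
        key, _, value = lines[j].partition(":")
        armor_headers.append((key.strip(), value.strip()))
        j += 1

    # Base64 body; an optional "=XXXX" CRC line is left out.
    sig_b64 = "".join(l for l in lines[j + 1:sig_end] if not l.startswith("="))
    return {
        "hash_algos": hash_algos,
        "signed_text": signed_text,
        "armor_headers": armor_headers,
        "sig_b64": sig_b64,
    }


def replace_armor_headers(message: str, new_headers: list) -> str:
    """Rewrite the armor headers of the signature block.  This is exactly the
    edit an attacker in transit can make: it touches nothing the signature
    covers, so the message still verifies."""
    lines = message.splitlines()
    sig_start = lines.index(BEGIN_SIG)
    j = sig_start + 1
    while lines[j] != "":
        j += 1
    injected = [f"{key}: {value}" for key, value in new_headers]
    return "\n".join(lines[:sig_start + 1] + injected + lines[j:]) + "\n"


def demo():
    """Parse the sample before and after an attacker rewrites the Comment lines."""
    original = parse_clearsigned(SAMPLE)
    tampered_message = replace_armor_headers(SAMPLE, [
        ("Comment", "NOTE: I will retire my current key soon!"),
        ("Comment", "Obtain my new key from http://evil.impersonator.net/sven.asc"),
    ])
    tampered = parse_clearsigned(tampered_message)
    return original, tampered


if __name__ == "__main__":
    before, after = demo()
    print("signed text unchanged:", before["signed_text"] == after["signed_text"])
    print("signature body unchanged:", before["sig_b64"] == after["sig_b64"])
    print("armor headers now:", after["armor_headers"])
```

The two comparisons printed at the end are the whole point: the canonical signed text and the signature body are byte-identical before and after the Comment lines are replaced, so a verifier has no way to notice the injected text. Anything you want protected has to go inside the signed body, and a reader should treat armor headers as unsigned metadata.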



More information about the Gnupg-users mailing list