comment and version fields.

randux at Safe-mail.net randux at Safe-mail.net
Mon Apr 2 11:40:18 CEST 2007 

-------- Original Message --------
From: "Robert J. Hansen" <rjh at sixdemonbag.org>
Cc: GnuPG users <gnupg-users at gnupg.org>
Subject: Re: comment and version fields.
Date: Sun, 1 Apr 2007 15:05:37 -0500

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > fields. I suppose its futile to try to change a standard but it  
> > seems that it might be very damaging indeed to have a signed  
> > message altered after signing. That seems to defeat the reason for  
> > signing as the common person would assume that a signed message is  
> > protected entirely against unauthorised changes.
> 
> The signed message _is_ protected entirely against unauthorized  
> changes.  Or, rather, as close to "entirely" as you can get with our  
> current level of cryptography.
> 
> The signature block is just a private-key encryption of the digest of  
> the message, plus a few additional bits of information of use to  
> OpenPGP.  That private-key encryption of the digest of the message is  
> the signature.  Everything else is, to some degree, irrelevant, with  
> some things being more irrelevant than others.
> 
> If you alter a comment field, you're not altering either the original  
> message nor the private-key encryption of the digest of the message.   
> So what's the complaint?  How is this tampering with the signature  
> scheme?
> 
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
> Comment: only an idiot would think this is a problem!
> Comment: go post your problems on /dev/null!!!
> 
> iQEcBAEBCAAGBQJGEBCSAAoJELcA9IL+r4EJzS4IANXJtvWSKnxWBA4oowoyaRtG
> QrQGSv1LQJ9sreJ0c+GmxTF8K9Hi+gTRPeoIy5NUN4HJV5x+TbxmkTpO1QvcVsgN
> DfZYYf3sZugMOIdzQzbp0F63Z0SAV2Lz4NtRMiD6HflvQHovdE0V8k6M6G23XvcY
> QLstIn+XMRWBdIXX2zE7RZxNGY73TOSobNI0lDcjMyoBrSkMSdkJ4QdJv07ChI5t
> 5X+/mwpdh4KU41DE/osuqwcV/vUCqJ7+EKhdKlvHNqlhWMvJnabL3ssvopgTU9yv
> 1oqLR14toInTrUZGJ8mxkEmzdDKRm53qEfGKEmmsTNS0w5QBUgDRBOJY3ZgDis4=
> =8OOA
> -----END PGP SIGNATURE-----

I think it's a bit worse on a clearsigned document such as your post for example.
BTW There wasn't any need for name calling!

;)

Rand

p.s. of course I've altered his clearsigned post in this example. But it would still 
verify properly. This is my point.

More information about the Gnupg-users mailing list