comment and version fields.

randux at randux at
Mon Apr 2 11:40:18 CEST 2007

-------- Original Message --------
From: "Robert J. Hansen" <rjh at>
Cc: GnuPG users <gnupg-users at>
Subject: Re: comment and version fields.
Date: Sun, 1 Apr 2007 15:05:37 -0500

> Hash: SHA256
> > fields. I suppose it's futile to try to change a standard but it
> > seems that it might be very damaging indeed to have a signed
> > message altered after signing. That seems to defeat the reason for
> > signing as the common person would assume that a signed message is
> > protected entirely against unauthorised changes.
> The signed message _is_ protected entirely against unauthorized
> changes.  Or, rather, as close to "entirely" as you can get with our
> current level of cryptography.
> The signature block is just a private-key encryption of the digest of
> the message, plus a few additional bits of information of use to
> OpenPGP.  That private-key encryption of the digest of the message is
> the signature.  Everything else is, to some degree, irrelevant, with
> some things being more irrelevant than others.
> If you alter a comment field, you're not altering either the original
> message nor the private-key encryption of the digest of the message.
> So what's the complaint?  How is this tampering with the signature
> scheme?
> Version: GnuPG v1.4.7 (Darwin)
> Comment: only an idiot would think this is a problem!
> Comment: go post your problems on /dev/null!!!
> QrQGSv1LQJ9sreJ0c+GmxTF8K9Hi+gTRPeoIy5NUN4HJV5x+TbxmkTpO1QvcVsgN
> DfZYYf3sZugMOIdzQzbp0F63Z0SAV2Lz4NtRMiD6HflvQHovdE0V8k6M6G23XvcY
> QLstIn+XMRWBdIXX2zE7RZxNGY73TOSobNI0lDcjMyoBrSkMSdkJ4QdJv07ChI5t
> 5X+/mwpdh4KU41DE/osuqwcV/vUCqJ7+EKhdKlvHNqlhWMvJnabL3ssvopgTU9yv
> 1oqLR14toInTrUZGJ8mxkEmzdDKRm53qEfGKEmmsTNS0w5QBUgDRBOJY3ZgDis4=
> =8OOA

I think it's a bit worse on a clearsigned document, such as your post, for example.
BTW, there wasn't any need for name calling!

P.S. Of course I've altered his clearsigned post in this example. But it would still
verify properly. This is my point.
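An added example in Python (not from this thread or from GnuPG) that makes the point concrete: it splits a clearsigned message into the parts a verifier actually checks (the canonicalised text, the radix-64 signature bytes and their CRC-24) and the armor headers it ignores, so two copies differing only in their Version:/Comment: lines come out identical everywhere that matters. The message and the signature bytes are constructed placeholders, not a real signature.

```python
import base64

SIG_BYTES = b"placeholder OpenPGP signature packet (constructed)"  # not a real signature

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def build_message(comment: str) -> str:
    """Clearsigned message in the layout of the quoted post, with a chosen Comment: header."""
    crc = crc24(SIG_BYTES).to_bytes(3, "big")
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
        "The signed message _is_ protected entirely against unauthorized  ",
        "changes.",
        "- -- a line starting with a dash, dash-escaped by the signer",
        "-----BEGIN PGP SIGNATURE-----",
        "Version: GnuPG v1.4.7 (Darwin)", f"Comment: {comment}", "",
        base64.b64encode(SIG_BYTES).decode(),
        "=" + base64.b64encode(crc).decode(),
        "-----END PGP SIGNATURE-----"])

def canonical_text(lines) -> str:
    """The text a verifier hashes (RFC 4880 section 7.1): dash-escaping undone,
    trailing whitespace dropped, CRLF line endings, none after the last line."""
    return "\r\n".join((l[2:] if l.startswith("- ") else l).rstrip(" \t") for l in lines)

def parse_clearsigned(text: str) -> dict:
    lines = text.splitlines()
    body_start = lines.index("", 1) + 1          # blank line ends the Hash: headers
    sig_start = lines.index("-----BEGIN PGP SIGNATURE-----")
    armor = lines[sig_start + 1:lines.index("-----END PGP SIGNATURE-----")]
    blank = armor.index("")                       # blank line ends the armor headers
    data = [l for l in armor[blank + 1:] if not l.startswith("=")]
    crc_line = next(l for l in armor[blank + 1:] if l.startswith("="))
    sig = base64.b64decode("".join(data))
    return {
        "hash_algorithms": [l.split(":", 1)[1].strip() for l in lines[1:body_start - 1]],
        "canonical_text": canonical_text(lines[body_start:sig_start]),
        "armor_headers": armor[:blank],            # Version:/Comment: are NOT signed
        "signature": sig,                          # what the signature check actually uses
        "crc_ok": crc24(sig) == int.from_bytes(base64.b64decode(crc_line[1:]), "big"),
    }
```

A real verifier goes on to hash the canonical text together with the signature packet's trailer and checks the result against the key; this block stops at showing which bytes feed that step, and the armor headers are never among them.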
