comment and version fields.
randux at Safe-mail.net
Mon Apr 2 17:15:45 CEST 2007
-------- Original Message --------
From: "Robert J. Hansen" <rjh at sixdemonbag.org>
Cc: GnuPG users <gnupg-users at gnupg.org>
Subject: Re: comment and version fields.
Date: Mon, 2 Apr 2007 09:46:12 -0500
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > p.s. of course I've altered his clearsigned post in this example.
> > But it would still
> > verify properly. This is my point.
>
> This is a nonissue. I can't think of a stronger way to put it. The
> mutability of the comment and version string is well known and
> clearly documented in the RFC.
>
> If you wish to use a tool, you are responsible for knowing the
> operation of that tool. If you wish to be ignorant, you will remain
> forever exploitable. There is no technological cure for this. All
> technological attempts to cure this are doomed to fail.
>
> For every human-factors problem there exist technological solutions
> which are cheap, easy and wrong.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
>
> -----END PGP SIGNATURE-----
No, you're misunderstanding me. I'm not concerned with the technical user who posts a question to a news list and understands the issue. I'm wondering about the non-technical (business) user who gets a plug-in for his email client and then misinterprets a modified signature block that someone tampered with.
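
The point under discussion, as an added example that is not part of the original thread: the armor headers of the signature block (Version, Comment) lie outside the signed data, so a mail plug-in can treat them as unauthenticated and drop them before showing a verified message. The sample message, its placeholder signature body and the function names are all constructed for illustration.

```python
import re

ARMOR_HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")

def split_clearsigned(text):
    """Split one clearsigned message into (signed_lines, armor_headers, sig_lines)."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    body = lines.index("", start) + 1   # cleartext begins after the Hash: headers
    blank = lines.index("", sig)        # armor headers end at the first blank line
    headers = {}
    for line in lines[sig + 1:blank]:
        m = ARMOR_HEADER.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
    return lines[body:sig], headers, lines[blank + 1:end]

def same_signed_content(a, b):
    """True when two messages differ, at most, in their unauthenticated armor headers."""
    text_a, _, sig_a = split_clearsigned(a)
    text_b, _, sig_b = split_clearsigned(b)
    return text_a == text_b and sig_a == sig_b

def strip_armor_headers(text):
    """Rebuild the message without Version/Comment lines, for display after verification."""
    lines = text.splitlines()
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", sig)
    return "\n".join(lines[:sig + 1] + lines[blank:]) + "\n"

# Constructed sample: the signature body is a placeholder, not a real signature.
ORIGINAL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meeting moved to Tuesday.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

PLACEHOLDERSIGNATUREDATA
=XXXX
-----END PGP SIGNATURE-----
"""
# The same message with a Comment header inserted after signing (constructed).
ALTERED = ORIGINAL.replace(
    "(Darwin)\n", "(Darwin)\nComment: constructed text added after signing\n")

if __name__ == "__main__":
    print(same_signed_content(ORIGINAL, ALTERED))
    print(split_clearsigned(ALTERED)[1])
    print(strip_armor_headers(ALTERED))
```

Stripping is safe to do before or after verification because the removed lines are not part of what the signature covers.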