comment and version fields.

randux at randux at
Mon Apr 2 17:15:45 CEST 2007

-------- Original Message --------
From: "Robert J. Hansen" <rjh at>
Cc: GnuPG users <gnupg-users at>
Subject: Re: comment and version fields.
Date: Mon, 2 Apr 2007 09:46:12 -0500

> Hash: SHA256
> > p.s. of course I've altered his clearsigned post in this example.  
> > But it would still
> > verify properly. This is my point.
> This is a nonissue.  I can't think of a stronger way to put it.  The  
> mutability of the comment and version string is well known and  
> clearly documented in the RFC.
> If you wish to use a tool, you are responsible for knowing the  
> operation of that tool.  If you wish to be ignorant, you will remain  
> forever exploitable.  There is no technological cure for this.  All  
> technological attempts to cure this are doomed to fail.
> For every human-factors problem there exist technological solutions  
> which are cheap, easy and wrong.
> Version: GnuPG v1.4.7 (Darwin)
> 0z0DHlAzAbgyYWB410aLEJvWhV1kW7g8FpMUxayTEk4Le8fS4i2tj10v3YrEta3N
> viQ7yoYRDKUTTRD0TnpfUr+pjGvBEpgE4eEm+uzF7Gw961u71SgwCJtKwzvCy3f/
> BeLLVsv8mWaC6m+iNCm1ICUEUOv32mN1TgTCNa0l+XCupP8z1qFkJb7919kGEU7r
> 3g/bxJ+u/ZNjIZcykCN5E7mTF9bYE3C8PjyNIpkBs7U5yLpsjtsGkSB04sOB2p4R
> Rw+zfYAQtxerva721zHOU0XlXd82Ny5WhYY1tJ7EB4+gbhgTFCUGljSDnu/fUcg=
> =StmC

No, you're misunderstanding me. I'm not concerned with the technical user who posts a question to a news list and understands the issue. I'm wondering about the non-technical (business) user who gets a plug-in for his email client and then misinterprets a modified signature block that someone tampered with.

More information about the Gnupg-users mailing list