comment and version fields.

Remco Post r.post at sara.nl
Mon Apr 2 17:25:44 CEST 2007


Robert J. Hansen wrote:
>> p.s. of course I've altered his clearsigned post in this example.
>> But it would still verify properly. This is my point.
> 
> This is a nonissue.  I can't think of a stronger way to put it.  The  
> mutability of the comment and version string is well known and  
> clearly documented in the RFC.
> 
> If you wish to use a tool, you are responsible for knowing the  
> operation of that tool.  If you wish to be ignorant, you will remain  
> forever exploitable.  There is no technological cure for this.  All  
> technological attempts to cure this are doomed to fail.
> 
> For every human-factors problem there exist technological solutions  
> which are cheap, easy and wrong.
> 
> 

I partly agree, this is a human problem, that is, the human being too
much exposed to the workings of the protocol. To me (a simple human
being) I want to know just one thing: did this message come unaltered
from the person who claims to have sent it (signature), and can anybody
but the intended recipients read it (encrypted). Now, how OpenPGP
accomplishes this is not my problem, I don't want to know anything about
it. Version and Comment fields are not part of the message, so I should
not see them...


-- 
Met vriendelijke groeten,

Remco Post

SARA - Reken- en Netwerkdiensten                      http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16  B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
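The property both posters are arguing about can be made concrete by looking at which bytes of a clearsigned message the signature actually covers. The following is an added example, not code from the thread or from GnuPG: it splits a cleartext-signature-framework message along the lines of RFC 4880 section 7 (Hash: headers, signed text, armor headers, base64 signature body), canonicalises the signed text the way that section describes (dash-escaping removed, trailing whitespace stripped, CRLF line endings, no final line ending), and shows that rewriting a Comment: or Version: armor header in the signature block leaves the hashed text unchanged. The sample message and its signature body are constructed placeholders (the signature is not real and nothing here does public-key verification), the helper names are my own, and the digest computed is only the text portion of what a real verifier hashes (the signature packet's own trailer is also hashed, per RFC 4880 section 5.2.4). It also goes one step past the thread: trailing whitespace on body lines is stripped before hashing, so that is mutable as well.

```python
"""Which bytes of an OpenPGP clearsigned message does the signature cover?

Added example (not from the mailing-list thread or from GnuPG). The sample
message below is constructed and its signature body is a placeholder; the
point is the RFC 4880 section 7.1 canonicalisation, not the cryptography.
"""
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample (not a real signed message).
SAMPLE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Please wire the payment to account 1234.",
    "- -- ",   # dash-escaped "-- " signature separator (RFC 4880 7.1)
    "Remco",
    BEGIN_SIG,
    "Version: GnuPG v1.4.7 (GNU/Linux)",
    "Comment: constructed placeholder, not a real signature",
    "",
    "iQEcBAEBCAAGBQJPlaceholderNotARealSignatureBody",
    "=AbCd",
    END_SIG,
]) + "\n"


def _parse_headers(lines, i):
    """Read 'Key: value' lines up to the blank separator; return (dict, index)."""
    headers = {}
    while i < len(lines) and lines[i] != "":
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    return headers, i + 1  # skip the blank line


def split_clearsigned(msg):
    """Return (hash_headers, armor_headers, canonical_signed_text, sig_body).

    Per RFC 4880 7.1 the signed data is the text between the Hash: headers
    and the BEGIN PGP SIGNATURE line, with dash-escaping undone, trailing
    spaces/tabs stripped from every line, lines joined with CRLF, and the
    line ending before the signature line not included. The armor headers
    inside the signature block are never part of that data.
    """
    lines = msg.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        raise ValueError("not a clearsigned message")
    hash_headers, i = _parse_headers(lines, 1)
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        body.append(lines[i])
        i += 1
    if i == len(lines):
        raise ValueError("missing signature block")
    armor_headers, i = _parse_headers(lines, i + 1)
    sig_lines = []
    while i < len(lines) and lines[i] != END_SIG:
        sig_lines.append(lines[i])
        i += 1
    if i == len(lines):
        raise ValueError("unterminated signature block")
    canon = []
    for line in body:
        if line.startswith("- "):
            line = line[2:]           # undo dash-escaping
        canon.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    return hash_headers, armor_headers, "\r\n".join(canon), "\n".join(sig_lines)


def signed_text_digest(msg):
    """Hex digest of the canonical signed text using the Hash: header's algorithm.

    RFC 4880 section 7: if no Hash: header is present, MD5 is assumed. A real
    verifier additionally hashes the signature packet's trailer; this is only
    the text portion, which is enough to show what the armor headers affect.
    """
    hash_headers, _, signed_text, _ = split_clearsigned(msg)
    algo = hash_headers.get("Hash", "MD5").split(",")[0].strip().lower()
    h = hashlib.new(algo)
    h.update(signed_text.encode("utf-8"))
    return h.hexdigest()


def replace_armor_header(msg, name, value):
    """Rewrite (or add) one armor header inside the PGP SIGNATURE block only."""
    head, sep, tail = msg.partition(BEGIN_SIG + "\n")
    if not sep:
        raise ValueError("missing signature block")
    hdr_block, blank, rest = tail.partition("\n\n")
    hdrs = [h for h in hdr_block.split("\n") if h and not h.startswith(name + ":")]
    hdrs.append(f"{name}: {value}")
    return head + sep + "\n".join(hdrs) + blank + rest


if __name__ == "__main__":
    edited = replace_armor_header(SAMPLE, "Comment", "edited after signing")
    print("original :", signed_text_digest(SAMPLE))
    print("edited   :", signed_text_digest(edited), "(armor header changed)")
    print("body edit:", signed_text_digest(SAMPLE.replace("1234", "9999")))
```

Running it prints the same digest for the original and the header-edited message and a different one for the body edit, which is exactly why an altered Comment: line "would still verify properly": the verifier never hashed it. A tool that wants to protect its users from this has only one honest option, which is to not display the armor headers as if they were part of the signed content.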



More information about the Gnupg-users mailing list