comment and version fields. [Long]
Robert J. Hansen
rjh at sixdemonbag.org
Tue Apr 3 20:55:12 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> Does it say that the comment lines I read in the (clearsigned) message
> before running it through GPG are not part of the signed message, that
> any third party between the sender and me could have altered them?
I would think the line "----- BEGIN PGP SIGNATURE -----" would be a
tipoff to the fact that the signed portion of the message has ended
and data meant for an OpenPGP application's internal use is now
beginning. Thus, yes, I do think it's flamingly obvious that
anything in the signature block is not part of the signed message.
> wouldn't be a problem. Okay, it would be less of a problem, but clearly
> showing the signed portion is everything within the beginning and ending
> markers (and only that within the markers) is the obvious way people
> think.
Which is the entire reason why we have those "----- BEGIN" lines. So
that people can see the markers delineating which portions of the
message are protected.
As has been repeated here ad nauseam, this is not a GnuPG problem.
This is not a PGP problem. This is not an RFC problem. This is, at
best, an MUA problem and should be brought up with MUA authors who
present signed data in a format that makes it easy to mistake things.
Please, if you want to continue to beat this drum, please beat it in
front of the right people.
> Fixing the RFC is probably not an option, but being more clear in user
> documentation is. Not just the official GnuPG manual, but the OpenPGP
> help file in enigmail, and other MUA wrappers.
Then take it up on the Enigmail list. This is the GnuPG-Users list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iQEcBAEBCAAGBQJGEqMRAAoJELcA9IL+r4EJALsIALe/MDIDNEeNsoMmd3bKh/lV
qQZQjK/keV98AEPfkKYw0rYnH9uyc63FIRTth3o3PeF0fG+Vw5RFXDvi6tSS96wn
7w8qdasETHOazm4Lz34oEEqswTCYJWQGnVWYyktmtHLPhouWIR+wkx0pmlFiZc+i
rv6FiOXzTdPZJg578U0nu3qsr5muvuJB56COjlG67tqdWLslZ4DKTl+ErF1Twlyk
KypG3J/n/dyLOX2P/NN+JvyTd19b0PGOFDkFi3dff0k8tDeJKPfpjt83s5jtcIrN
XjDEgQ+l7Z4ridfabNdZar0tn9c/hpXY35a+trLx+UgIKUXzD9Mgd/PiR23+KI8=
=SD3N
-----END PGP SIGNATURE-----
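The structural point being argued above, as an added example that is not part of the original post and not GnuPG code: a small parser that splits an OpenPGP clearsigned message (RFC 4880 section 7 layout) into the signed text and the armor headers of the signature block. The sample message is constructed; the `Comment:` line and the signature body are placeholders, and the code only separates the parts, it does not verify any signature (that remains gpg's job). Running it shows that changing the `Comment:` or `Version:` header in the signature block leaves the signed text untouched, which is exactly why those lines must not be read as signed content.

```python
"""Split an OpenPGP clearsigned message into its signed text and the
unsigned armor headers of its signature block.

Added example for this thread; not GnuPG code and not a verifier.
"""
import re

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample (not a real signed message): the signature data and
# the Comment: line are placeholders.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meeting moved to 10:00, same room.
- --
Alice
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: anything written here is NOT covered by the signature

PLACEHOLDERSIGNATUREDATA
=XXXX
-----END PGP SIGNATURE-----
"""


def _armor_headers(lines, first, stop):
    """Collect 'Key: value' armor headers from lines[first:] up to the first
    blank line (or the stop index), returning them as a dict."""
    headers = {}
    i = first
    while i < stop and lines[i].strip() != "":
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    return headers, i


def split_clearsigned(text):
    """Return (signed_text, hash_headers, signature_headers).

    signed_text is the dash-unescaped body between the blank line after the
    Hash: header(s) and the line before the signature block, with trailing
    whitespace removed from each line (the canonical form a verifier hashes).
    signature_headers are the Version:/Comment: lines of the signature
    block, which lie outside the signed data.
    """
    lines = text.splitlines()
    try:
        start = lines.index(SIGNED_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError as exc:
        raise ValueError("not a well-formed clearsigned message") from exc

    hash_headers, i = _armor_headers(lines, start + 1, sig_start)
    body = lines[i + 1:sig_start]          # skip the blank separator line

    signed_lines = []
    for line in body:
        if line.startswith("- "):          # undo dash-escaping of '-' lines
            line = line[2:]
        signed_lines.append(line.rstrip(" \t"))
    signed_text = "\n".join(signed_lines)

    signature_headers, _ = _armor_headers(lines, sig_start + 1, sig_end)
    return signed_text, hash_headers, signature_headers


def signed_text_unchanged_by_comment(text, new_comment):
    """Rewrite the Comment: header of the signature block and report whether
    the signed text extracted from the message is identical afterwards."""
    altered = re.sub(r"^Comment:.*$", "Comment: " + new_comment,
                     text, count=1, flags=re.MULTILINE)
    return split_clearsigned(text)[0] == split_clearsigned(altered)[0]


if __name__ == "__main__":
    signed, hashes, sig_headers = split_clearsigned(SAMPLE)
    print("signed text:", repr(signed))
    print("hash header(s):", hashes)
    print("unsigned signature-block headers:", sig_headers)
    print("comment edit leaves signed text unchanged:",
          signed_text_unchanged_by_comment(SAMPLE, "edited in transit"))
```

The unescaping of lines beginning with `- ` matters: the sender's `--` signature separator is dash-escaped in transit, and a reader comparing the raw bytes to what gpg reports as signed would otherwise be confused for the same reason the thread describes.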