comment and version fields. [Long]

Robert J. Hansen rjh at
Tue Apr 3 20:55:12 CEST 2007

Hash: SHA256

> Does it say that the comment lines I read
> in the (clearsigned) message before running it through GPG are not part
> of the signed message, that any third party between the sender and me
> could have altered them?

I would think the line "----- BEGIN PGP SIGNATURE -----" would be a
tipoff to the fact that the signed portion of the message has ended
and data meant for an OpenPGP application's internal use is now
beginning.  Thus, yes, I do think it's flamingly obvious that
anything in the signature block is not part of the signed message.

> wouldn't be a problem. Okay, it would be less of a problem, but clearly
> showing the signed portion is everything within the beginning and ending
> markers (and only that within the markers) is the obvious way people
> think.

Which is the entire reason why we have those "----- BEGIN" lines.  So
that people can see the markers delineating which portions of the
message are protected.

As has been repeated here ad nauseam, this is not a GnuPG problem.
This is not a PGP problem.  This is not an RFC problem.  This is, at
best, an MUA problem and should be brought up with MUA authors who
present signed data in a format that makes it easy to mistake things.

Please, if you want to continue to beat this drum, please beat it in
front of the right people.

> Fixing the RFC is probably not an option, but being more clear in user
> documentation is. Not just the official GnuPG manual, but the OpenPGP
> help file in enigmail, and other MUA wrappers.

Then take it up on the Enigmail list.  This is the GnuPG-Users list.

Version: GnuPG v1.4.7 (Darwin)
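To make the delineation the reply describes concrete, here is an added example (not part of the list thread or of GnuPG) that splits a constructed clearsigned message into the signed body, the unauthenticated armor headers of the signature block, and the text outside the markers entirely. The sample message and its placeholder signature body are constructed for illustration.

```python
# Constructed sample clearsigned message; the base64 signature body is a placeholder,
# not a real signature.  The layout follows the clearsigned format the reply refers to.
SAMPLE = """\
Preamble text an MUA may display above the markers.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meet at noon in room 4.
- -- lines beginning with a dash are dash-escaped inside the signed body
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: this header line is NOT covered by the signature

iQEcBAEBCAAGBQJPLACEHOLDERPLACEHOLDERPLACEHOLDER=
=AbCd
-----END PGP SIGNATURE-----
Trailing text after the END marker is not signed either.
"""


def split_clearsigned(msg):
    """Return (signed_text, armor_headers, unsigned_text).

    Only the lines between the 'Hash:' header block and the BEGIN PGP SIGNATURE
    marker are covered by the signature.  Armor headers (Version:, Comment:)
    inside the signature block and anything outside the markers are not.
    """
    lines = msg.splitlines()
    begin = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig_begin = lines.index("-----BEGIN PGP SIGNATURE-----")
    sig_end = lines.index("-----END PGP SIGNATURE-----")
    # The signed body starts after the blank line that ends the Hash: headers.
    body_start = lines.index("", begin) + 1
    signed = []
    for line in lines[body_start:sig_begin]:
        # Undo dash-escaping: a body line starting with '-' is sent as '- -...'.
        signed.append(line[2:] if line.startswith("- ") else line)
    # Armor headers run from the signature marker up to the first blank line.
    hdr_end = lines.index("", sig_begin)
    armor = {}
    for line in lines[sig_begin + 1:hdr_end]:
        key, _, val = line.partition(":")
        armor.setdefault(key.strip(), []).append(val.strip())
    # Everything before the first marker and after the last one is unprotected.
    unsigned = lines[:begin] + lines[sig_end + 1:]
    return "\n".join(signed), armor, "\n".join(unsigned)
```

A verifier should treat the `armor` and `unsigned` parts as untrusted display text and only the `signed` part as what the signature vouches for.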