comment and version fields. [Long]
Robert J. Hansen
rjh at sixdemonbag.org
Tue Apr 3 20:55:12 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
> Does it say that the comment lines I read
> in the (clearsigned) message before running it through GPG are not
> of the signed message, that any third party between the sender and me
> could have altered them?
I would think the line "----- BEGIN PGP SIGNATURE -----" would be a
tipoff to the fact that the signed portion of the message has ended
and data meant for an OpenPGP application's internal use is now
beginning. Thus, yes, I do think it's flamingly obvious that
anything in the signature block is not part of the signed message.
> wouldn't be a problem. Okay, it would be less of a problem, but
> showing the signed portion is everything within the beginning and
> markers (and only that within the markers) is the obvious way people
Which is the entire reason why we have those "----- BEGIN" lines. So
that people can see the markers delineating which portions of the
message are protected.
As has been repeated here ad nauseam, this is not a GnuPG problem.
This is not a PGP problem. This is not an RFC problem. This is, at
best, an MUA problem and should be brought up with MUA authors who
present signed data in a format that makes it easy to mistake things.
Please, if you want to continue to beat this drum, please beat it in
front of the right people.
> Fixing the RFC is probably not an option, but being more clear in user
> documentation is. Not just the official GnuPG manual, but the OpenPGP
> help file in enigmail, and other MUA wrappers.
Then take it up on the Enigmail list. This is the GnuPG-Users list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
-----END PGP SIGNATURE-----
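The framing point Hansen makes above, that only the text between the "BEGIN PGP SIGNED MESSAGE" block and the "BEGIN PGP SIGNATURE" line is covered by the signature, while Version and Comment headers inside the signature armor are not, can be checked mechanically. The following Python is an added example written for this archive page; it is not code from the thread, from GnuPG or from Enigmail. It only splits a clearsigned message into its signed and unsigned regions according to the RFC 4880 clearsign layout (dash-escape removal, trailing-whitespace stripping); it performs no cryptographic verification, which is still GnuPG's job. The sample message, its "Comment:" header and the signature body are constructed placeholders, not a real signature.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def _parse_headers(lines):
    """Collect 'Key: value' lines up to the first blank line.

    Returns (headers, remaining_lines). Used both for the Hash header(s)
    after BEGIN PGP SIGNED MESSAGE and for the armor headers (Version,
    Comment, ...) inside the signature block.
    """
    headers = {}
    for i, line in enumerate(lines):
        if line.strip() == "":
            return headers, lines[i + 1:]
        key, sep, value = line.partition(":")
        if sep:
            headers.setdefault(key.strip(), []).append(value.strip())
    return headers, []


def split_clearsigned(text):
    """Split a clearsigned message into the regions a reader must tell apart.

    hash_headers  - headers after BEGIN PGP SIGNED MESSAGE (not signed)
    signed_text   - the text the signature covers: dash-escaping ("- ")
                    removed, trailing whitespace stripped (RFC 4880 7.1).
                    Lines are joined with "\\n" here; the hash itself is
                    computed over CRLF-canonicalised text.
    armor_headers - Version/Comment/... inside the signature block (not signed)
    signature     - the base64 armor body (not verified by this code)
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start + 1)
        sig_end = lines.index(END_SIG, sig_start + 1)
    except ValueError as exc:
        raise ValueError("not a well-formed clearsigned message") from exc

    hash_headers, body = _parse_headers(lines[start + 1:sig_start])
    signed_lines = []
    for line in body:
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping of lines that began with '-'
        signed_lines.append(line.rstrip(" \t"))

    armor_headers, sig_body = _parse_headers(lines[sig_start + 1:sig_end])
    return {
        "hash_headers": hash_headers,
        "signed_text": "\n".join(signed_lines),
        "armor_headers": armor_headers,
        "signature": "".join(l.strip() for l in sig_body),
    }


def where_is(text, needle):
    """Report whether a string sits in the signed text, in an unsigned
    header region, or nowhere in the message."""
    parts = split_clearsigned(text)
    if needle in parts["signed_text"]:
        return "signed"
    for headers in (parts["hash_headers"], parts["armor_headers"]):
        if any(needle in v for values in headers.values() for v in values):
            return "unsigned"
    return "absent"


# Constructed sample: the Comment line contradicts the signed text, and the
# signature body is a placeholder, not real armor data.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The meeting is on Thursday.
- --- agenda ---
Alice
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Meeting moved to Friday.

PLACEHOLDER-SIGNATURE-DATA-NOT-A-REAL-SIGNATURE
=AbCd
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    parts = split_clearsigned(SAMPLE)
    print("signed text:\n" + parts["signed_text"])
    print("unsigned armor headers:", parts["armor_headers"])
    for word in ("Thursday", "Friday"):
        print(word, "->", where_is(SAMPLE, word))
```

Running it shows "Thursday" classified as signed and "Friday" as unsigned: the Comment header is exactly the kind of text a mail client can render next to the signed body so that it looks protected when it is not.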