comment and version fields. [Long]

Todd Zullinger tmz at
Tue Apr 3 21:33:14 CEST 2007

Matt wrote:
> Now I haven't read the OpenPGP RFC, but if it is anything like the other
> RFCs that I've looked at (but been unable to read) its language is the
> worst possible combination between a lawyer and an engineer. Designed to
> kill all interest in the subject before getting down to the subject.

Yes, you've found the true purpose of all RFCs.  Unfortunately they
aren't working as intended as numerous folks have managed to glean
just enough detail out of them to make working implementations based
on these documents. :)

> Now I just double checked, but the RFC wasn't included as the
> documentation of the last GPG release I received.

Nor should it be.  As an end user of the software you shouldn't need
to know the details of implementation.  And unless you have buggy
software that mixes the comment field in with the signed data, there
isn't really any problem here.

> There are man pages, which can't be read under Windows

Not that I take much glee in knowing there are things I can read on
Linux that Windows users can't, but I thought that the man pages were
generally included with the Windows builds and you could open them
with a text editor.  But it's been a long time since I even looked at
a Windows box with gpg installed.

> Does it say that the comment lines I read in the (clearsigned)
> message before running it through GPG are not part of the signed
> message, that any third party between the sender and me could have
> altered them?

If you're not comfortable with the tool, then that's why there are
many convenient wrappers/plugins that handle this automatically.  I
think it seems reasonable to assume that if you're running things
through gpg manually, on the command-line, that you ought to have a
little more understanding of the tool.

> Fixing the RFC is probably not an option, but being more clear in
> user documentation is. Not just the official GnuPG manual, but the
> OpenPGP help file in enigmail, and other MUA wrappers.

Since enigmail doesn't even show you the comment field, why would
anything need to be added to its help file about it?  Ditto for most
of the other mail plugins that I've seen and used.

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
I never forget a face, but in your case I'll be glad to make an
    -- Groucho Marx
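
The point discussed in this message, that the Version and Comment armor headers sit outside the data a clearsigned signature covers, shown as an added example that is not part of the original post or of GnuPG. The sample message, its placeholder signature body, and the function names are constructed for illustration.

```python
# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Meet at noon.
- -dashed line
Alice
-----BEGIN PGP SIGNATURE-----
Version: ExamplePGP 1.0 (constructed)
Comment: original comment

PLACEHOLDERBASE64==
=AAAA
-----END PGP SIGNATURE-----
"""

def split_clearsigned(message):
    """Return (signed_text, unsigned_headers) for one clearsigned message."""
    lines = message.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", start)       # blank line ends the "Hash:" headers
    hash_headers = lines[start + 1:blank]
    body = []
    for line in lines[blank + 1:sig]:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    # Signed text uses CRLF line endings; the line break that precedes
    # the signature block is not part of it.
    signed_text = "\r\n".join(body)
    sig_blank = lines.index("", sig)     # blank line ends the armor headers
    armor_headers = lines[sig + 1:sig_blank]
    return signed_text, hash_headers + armor_headers

def changed_regions(original, modified):
    """Name the regions that differ between two copies of a message."""
    text_a, headers_a = split_clearsigned(original)
    text_b, headers_b = split_clearsigned(modified)
    regions = []
    if text_a != text_b:
        regions.append("signed text")      # verification would fail
    if headers_a != headers_b:
        regions.append("unsigned headers") # verification is unaffected
    return regions

if __name__ == "__main__":
    edited = SAMPLE.replace("original comment", "rewritten in transit")
    print(changed_regions(SAMPLE, edited))
```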
