comment and version fields. [Long]

Remco Post r.post at sara.nl
Wed Apr 4 00:10:06 CEST 2007 

Robert J. Hansen wrote:
>> Does it say that the comment lines I read
>> in the (clearsigned) message before running it through GPG are not
>> part
>> of the signed message, that any third party between the sender and me
>> could have altered them?
> 
> I would think the line "----- BEGIN PGP SIGNATURE -----" would be a
> tipoff to the fact that the signed portion of the message has ended
> and data meant for an OpenPGP application's internal use is now
> beginning.  Thus, yes, I do think it's flamingly obvious that
> anything in the signature block is not part of the signed message.
> 

Now, this is true for you and me. Now, take my secretary as an example.
She has not installed any pgp/gpg aware software, nor is she an
experienced user of cryptographic tools. Do you expect her to correctly
interpret these hints? I don't. Now, usually I don't sign messages to
people who can't do anything with those signatures to prevent confusion.

> 
> Which is the entire reason why we have those "----- BEGIN" lines.  So
> that people can see the markers delineating which portions of the
> message are protected.
> 



> As has been repeated here ad nauseam, this is not a GnuPG problem.
> This is not a PGP problem.  This is not an RFC problem.  This is, at
> best, an MUA problem and should be brought up with MUA authors who
> present signed data in a format that makes it easy to mistake things.
> 

So now it's blame somebody else? I guess that comments might not be the
best idea for the rfc/protocol. Do they serve any purpose in the
protocol? No? So maybe they are a problem in the protocol after al.
IMNSHO, the comments taint the very purpose of the digital signature.

Now as to this being the right mailinglist, this list is for discussions
amongst users of gnupg for discussions about the problems they see in
the use of gnupg. Yes in an ideal world all MUAs allways hide all gnupg
internals for all users all of the time. I guess you are now
volunteering to start convincing the people in Redmont? In the mean
time, maybe it's easier to think about what the protocol is intended to
do and conclude that maybe a comment field is not very useful, and could
be counterproductive.

(ps, if I want something to be part of a message, I can put it in the
signed part of the message just as well... eg. my sig.)



-- 
Met vriendelijke groeten,

Remco Post

SARA - Reken- en Netwerkdiensten                      http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16  B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams

More information about the Gnupg-users mailing list