comment and version fields. [Long]

Werner Koch wk at gnupg.org
Wed Apr 4 10:22:29 CEST 2007


On Tue,  3 Apr 2007 17:57, yaverot at nerdshack.com said:

> It is well known to people who have followed PGP & GPG for years, some
> who didn't watch as well will see that this 'flaw' has been patched on
> multiple occasions so it is nothing to worry about.

It is not a flaw but a requirement of the standard.  With the same
reasoning you could complain about the subject of mail or any other mail
header is not encrypted (actuaqlly people do that from time to time).
Or well, that gpg does not help you against raffic analysis.

> Now I haven't read the OpenPGP RFC, but if it is anything like the other
> RFCs that I've looked at (but been unable to read) its language is the
> worst possible combination between a lawyer and an engineer. Designed to

I can't agree here.  Except for the copyright notice the OpenPGP RFC is
very on topic and does only the language used in the domain of applied
cryptography.  Compare that to ISOs and decide what is easier for an
engineer to understand.

> Now I just double checked, but the RFC wasn't included as the
> documentation of the last GPG release I received. There are man pages,

RFCs are easily available.  It just does not make any sense to keep
copies of a dozen RFCs used to implement GnuPG.

> in the (clearsigned) message before running it through GPG are not part
> of the signed message, that any third party between the sender and me
> could have altered them?

You feed stuff to gpg top sign it and -depending on the used options -
gpg creates a signed message in some format and adds some more data
(lines of text) to it for its internal purpose.  Given clear text signed
messages you see your orginal text and thus you can deduce that the
comment lines are not part of it.

Anyway, proper use of gpg will show you exacly what you signed - even
with --clearsign:

  $ fortune >plain
  
  $ cat plain
  I really hate this damned machine
  I wish that they would sell it.
  It never does quite what I want
  But only what I tell it.
  
  $ gpg --clearsign <plain >plain.asc
  
  $ cat plain.asc
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  I really hate this damned machine
  I wish that they would sell it.
  It never does quite what I want
  But only what I tell it.
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.7 (GNU/Linux)
  
  iEYEARECAAYFAkYTXr8ACgkQYHhOlAEKV+1VmgCgu5Ed8O7s9wBam150DTXOniCa
  PNoAn2wycvuBgdB9HDUSDJE1a41NhdPj
  =rvX0
  -----END PGP SIGNATURE-----
  
  $ gpg <plain.asc >x
  gpg: Signature made Wed Apr  4 10:15:59 2007 CEST using DSA key ID 010A57ED
  gpg: Good signature from "Werner Koch <wk at gnupg.org>"
  gpg:                 aka "Werner Koch <wk at g10code.com>"
  gpg:                 aka "Werner Koch"
  gpg:                 aka "Werner Koch <werner at fsfe.org>"
  
  $ cat x
  I really hate this damned machine
  I wish that they would sell it.
  It never does quite what I want
  But only what I tell it.

So where do you see a problem?


Shalom-Salam,

   Werner




More information about the Gnupg-users mailing list