comment and version fields // doesn't need to be a 'comment'

[vedaal at hush.com]

have been away for a while, and did not have a chance to respond to 
the discussion about the comment and version fields

(and yes, i agree that the proper place would be the ietf wg
but they are currently involved in trying to get the rfc revision 
through,
and might not want to consider other issues at this time)

just wanted to point out that the 'comment' line doesn't need to 
have the word 'Comment:', it only needs to have a ':' 

so the following can be inserted instead of or in addition to,
the 'comment' and 'version' lines,

GNUPG WARNING: This signing key has been reported to be compromised


the signature would still verify,
but this could potentially be misleading to people just starting 
out with gnupg

maybe,
even though it is not strictly necessary,
it would certainly be helpful,
if a short statement could be included into the gnupg documentation
saying something like:

" In a clearsigned message, the only part that is authenticated is 
the 
text of the message. This is the part in between the dashed lines,
-----BEGIN PGP SIGNED MESSAGE-----
and
-----BEGIN PGP SIGNATURE-----

Any insertions between the line,
-----BEGIN PGP SIGNATURE-----
and the signature block itself, 
is *NOT* authenticated, and may be altered without affecting the 
verification.
If there is any question about such insertions, please check them 
with the sender. "

the above is only a 'suggested text',
and could probably be improved on,

because of backward compatibility,
it is unlikely that the comment/version/ etc. lines could now be 
changed to be part of the authenticated material,
so the most practical thing might be just a small explanatory note 
in the user manual.


vedaal

--
Click for free info on associates degrees and make $150K/ year
http://tagline.hushmail.com/fc/CAaCXv1JDCVzkVeKF0dkzPEhplFm4udA/