From: Sven Radde <[EMAIL PROTECTED]>
Date: Mon, 02 Apr 2007 10:19:25 +0200

> Hi!
>
> [EMAIL PROTECTED] wrote:
> > The "comment" and "version" armor fields are both essentially
> > comments, and are ignored by the OpenPGP protocol. You can change
> > either of them to whatever you like.
> >
> > ... That seems to defeat the reason for signing
> > as the common person would assume that a signed message
> > is protected entirely against unauthorised changes.
>
> I agree with randux here. The Comment is within the "---PGP
> SIGNATURE---" part and I, too, was not aware that it is not protected by
> anything. (Do the docs mention this, btw?)
>
> It might be a possible way for a social engineering attack, if comments
> like the following were inserted:
> "Comment: NOTE: I will retire my current key soon!"
> "Comment: Obtain my new key from http://evil.impersonator.net/sven.asc"
> "Comment: Fingerprint of new key: [...]"
>
> It may not be a big risk, but I doubt that the general user-base is
> aware of the fact that comments are not signed parts of the message.
> I would suggest to at least update the documentation :-)
>
> cu, Sven
This is a good point I hadn't even considered. I only thought about the
opportunity for an attacker to insert whatever text he chose to make it look
like it came from the sender. For example

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To Her Majesty The Queen,

Thanks very much indeed for the lovely dinner you made for our staff. It was
vital that we were able to receive assistance on (insert matter of diplomatic
importance)

Your Obedient Servant,
The Prime Minister
-----BEGIN PGP SIGNATURE-----
Comment: Your chef is a bloody menace! The entire staff spent the remainder of
Comment: the evening in the loo and nothing at all was accomplished the following
Comment: day. If you plan another event such as that you would do well to
Comment: consider not inviting us at all!
Comment: [EMAIL PROTECTED]
Comment: p.s. it's too late for apologies!

ljhl sjilu745pfo98h09j7ofj876ljhl sjilu745pfo98h09j7ofj876ljhl sjilu745pfo98h09j7ofj876
yfot874267fo8fnv98y070760870n7b87yfot874267fo8fnv98y070760870n7b87yfot87426
876ljhl sjilu745pfo98h09j7ofj8876ljhl sjilu745pfo98h09j7ofj8876ljhl sjilu745pfo98h09j7o
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
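The point raised in both messages above is that the text inside the signature
block's armor headers (Comment, Version and friends) is part of the armor, not
of the message, so a signature check says nothing about it (RFC 4880, section
6.2). The Python below is an added example, not code from this thread or from
GnuPG: it parses the RFC 4880 cleartext signature framework and hands back the
body the signature covers separately from the armor headers it does not, so a
mail filter or client can render those headers as untrusted rather than as part
of the signed letter. Function names (parse_clearsigned, unsigned_text) are my
own, the sample message is constructed, and its base64 is a placeholder, not a
real signature; no signature verification is performed.

```python
"""Split an OpenPGP cleartext-signed message into signed and unsigned parts.

Added example (not from the gnupg-users thread or GnuPG). Implements the
RFC 4880 section 7 cleartext signature framework layout only; it does not
verify the signature.
"""
from dataclasses import dataclass

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


@dataclass
class ClearsignedMessage:
    hashes: list          # "Hash:" headers before the body (armor, unsigned)
    body: str             # the dash-unescaped text the signature covers
    armor_headers: list   # (key, value) pairs from the signature block, unsigned
    signature_b64: str    # base64 signature body (verification not done here)


def _dash_unescape(line):
    # RFC 4880 7.1: a cleartext line starting with '-' is sent as "- " + line
    return line[2:] if line.startswith("- ") else line


def parse_clearsigned(text):
    lines = text.splitlines()
    try:
        i = lines.index(BEGIN_SIGNED)
        j = lines.index(BEGIN_SIG, i + 1)
        k = lines.index(END_SIG, j + 1)
    except ValueError as e:
        raise ValueError("not a complete cleartext-signed message") from e

    # "Hash:" armor headers run from the BEGIN line to the first blank line
    hashes = []
    p = i + 1
    while p < j and lines[p].strip():
        key, _, val = lines[p].partition(":")
        if key.strip() == "Hash":
            hashes.append(val.strip())
        p += 1

    # Signed body: everything between that blank line and the signature block.
    # Trailing whitespace is stripped because the hash is computed without it.
    body_lines = [_dash_unescape(l).rstrip(" \t") for l in lines[p + 1:j]]
    body = "\n".join(body_lines)

    # Armor headers of the signature block: not covered by the signature at all
    armor_headers = []
    q = j + 1
    while q < k and lines[q].strip():
        key, sep, val = lines[q].partition(":")
        armor_headers.append((key.strip(), val.strip() if sep else ""))
        q += 1

    # base64 data follows the blank line; the "=XXXX" CRC line is dropped
    sig_b64 = "".join(l.strip() for l in lines[q + 1:k] if not l.startswith("="))
    return ClearsignedMessage(hashes, body, armor_headers, sig_b64)


def unsigned_text(msg):
    """Human-readable strings in the message that the signature does NOT cover."""
    return [f"{k}: {v}" for k, v in msg.armor_headers]


# Constructed sample: headers modelled on the thread, placeholder signature data.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks very much indeed for the lovely dinner.
- -- a line that needed dash-escaping
-----BEGIN PGP SIGNATURE-----
Version: ExampleClient 0.1 (constructed)
Comment: NOTE: I will retire my current key soon!
Comment: Obtain my new key from http://example.invalid/new-key.asc

aGVsbG8gd29ybGQ=
=AbCd
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    m = parse_clearsigned(SAMPLE)
    print("Signed body:\n" + m.body)
    print("\nNOT covered by the signature:")
    for line in unsigned_text(m):
        print("  [unsigned] " + line)
```

A client that shows the signed body and the armor headers with the same
"good signature" badge invites exactly the confusion Sven describes; keeping
the two outputs of parse_clearsigned visually separate is the fix on the
display side.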