-------- Original Message -------- From: "Robert J. Hansen" <[EMAIL PROTECTED]> Cc: GnuPG users <gnupg-users@gnupg.org> Subject: Re: comment and version fields. Date: Sun, 1 Apr 2007 15:05:37 -0500
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > fields. I suppose its futile to try to change a standard but it > > seems that it might be very damaging indeed to have a signed > > message altered after signing. That seems to defeat the reason for > > signing as the common person would assume that a signed message is > > protected entirely against unauthorised changes. > > The signed message _is_ protected entirely against unauthorized > changes. Or, rather, as close to "entirely" as you can get with our > current level of cryptography. > > The signature block is just a private-key encryption of the digest of > the message, plus a few additional bits of information of use to > OpenPGP. That private-key encryption of the digest of the message is > the signature. Everything else is, to some degree, irrelevant, with > some things being more irrelevant than others. > > If you alter a comment field, you're not altering either the original > message nor the private-key encryption of the digest of the message. > So what's the complaint? How is this tampering with the signature > scheme? > > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (Darwin) > Comment: only an idiot would think this is a problem! > Comment: go post your problems on /dev/null!!! > > iQEcBAEBCAAGBQJGEBCSAAoJELcA9IL+r4EJzS4IANXJtvWSKnxWBA4oowoyaRtG > QrQGSv1LQJ9sreJ0c+GmxTF8K9Hi+gTRPeoIy5NUN4HJV5x+TbxmkTpO1QvcVsgN > DfZYYf3sZugMOIdzQzbp0F63Z0SAV2Lz4NtRMiD6HflvQHovdE0V8k6M6G23XvcY > QLstIn+XMRWBdIXX2zE7RZxNGY73TOSobNI0lDcjMyoBrSkMSdkJ4QdJv07ChI5t > 5X+/mwpdh4KU41DE/osuqwcV/vUCqJ7+EKhdKlvHNqlhWMvJnabL3ssvopgTU9yv > 1oqLR14toInTrUZGJ8mxkEmzdDKRm53qEfGKEmmsTNS0w5QBUgDRBOJY3ZgDis4= > =8OOA > -----END PGP SIGNATURE----- I think it's a bit worse on a clearsigned document such as your post for example. BTW There wasn't any need for name calling! ;) Rand p.s. of course I've altered his clearsigned post in this example. But it would still verify properly. This is my point. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
