> Does it say that the comment lines I read
> in the (clearsigned) message before running it through GPG are not part
> of the signed message, that any third party between the sender and me
> could have altered them?

I would think the line "----- BEGIN PGP SIGNATURE -----" would be a tipoff to the fact that the signed portion of the message has ended and data meant for an OpenPGP application's internal use is now beginning. Thus, yes, I do think it's flamingly obvious that anything in the signature block is not part of the signed message.

> wouldn't be a problem. Okay, it would be less of a problem, but clearly
> showing the signed portion is everything within the beginning and ending
> markers (and only that within the markers) is the obvious way people
> think.

Which is the entire reason why we have those "----- BEGIN" lines. So that people can see the markers delineating which portions of the message are protected.

As has been repeated here ad nauseam, this is not a GnuPG problem. This is not a PGP problem. This is not an RFC problem. This is, at best, an MUA problem and should be brought up with MUA authors who present signed data in a format that makes it easy to mistake things. Please, if you want to continue to beat this drum, please beat it in front of the right people.

> Fixing the RFC is probably not an option, but being more clear in user
> documentation is. Not just the official GnuPG manual, but the OpenPGP
> help file in enigmail, and other MUA wrappers.

Then take it up on the Enigmail list. This is the GnuPG-Users list.
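
The marker boundaries discussed in this message, shown as an added example that is not part of the original post and not GnuPG or Enigmail code: a small parser that separates the signed text of a cleartext-signed message from the header lines the signature does not cover. The function name and the sample message are assumptions made for illustration, and the parser does not verify the signature, which remains the OpenPGP application's job.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ARMOR_HEADER = re.compile(r"[A-Za-z0-9-]+: ")

def split_clearsigned(text):
    """Return (signed_text, unsigned_headers) for one cleartext-signed message."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
        blank = lines.index("", start, sig)  # empty line ends the "Hash:" headers
    except ValueError:
        raise ValueError("not a complete cleartext-signed message") from None
    # Signed portion: between that empty line and the signature marker, with
    # dash-escaping ("- " prefix) undone and trailing spaces/tabs dropped.
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig]]
    signed_text = "\n".join(l.rstrip(" \t") for l in body)
    # Not covered by the signature: "Hash:" headers and the armor headers
    # (Version:, Comment:, ...) at the top of the signature block.
    unsigned = lines[start + 1:blank]
    for line in lines[sig + 1:end]:
        if not ARMOR_HEADER.match(line):
            break
        unsigned.append(line)
    return signed_text, unsigned

# Constructed sample; the base64 lines are placeholders, not a real signature.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    "Pay Alice 10 euros.", "- -- dash-escaped line",
    BEGIN_SIG, "Version: GnuPG v1.4.7 (Darwin)",
    "Comment: constructed sample comment", "",
    "Q09OU1RSVUNURUQ=", "=AAAA", END_SIG,
])

if __name__ == "__main__":
    signed, unsigned = split_clearsigned(SAMPLE)
    print("SIGNED:\n" + signed)
    print("NOT SIGNED:")
    for header in unsigned:
        print("  " + header)
```

Changing the Comment: line of the sample leaves the returned signed text identical, which is why a mail client should display such header lines apart from the signed portion.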