Robert J. Hansen wrote: >> Does it say that the comment lines I read >> in the (clearsigned) message before running it through GPG are not >> part >> of the signed message, that any third party between the sender and me >> could have altered them? > > I would think the line "----- BEGIN PGP SIGNATURE -----" would be a > tipoff to the fact that the signed portion of the message has ended > and data meant for an OpenPGP application's internal use is now > beginning. Thus, yes, I do think it's flamingly obvious that > anything in the signature block is not part of the signed message. >
Now, this is true for you and me. Now, take my secretary as an example. She has not installed any pgp/gpg aware software, nor is she an experienced user of cryptographic tools. Do you expect her to correctly interpret these hints? I don't. Now, usually I don't sign messages to people who can't do anything with those signatures to prevent confusion. > > Which is the entire reason why we have those "----- BEGIN" lines. So > that people can see the markers delineating which portions of the > message are protected. > > As has been repeated here ad nauseam, this is not a GnuPG problem. > This is not a PGP problem. This is not an RFC problem. This is, at > best, an MUA problem and should be brought up with MUA authors who > present signed data in a format that makes it easy to mistake things. > So now it's blame somebody else? I guess that comments might not be the best idea for the rfc/protocol. Do they serve any purpose in the protocol? No? So maybe they are a problem in the protocol after al. IMNSHO, the comments taint the very purpose of the digital signature. Now as to this being the right mailinglist, this list is for discussions amongst users of gnupg for discussions about the problems they see in the use of gnupg. Yes in an ideal world all MUAs allways hide all gnupg internals for all users all of the time. I guess you are now volunteering to start convincing the people in Redmont? In the mean time, maybe it's easier to think about what the protocol is intended to do and conclude that maybe a comment field is not very useful, and could be counterproductive. (ps, if I want something to be part of a message, I can put it in the signed part of the message just as well... eg. my sig.) -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
