Hi!

[EMAIL PROTECTED] wrote:
> The "comment" and "version" armor fields are both essentially
> comments, and are ignored by the OpenPGP protocol. You can change
> either of them to whatever you like.
>
> ---
>
> ... That seems to defeat the reason for signing
> as the common person would assume that a signed message
> is protected entirely against unauthorised changes.
I agree with randux here. The Comment is within the "---PGP SIGNATURE---" part and I, too, was not aware that it is not protected by anything. (Do the docs mention this, btw?)

It might be a possible way for a social engineering attack, if comments like the following were inserted:

"Comment: NOTE: I will retire my current key soon!"
"Comment: Obtain my new key from http://evil.impersonator.net/sven.asc"
"Comment: Fingerprint of new key: [...]"

It may not be a big risk, but I doubt that the general user-base is aware of the fact that comments are not signed parts of the message. I would suggest at least updating the documentation :-)

cu,
Sven

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
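The point made in this thread, that armor headers such as "Comment:" and "Version:" are outside everything a verifier checks, can be shown mechanically. The following Python script is an added example and is not code from the thread or from GnuPG. It implements the armor CRC-24 from RFC 4880 section 6.1, builds a well-formed armored block around a constructed payload (a stand-in for the binary signature packet, not a real signature), rewrites the Comment header, and then shows that the base64 payload, which is the only thing a signature verifier decodes and checks, is bit-for-bit unchanged and the CRC still validates. The last function shows how a client could render such headers with an explicit "unauthenticated" label, which addresses the social-engineering concern above without changing the protocol.

```python
import base64
import re

# Added example, not code from the thread or from GnuPG. Shows that the
# "Comment:" and "Version:" armor headers sit outside both the armor CRC-24
# and the base64 payload that carries the signature packet, so editing them
# leaves every integrity check untouched.

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the armored payload, as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def build_armor(payload: bytes, headers: dict) -> str:
    """Assemble a well-formed ASCII-armored block around an arbitrary payload."""
    lines = ["-----BEGIN PGP SIGNATURE-----"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines.append("")                                   # blank line ends the headers
    b64 = base64.b64encode(payload).decode()
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines.append("=" + crc_b64)                        # CRC covers the payload only
    lines.append("-----END PGP SIGNATURE-----")
    return "\n".join(lines) + "\n"


def parse_armor(text: str):
    """Return (headers, payload, crc_ok) for an armored block.

    headers maps key -> list of values; crc_ok is True/False, or None when
    the block carries no CRC line.
    """
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    headers = {}
    i = 0
    while i < len(body) and body[i].strip():           # headers run until the blank line
        key, _, value = body[i].partition(": ")
        headers.setdefault(key, []).append(value)
        i += 1
    data_lines = [ln for ln in body[i + 1:] if ln.strip()]
    stored = None
    if data_lines and data_lines[-1].startswith("="):
        stored = int.from_bytes(base64.b64decode(data_lines.pop()[1:]), "big")
    payload = base64.b64decode("".join(data_lines))
    crc_ok = None if stored is None else stored == crc24(payload)
    return headers, payload, crc_ok


def replace_header(text: str, key: str, new_value: str) -> str:
    """Rewrite one armor header line; nothing else in the block is touched."""
    return re.sub(rf"^{re.escape(key)}: .*$", f"{key}: {new_value}", text, count=1, flags=re.M)


# Constructed payload standing in for the binary signature packet. It is not a
# real OpenPGP signature; what matters is that these are the bytes a verifier
# would actually decode and check.
PAYLOAD = b"constructed-signature-packet-bytes"
ORIGINAL = build_armor(PAYLOAD, {"Version": "Example 1.0", "Comment": "Constructed original comment"})
ALTERED = replace_header(ORIGINAL, "Comment", "Changed after signing (constructed)")


def compare(original: str, altered: str) -> dict:
    """Report which parts of the armor survive a header edit unchanged."""
    h1, p1, c1 = parse_armor(original)
    h2, p2, c2 = parse_armor(altered)
    return {
        "comment_changed": h1["Comment"] != h2["Comment"],
        "payload_identical": p1 == p2,   # identical bytes -> identical verification result
        "crc_ok_before": c1,
        "crc_ok_after": c2,
    }


def display_headers(text: str) -> list:
    """Render armor headers the way a cautious client could: labelled as unauthenticated."""
    headers, _, _ = parse_armor(text)
    return [f"[unauthenticated armor header] {k}: {v}" for k, vs in headers.items() for v in vs]


if __name__ == "__main__":
    print(compare(ORIGINAL, ALTERED))
    print("\n".join(display_headers(ALTERED)))
```

Running it prints a dictionary with `comment_changed` True and `payload_identical`, `crc_ok_before` and `crc_ok_after` all True: the header edit is invisible to the CRC and to whatever verifies the payload. The only defence at the presentation layer is the one `display_headers` sketches, making clear to the reader that header text carries no more authority than the envelope a letter arrived in.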