I have a quality-of-implementation question (more in general than specifically about GnuPG). I am writing an implementation of OpenPGP that verifies signatures, among other things.
Signatures contain the left two bytes of the hash as a quick check. I've noticed that a small number of signatures are in fact valid even though this quick check does not match the hash.

Is it considered acceptable to fix up this value if it is wrong? If not, is it acceptable to treat two signatures as the same signature if they are identical but for the left two? Does GnuPG (or any other implementation) actually give any credence to the left two whatsoever?

If there's an OpenPGP implementers' list or another, more appropriate forum, please feel free to point me in that direction. I couldn't find one, so I posted here.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
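The quick check discussed in the message above, as an added example that is not part of the original post and is not GnuPG's code: it parses a v4 signature packet body (layout per RFC 4880), recomputes the digest for a binary document signature, and shows that the left-two-bytes field sits outside the hashed data, so altering it changes neither the digest nor anything else in the packet. The function names are hypothetical, the sample packet is constructed with a placeholder MPI, and no public-key verification is performed.

```python
import hashlib
import struct

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to hashlib names.
HASHES = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

def parse_v4_signature(body):
    """Locate the hashed portion and the left-16 field in a v4 packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hashed_end = 6 + struct.unpack(">H", body[4:6])[0]
    if hashed_end + 2 > len(body):
        raise ValueError("truncated hashed subpacket area")
    unhashed_len = struct.unpack(">H", body[hashed_end:hashed_end + 2])[0]
    at = hashed_end + 2 + unhashed_len
    if at + 2 > len(body):
        raise ValueError("truncated before the left-16 field")
    return {"hash_algo": body[3],
            "hashed": body[:hashed_end],   # version through hashed subpackets
            "left16": body[at:at + 2],
            "left16_at": at}

def document_digest(sig, document):
    """Digest the public-key step verifies for a binary document signature."""
    h = hashlib.new(HASHES[sig["hash_algo"]])
    h.update(document + sig["hashed"])
    h.update(b"\x04\xff" + struct.pack(">I", len(sig["hashed"])))  # v4 trailer
    return h.digest()

def quick_check_ok(sig, digest):
    return sig["left16"] == digest[:2]

def same_signature_ignoring_left16(a, b):
    """Compare two packet bodies with the two left-16 bytes cut out."""
    pa, pb = parse_v4_signature(a), parse_v4_signature(b)
    cut = lambda body, p: body[:p["left16_at"]] + body[p["left16_at"] + 2:]
    return cut(a, pa) == cut(b, pb)

def build_sample(document, left16=None):
    """Constructed body: type 0x00, RSA (1), SHA-256 (8), placeholder MPI."""
    hashed_sub = bytes([5, 2]) + struct.pack(">I", 1700000000)  # creation time
    head = bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed_sub)) + hashed_sub
    digest = document_digest({"hash_algo": 8, "hashed": head}, document)
    mpi = struct.pack(">H", 8) + b"\xaa"   # placeholder, not a real signature
    return head + struct.pack(">H", 0) + (left16 or digest[:2]) + mpi
```
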