Date: Tue, 27 Mar 2007 23:25:58 -0400

On Wed, Mar 28, 2007 at 03:03:39AM +0300, [EMAIL PROTECTED] wrote:
> Greetings all,
>
> I came upon something a bit odd in gnupg 1.4.7. I found I can change
> the comment field in a signed message to be whatever I like. I
> should think this is a bad thing as an attacker could insert text in
> a message presumably protected against all modifications if the
> signature verifies properly.

The "comment" and "version" armor fields are both essentially
comments, and are ignored by the OpenPGP protocol. You can change
either of them to whatever you like.

David

Thanks for your reply, David. I apologise for not responding sooner but I've
been awaiting the list digest which came a week later! I understand your point
as to the protocol ignoring changes to these fields. I suppose it's futile to
try to change a standard but it seems that it might be very damaging indeed to
have a signed message altered after signing. That seems to defeat the reason
for signing as the common person would assume that a signed message is
protected entirely against unauthorised changes.

Cheers,
Rand

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
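
Added example, not part of the original thread and not GnuPG's own code: a minimal ASCII-armor parser (framing and CRC-24 per RFC 4880) that separates the armor headers from the packet bytes, showing that a "Comment" line inserted later changes only the headers and that tooling should therefore treat armor headers as untrusted text. The packet bytes and header values are constructed sample data, and the helper names are hypothetical.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 armor checksum as defined in RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes, headers: dict) -> str:
    """Wrap payload bytes in a PGP SIGNATURE armor block (builds the sample input)."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines = ["-----BEGIN PGP SIGNATURE-----"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines += [""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines += ["=" + crc, "-----END PGP SIGNATURE-----"]
    return "\n".join(lines)

def dearmor(text: str):
    """Return (armor_headers, payload); raise ValueError on bad framing or CRC."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if len(lines) < 4 or not lines[0].startswith("-----BEGIN PGP ") \
            or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an armored block")
    blank = lines.index("")  # a blank line ends the armor headers
    headers = dict(ln.split(": ", 1) for ln in lines[1:blank])
    body = lines[blank + 1:-1]
    if len(body) < 2 or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    payload = base64.b64decode("".join(body[:-1]))
    if crc24(payload) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: payload bytes were altered")
    return headers, payload

# Constructed sample: stand-in bytes, not a real signature packet.
PACKET = bytes(range(48))
ORIGINAL = armor(PACKET, {"Version": "GnuPG v1.4.7 (GNU/Linux)"})
# Add a Comment header after the fact, as described in the thread.
EDITED = ORIGINAL.replace("\n\n", "\nComment: text added later\n\n", 1)

if __name__ == "__main__":
    (h1, p1), (h2, p2) = dearmor(ORIGINAL), dearmor(EDITED)
    print("headers differ:", h1 != h2, "| payload identical:", p1 == p2)
```

The CRC-24 only catches transmission damage to the base64 body; it is not the signature and gives no protection against deliberate changes.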
