Re: PGP Signed Messages

From: Dennis V. Kudin (kudinat_private)
Date: Wed Oct 17 2001 - 02:53:39 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hello,
    
    Monday, October 15, 2001, 5:27:33 PM, you wrote:
    > It occurred to me today what a bad idea the Comment Field is in PGP
    > signed messages. Altering the Comment field does not affect the
    > validity of the signature, but to the non-experienced PGP/GPG user
    > it certainly appears to be part of the message.
    
    The risk depends on the way the signature is verified. I can give a
    simple example where such a "comment field" can really spoof the
    inexperienced user:
    
    Mail client: TheBat! with PGP 6.0.x/6.5.x plug-in installed. When you
    check the PGP signature of some message, it DOESN'T show the text of
    the verified message. It only says whether the signature is good or bad,
    shows the name of the mailer, signer, validity status and date/time. So,
    in any case you read the whole text of the signed message including all
    fields.
    
    
    ____________________________________________
    Sincerely,
    Dennis V. Kudin
    Ukrainian Information Security Center
    Coordinator of Internet-portal BEZPEKA
    e-mail:    kudinat_private
    web-sites: http://www.bezpeka.com
               http://www.bezpeka.net
               http://www.bezpeka.org
    phone:     +380-612-12-92-83
    fax:       +380-612-12-92-82
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5i
    
    iQA/AwUBO805DTRm6ItERtt2EQJFEACfa0N+e2SsKiGH/PTc1FSzUQ/QoUQAnRBJ
    jQck+9JcZBrA4FofFVwPk1C/
    =fYAo
    -----END PGP SIGNATURE-----
    
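The point of the thread is that the armor headers (Hash:, Version:, Comment:) of a cleartext-signed message are not covered by the signature, while the text between the header block and the signature is. The parser below, added here as an example (not code from the message, TheBat! or PGP), splits an RFC 4880 cleartext-signed message into the covered text and the uncovered headers so a verifier can display exactly what was verified; the sample message and its signature data are constructed.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def _read_armor_headers(lines, i):
    """Consume 'Key: value' lines up to the first blank line.
    Returns (headers, index of the first line after the blank separator)."""
    headers = []
    while i < len(lines) and lines[i].strip() != "":
        key, _, value = lines[i].partition(":")
        headers.append((key.strip(), value.strip()))
        i += 1
    return headers, i + 1


def split_cleartext(message):
    """Separate the parts of a cleartext-signed message.
    Only 'signed_text' is protected by the signature; every header in
    'uncovered_headers' can be altered without invalidating it."""
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a cleartext-signed message") from None
    text_headers, i = _read_armor_headers(lines, start + 1)
    # Undo dash-escaping: signers prefix text lines starting with '-' with "- ".
    signed = [ln[2:] if ln.startswith("- ") else ln for ln in lines[i:sig_start]]
    sig_headers, j = _read_armor_headers(lines, sig_start + 1)
    sig_lines = lines[j:sig_end]
    return {
        "uncovered_headers": text_headers + sig_headers,
        "signed_text": "\n".join(signed),
        "signature_b64": "".join(ln for ln in sig_lines if not ln.startswith("=")),
        "crc24": next((ln[1:] for ln in sig_lines if ln.startswith("=")), None),
    }


def comments_outside_signature(message):
    """Comment headers a client must never present as verified content."""
    parts = split_cleartext(message)
    return [v for k, v in parts["uncovered_headers"] if k.lower() == "comment"]


# Constructed sample: the signature data is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nHello,\n"
    "- -- this line was dash-escaped by the signer\nMeeting is at 10:00.\n"
    "-----BEGIN PGP SIGNATURE-----\nVersion: PGP 6.5i\n"
    "Comment: This header is NOT covered by the signature\n\n"
    "iQA/CONSTRUCTED_PLACEHOLDER_SIGNATURE_DATA\n=AbCd\n-----END PGP SIGNATURE-----\n"
)
```

A client following the advice in the thread would show only `signed_text` next to the good/bad verdict and render `uncovered_headers` separately, or not at all.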

    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 11:21:46 PDT