Re: PGP Signed Messages

["Dennis V. Kudin" <kudin () bezpeka com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Monday, October 15, 2001, 5:27:33 PM, you wrote:
> It occurred to me today what a bad idea the Comment Field is in PGP
> signed messages. Altering the Comment filed does not affect the
> validity of the signature, but to the non experienced PGP/GPG user
> it certainly appears to be part of the message.

The risk depends on the way of signature verification. I can give a
simple example when such "comment field" can really spoof the
unexperienced user:

Mail client: TheBat! with PGP 6.0.x/6.5.x plug-in installed. When you
check PGP signature of some message, it DOESN'T show up the text of
verified message. It only says whether the signature is good or bad,
shows the name of mailer, signer, validity status and date/time. So,
in any case you read the whole text of signed message including all
fields.


____________________________________________
Sincerely,
Dennis V. Kudin
Ukrainian Information Security Center
Coordinator of Internet-portal BEZPEKA
e-mail:    kudin () bezpeka com
web-sites: http://www.bezpeka.com
           http://www.bezpeka.net
           http://www.bezpeka.org
phone:     +380-612-12-92-83
fax:       +380-612-12-92-82

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBO805DTRm6ItERtt2EQJFEACfa0N+e2SsKiGH/PTc1FSzUQ/QoUQAnRBJ
jQck+9JcZBrA4FofFVwPk1C/
=fYAo
-----END PGP SIGNATURE-----