From: Bryce <wilcoxb@nag.cs.colorado.edu>
Date: Thu, 18 Jan 1996 14:00:30 +0800
To: llurch@networking.stanford.edu
Subject: Re: A weakness in PGP signatures, and a suggested solution (long)
Message-ID: <199601172309.QAA12674@nag.cs.colorado.edu>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

 An entity calling itself Rich Graves 
 <llurch@Networking.Stanford.EDU> allegedly wrote:
>
> An easy short-term partial solution would be to modify mailcrypt, bap, or
> whatever front end you use to automatically put the current date and (a
> shortened form of) the To: or Newsgroups: header into the PGP signature
> Comments: line. 
 

 I wrote:
> 
> A good idea, and one I was about to implement for BAP, but 
> doesn't PGP itself stick a timestamp into the signature?  
> When I verify a signature it says "verified, signed at 
> XXX time & date.".


Whoops!  I misunderstood.  The fix I am considering is putting
some information inside the *body* of the message, probably at
the end just before the signature.


Regards,

Bryce



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMP2Bj/WZSllhfG25AQHxWwP/bHmOcuAPAHdCShaeZhpLYQPJEJWyApuV
EQhA/k1TSxmowH0cPff1rBZw4+2HFzfKiWHgBO12lf6gO+ihVGq/7GAJuwEVmMb6
aNKhSRESmb2YgV8/luj401KnknSP1x3xC56wzE1mhIiN8LOtav2J+rxM398DTzEc
8mzb7dETBRU=
=ZDiw
-----END PGP SIGNATURE-----