1995-12-30 - Re: A weakness in PGP signatures, and a suggested solution (long)

Header Data

From: hajo@quijote.in-berlin.de (Hans-Joachim Zierke)
To: N/A
Message Hash: 67c67404673a8ababac330f40db409d82be358fda15df4482a0a67993277ac2a
Message ID: <5-oG4BKKYgB@quijote.in-berlin.de>
Reply To: <oTTsgD7w165w@bwalk.dm.com>
UTC Datetime: 1995-12-30 00:35:44 UTC
Raw Date: Sat, 30 Dec 1995 08:35:44 +0800

Raw message

From: hajo@quijote.in-berlin.de (Hans-Joachim Zierke)
Date: Sat, 30 Dec 1995 08:35:44 +0800
Subject: Re: A weakness in PGP signatures, and a suggested solution (long)
In-Reply-To: <oTTsgD7w165w@bwalk.dm.com>
Message-ID: <5-oG4BKKYgB@quijote.in-berlin.de>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

Dr. Dimitri Vulis writes:

> I suggest to the kind folks working on PGP 3 that there should be a
> standard protocol to include within the signed portion the information on
> when and for whom this text is written: i.e. the list of e-mail recipients
> and/or Usenet newsgroups, which could be easily compared with the RFC
> 822/1036 headers of an e-mail/Usenet article.


This assumes that every Usenet site uses RFC 822/1036 headers locally. This
is not a real-world assumption.

And the clearsign problem can be solved with MIME only, since currently,
the MIME 8-bit character set conversion will kill the validity of
signatures, regardless of whether they are forged or not.

Since I know this, I seldom use clearsigning. Quite simply, it does not
work, and that's a more severe problem. If an error on signature validation
is the norm, not the exception, the whole thing does not make any
sense.



hajo


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Sig validation of clearsigned 8 bit text is uncertain.

-----END PGP SIGNATURE-----
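The failure mode hajo describes, modelled as an added example (not part of the original message): a clearsign-style canonicalization absorbs line-ending and trailing-whitespace changes, but any transport that re-encodes 8-bit characters (charset transcoding, quoted-printable) changes the bytes under the signature and verification fails. The SHA-1 digest stands in for the signature, and the Latin-1 sample message is constructed.

```python
import hashlib
import quopri

# Canonicalise text the way clearsign does: trailing whitespace stripped
# from each line, CRLF line endings. This is what the signature covers.
def canonicalize(data: bytes) -> bytes:
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)

# Stand-in for signing: the digest over the canonical bytes. A real PGP
# signature is this digest under the private key, so any change to the
# digest invalidates it just the same.
def sign(data: bytes) -> str:
    return hashlib.sha1(canonicalize(data)).hexdigest()

def verify(data: bytes, sig: str) -> bool:
    return sign(data) == sig

# Constructed sample: an 8-bit Latin-1 message with umlauts and a line that
# ends in a trailing space.
ORIGINAL = "Grüße aus Berlin \nhajo".encode("latin-1")
SIG = sign(ORIGINAL)

# Transformations a mail or news gateway may apply in transit.
def to_crlf(data: bytes) -> bytes:
    return data.replace(b"\n", b"\r\n")

def strip_trailing_ws(data: bytes) -> bytes:
    return b"\n".join(line.rstrip() for line in data.split(b"\n"))

def transcode_to_utf8(data: bytes) -> bytes:
    # Charset conversion: 0xFC/0xDF become two-byte UTF-8 sequences.
    return data.decode("latin-1").encode("utf-8")

def quoted_printable(data: bytes) -> bytes:
    # MIME QP encoding rewrites every 8-bit byte as =XX.
    return quopri.encodestring(data)

def survives_transport(transform) -> bool:
    """True if the original signature still verifies after the transform."""
    return verify(transform(ORIGINAL), SIG)

if __name__ == "__main__":
    for t in (to_crlf, strip_trailing_ws, transcode_to_utf8, quoted_printable):
        print(f"{t.__name__:20s} signature valid: {survives_transport(t)}")
```

Only the two whitespace transforms keep the signature valid; both 8-bit re-encodings break it, which is why a recipient cannot tell a gateway's charset conversion from tampering.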