From: “Brian C. Lane” <blane@eskimo.com>
To: cypherpunks@toad.com
Message Hash: a1f3b4f34e715e5bc22f9294a0852eb154c9c7d4188b9075a0577c9f5380bfef
Message ID: <199601171613.IAA11904@mail.eskimo.com>
Reply To: N/A
UTC Datetime: 1996-01-17 16:39:17 UTC
Raw Date: Thu, 18 Jan 1996 00:39:17 +0800
From: "Brian C. Lane" <blane@eskimo.com>
Date: Thu, 18 Jan 1996 00:39:17 +0800
To: cypherpunks@toad.com
Subject: Re: A weakness in PGP signatures, and a suggested solution
Message-ID: <199601171613.IAA11904@mail.eskimo.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
> > In article <Pine.ULT.3.91.960110182255.18692H-100000@xdm011>, Jeffrey Goldberg <cc047@Cranfield.ac.uk> says:
>
> But then the recipient has a PGP-signed message from you which
> isn't encrypted (using pgp -d). That person could then impersonate
> you. Eg Alice the jilted lover could resend the goodbye message
> with forged headers to Bob's new girlfriend to get back at him.

Ah ha! Now I understand what this argument has been all about. This
is not a flaw with PGP, but with the software doing the signing. It
should/could add a line with a time and date stamp inside the
signature envelope, or Bob could add more information, making the
message more specific.

I don't think PGP needs to be 'fixed', but the signing software
does.

Brian

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQB1AwUBMP0gGHIWObr6ZnuNAQFqpQMAhEDxcClXzwqS5QLSYgbGC0SdPwOSppgG
cbEcHEamA+C/fzlCRl1FoCkvA/SPHoZB29FNJSH8hnP6s5OZQfFf3LZXPL+/UFiL
64i7dlt6Ajtg58eDiMj/+qPsHd8hbAuV
=jj8n
-----END PGP SIGNATURE-----
--- <blane@eskimo.com> -------------------- <http://www.eskimo.com/~blane> ---
Embedded System Programmer, EET Student, Interactive Fiction author (RSN!)
============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============
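
The mitigation suggested in the message above, as an added example that is not part of the original post: the signing software puts the recipient and a timestamp inside the signed text, and the verifier compares them with the transport headers. A toy RSA key stands in for the PGP signature so the code runs on the standard library alone; the names `wrap` and `verify_bound`, the seven-day window and the addresses are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Toy RSA key from two Mersenne primes: a stand-in for the signer's PGP key so
# this runs on the standard library alone. Illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D is the private exponent

def _digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(text):  # signer only: uses D
    return pow(_digest(text), D, N)

def sig_ok(text, sig):  # anyone: uses the public values (N, E)
    return pow(sig, E, N) == _digest(text)

def wrap(body, to, when):
    """Put recipient and timestamp inside the text that gets signed."""
    return f"To: {to}\nDate: {when.isoformat()}\n\n{body}"

def verify_bound(text, sig, header_to, now, max_age=timedelta(days=7)):
    """Require a valid signature AND signed context that matches the headers."""
    if not sig_ok(text, sig):
        return "bad signature"
    head = text.partition("\n\n")[0]
    fields = dict(l.split(": ", 1) for l in head.splitlines() if ": " in l)
    if "To" not in fields or "Date" not in fields:
        return "no signed context"
    if fields["To"].lower() != header_to.lower():
        return "recipient mismatch"
    if abs(now - datetime.fromisoformat(fields["Date"])) > max_age:
        return "stale timestamp"
    return "ok"

def demo():
    t0 = datetime(1996, 1, 17, 16, 39, tzinfo=timezone.utc)  # constructed sample
    body, alice, carol = "It's over. Goodbye.", "alice@example.org", "carol@example.org"
    text = wrap(body, alice, t0)
    sig = sign(text)
    return {
        # A bare signed body carries no context, so it verifies under any headers.
        "bare body": sig_ok(body, sign(body)),
        "original": verify_bound(text, sig, alice, t0 + timedelta(hours=1)),
        "forwarded": verify_bound(text, sig, carol, t0 + timedelta(hours=2)),
        "late": verify_bound(text, sig, alice, t0 + timedelta(days=30)),
        "edited": verify_bound(text.replace(alice, carol), sig, carol, t0),
    }
```

The check only helps if the recipient's software actually compares the signed `To:` and `Date:` lines with the headers it received; a signature that merely verifies says nothing about who the message was meant for.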