Re: A weakness in PGP signatures, and a suggested solution
-----BEGIN PGP SIGNED MESSAGE-----
> > In article <Pine.ULT.3.91.960110182255.18692H-100000@xdm011>, Jeffrey Goldberg <[email protected]> says:
>
> But then the recipient has a PGP-signed message from you which
> isn't encrypted (using pgp -d). That person could then impersonate
> you. Eg Alice the jilted lover could resend the goodbye message
> with forged headers to Bob's new girlfriend to get back at him.

Ah ha! Now I understand what this argument has been all about. This
is not a flaw with PGP, but with the software doing the signing. It
should/could add a line with a time and date stamp inside the
signature envelope, or Bob could add more information, making the
message more specific.

I don't think PGP needs to be 'fixed', but the signing software
does.

Brian
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQB1AwUBMP0gGHIWObr6ZnuNAQFqpQMAhEDxcClXzwqS5QLSYgbGC0SdPwOSppgG
cbEcHEamA+C/fzlCRl1FoCkvA/SPHoZB29FNJSH8hnP6s5OZQfFf3LZXPL+/UFiL
64i7dlt6Ajtg58eDiMj/+qPsHd8hbAuV
=jj8n
-----END PGP SIGNATURE-----
--- <[email protected]> -------------------- <http://www.eskimo.com/~blane> ---
Embedded System Programmer, EET Student, Interactive Fiction author (RSN!)
============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============
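
The suggestion in the reply above, sketched as an added example (not part of the original message, and not PGP's own code or signature format): a textbook-RSA stand-in signs either the bare text or an envelope that also carries the recipient and a timestamp, and the verifier rejects a validly signed message that is re-sent to someone else. The toy key, the addresses, the envelope field names and the 24-hour freshness window are all constructed assumptions.

```python
import hashlib
import json

# Toy textbook-RSA key built from two Mersenne primes. Illustration only:
# no padding, tiny modulus, NOT secure and NOT PGP's signature format.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)
MAX_AGE = 24 * 3600  # assumed freshness window, in seconds

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_body(body: str) -> int:
    """Weak form: the signature covers the message text only."""
    return pow(_digest(body.encode()), D, N)

def verify_body(body: str, sig: int) -> bool:
    # Succeeds no matter who the message is delivered to, or when.
    return pow(sig, E, N) == _digest(body.encode())

def sign_bound(sender: str, recipient: str, body: str, now: int):
    """Bound form: recipient and timestamp sit inside the signed data."""
    envelope = json.dumps(
        {"from": sender, "to": recipient, "date": now, "body": body},
        sort_keys=True,
    )
    return envelope, pow(_digest(envelope.encode()), D, N)

def verify_bound(envelope: str, sig: int, delivered_to: str, now: int) -> str:
    # Check the signature first, then the context it vouches for.
    if pow(sig, E, N) != _digest(envelope.encode()):
        return "bad signature"
    fields = json.loads(envelope)
    if fields["to"] != delivered_to:
        return "signed for a different recipient"
    if not 0 <= now - fields["date"] <= MAX_AGE:
        return "outside freshness window"
    return "ok"

if __name__ == "__main__":
    # Constructed sample: Bob signs for Alice; the copy later reaches Carol.
    env, sig = sign_bound("bob@example.org", "alice@example.org", "Goodbye.", 1_000)
    print(verify_bound(env, sig, "alice@example.org", 2_000))
    print(verify_bound(env, sig, "carol@example.org", 2_000))
```

The binding only helps if the verifying software compares the signed recipient with the address the message was actually delivered to; a signature check alone still reports the forwarded copy as valid.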