Alan Barret <barrett@daisy.ee.und.ac.za> wrote to Cypherpunks:
Yes, this was a deliberate design decision, most probably so the same code could be used to parse --- BEGIN PGP ENCRYPTED MESSAGE --- and --- BEGIN PGP SIGNATURE ---. However, this is a _huge_ security hole, as it allows the nearly-undetectable modification of PGP-signed messages.
It's nowhere near undetectable. When you ask pgp to check the signature, pgp writes the signed message to a file (or to stdout), and that output does not include the {header/junk/extra stuff} between the BEGIN line and the blank line.
The problem is, if you are using an interface to PGP, most of the time they use PGP in batchmode to check the signature, and they don't let you see the output. This means people go "Check the signature", PGP says "Good signature found", and they think that it has never been modified. This is a security hole. Not everyone uses PGP to do everything from the command line. Plus, using lines with only a tab in them, it's possible to add seperated paragraphs and "normal-looking" text.
I don't like this bug/feature, but I don't see it as a serious security problem for users who are aware of it. I do think it could be a problem for users who are not aware of it, and who incorrectly assume that the "good signature" message means that the {header/junk/extra stuff} was part of the signed material.
--apb (Alan Barrett)
Here's an example: -----BEGIN PGP SIGNED MESSAGE----- Note that this paragraph was added *AFTER* this message was digitally signed. Note also that the line above this paragraph contains *1* tab. Using this, it's possible to add as much stuff to the beginning of a clearsigned message as you want, with it looking completely natural, and checking fine. This *IS* a security hole. This para was also added later. Test message My public key follows, after this signed message: -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLowcCDidu+MSuAG5AQFpgQP7B1K5uKAQBEdmAxuNGJAvl97GWYlU9miv HbBQbkPo5C6BsbaJvbzxplZE2YN98bWO2IhMOJdNfywaCuWnQFJGcRcZiGvDqyqc 0vQj0qhy37KPBp1CjrEf76neCjyOL4bWtz+BrF9tru8O7olGv61fGASpkpjL46Zg bFtb8UP0kV4= =D3M0 -----END PGP SIGNATURE----- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.1 mQCVAy5s+KsAAAEEAMp5v1Q/6kqmN3ZFejiBrK1rAgCH0jM/QUHXSbf2wkCCeE4g Slzp93pIhez6EJasdJFdp/QafO3nTKFjZ9ZZTClnPeMFjlATuJoA/gLsPuoRgRxv 2n9UWkw1eNg8cprfdK/C4oO53Sd4DxrctBHW1enVFMB4TeuLqzidu+MSuAG5AEYg AAAAAAAAAAO0J0pvbmF0aGFuIFcuIEFkYW1zIDxqb25hZGFtc0BuZXRjb20uY29t PokAdQMFEC5s+Qw2D9BFC0YeTQEBETAC/1+fw55S1hMBCv5vMOlGlbVSYcaf9QFz 6RnJG4hDXzVPii/PxZf9w5sXraZr39a/OW09sMPdszLlyPfR8zsihd4j4qCnLAjI v16XKU1ft85DEHjpwQFhWnYNCFSeGX5VU4kAlQMFEC5s+O84nbvjErgBuQEBXRYD /Ave3Uoc3GRfv/995Yz0RQDUmi4JRzo749dVtXBatODo1vr2209+fHVGu+IZtRx2 WCUKY9YSQr95XJuqxFsfBpdQ6pAyxov5kfecrE2uDrBqlQBCs4IAnMnZeE5FD1Cd d28qEO2sKAimqJjtcJNvYOr7aL2AFKjXqP1B+wD3Lnn+ =Cqf1 -----END PGP PUBLIC KEY BLOCK-----