-----BEGIN PGP SIGNED MESSAGE----- There has been some discussion on using replay attacks against PGP recently. However, a timestamp is stored in the signature packet and is signed along with the plaintext intended to be signed. This eliminates the need to include a timestamp in clear-signed data. Someone can still send a signed e-mail to a third party that was not the original recipient and make it appear as though the sender did actually send the message to the third party (e.g. Alice sends signed message to Bob Bob sends message with faked headers signed by Alice to Carol Carol believes Alice actually sent the message to her) Such an attack would have to executed shortly after the message was originally clear-signed. However, including timestamps in text to be signed is not necessary. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMPhourZc+sv5siulAQHTTAP/XBlrV7nHd5pR9aTXr2Uk0M0fw4I6IjZZ xeCx++vuIjcQuo/k8xH9YvBbn+MuoE11xbVLD58xYbELuVSdMUzCQ1mpQMho8mzs O0ALr8dahq0N0Gl5kLwb97MzgJOgTwy6NSIK6883NCktAWJMsFoADpdzmDGWQbTc ZzXJ3w5OiAQ= =fWJb -----END PGP SIGNATURE----- -- finger -l markm@voicenet.com for PGP key http://www.voicenet.com/~markm/ Fingerprint: bd24d08e3cbb53472054fa56002258d5 Key-ID: 0xf9b22ba5 "The NSA can have my private key when they pry it from my cold, dead neurons." Unknown