A weakness in PGP signatures, and a suggested solution

Brian C. Lane blane at eskimo.com
Wed Jan 17 08:39:17 PST 1996


-----BEGIN PGP SIGNED MESSAGE-----

> > In article <Pine.ULT.3.91.960110182255.18692H-100000 at xdm011>, Jeffrey Goldberg <cc047 at Cranfield.ac.uk> says:
> 
> But then the recipient has a PGP-signed message from you which
> isn't encrypted (using pgp -d). That person could then impersonate
> you. Eg Alice the jilted lover could resend the goodbye message
> with forged headers to Bob's new girlfriend to get back at him.

  Ah ha! Now I understand what this argument has been all about. This 
is not a flaw with PGP, but with the software doing the signing. It 
should/could add a line with a time and date stamp inside the 
signature envelope, or Bob could add more information, making the 
message more specific.

  I don't think PGP needs to be 'fixed', but the signing software 
does.

   Brian
 

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMP0gGHIWObr6ZnuNAQFqpQMAhEDxcClXzwqS5QLSYgbGC0SdPwOSppgG
cbEcHEamA+C/fzlCRl1FoCkvA/SPHoZB29FNJSH8hnP6s5OZQfFf3LZXPL+/UFiL
64i7dlt6Ajtg58eDiMj/+qPsHd8hbAuV
=jj8n
-----END PGP SIGNATURE-----
--- <blane at eskimo.com> -------------------- <http://www.eskimo.com/~blane> ---
  Embedded System Programmer, EET Student, Interactive Fiction author (RSN!)
==============  11 99 3D DB 63 4D 0B 22  15 DC 5A 12 71 DE EE 36  ============
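
The suggestion in the message above (a time and date stamp, plus more specific information such as the intended recipient, inside the signature envelope) is sketched below as an added example; it is not part of the original post and not PGP's own code. The in-body field names Signed-To and Signed-Date, the addresses and the 7-day window are assumptions, and the PGP signing and verification steps themselves are assumed to be done by pgp outside this code.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, parseaddr, parsedate_to_datetime

# Hypothetical in-body field names; PGP 2.6.2 defines no such fields.
TO_FIELD, DATE_FIELD = "Signed-To", "Signed-Date"


def wrap_for_signing(body, recipient, now):
    """Text the signing software hands to PGP: context lines, blank line, body."""
    return f"{TO_FIELD}: {recipient}\n{DATE_FIELD}: {format_datetime(now)}\n\n{body}"


def check_context(outer_to, signed_text, now, max_age=timedelta(days=7)):
    """Run only after the PGP signature over signed_text has verified.

    outer_to is the unsigned To: header of the mail as delivered.
    Returns (ok, reason).
    """
    inner = message_from_string(signed_text)
    bound_to, bound_date = inner.get(TO_FIELD), inner.get(DATE_FIELD)
    if not bound_to or not bound_date:
        return False, "no signed context"      # legacy message, replayable
    if parseaddr(bound_to)[1].lower() != parseaddr(outer_to)[1].lower():
        return False, "recipient mismatch"     # signed for someone else
    try:
        signed_at = parsedate_to_datetime(bound_date)
    except (TypeError, ValueError):
        return False, "bad date"
    if signed_at.tzinfo is None:
        return False, "bad date"               # no usable UTC offset
    if now - signed_at > max_age:
        return False, "stale"                  # old message sent again
    if signed_at - now > timedelta(minutes=5):
        return False, "future-dated"           # beyond clock-skew allowance
    return True, "ok"


# Constructed sample data (addresses and text are made up).
T0 = datetime(1996, 1, 17, 16, 39, 17, tzinfo=timezone.utc)
SIGNED = wrap_for_signing("It's over. Goodbye.", "alice@example.org", T0)

if __name__ == "__main__":
    for to in ("Alice <alice@example.org>", "carol@example.org"):
        print(to, check_context(to, SIGNED, T0 + timedelta(hours=1)))
```

A resend with forged headers still carries a valid signature, but the recipient and date named inside the signed text no longer match the delivery, which is what the check reports.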





