Eugene Smiley on Thu, 4 Sep 2003 09:22:06 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff Abrahamson wrote:
> Now, I don't suspect Erin was trying to spoof me, and she had enclosed
> a semi-random string that I had encrypted to her. So this one case
> doesn't bother me.

According to what you listed...

> gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
> gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8609 5F8C E335 F93F 40CC 14B8 10FA 4C88 A54D A2DF

It is just warning you that the signature is good, but that this person doesn't have a signature that you trust. In PGP you would get something like this:

*** Status: Good Signature from Invalid Key
*** Alert: Please verify signer's key before trusting signature.

> But, in general, how can I distinguish between the end of the
> encrypted message and the beginning of the "gpg: Signature ..." stuff?
> Couldn't someone just include such a (forged) signature block at the
> end of their message, then encrypt the whole thing without signing,
> and so convince me that the message was signed by someone else?

It is possible. One spammer has even tried using fake PGP sigs to try to get a few "bonus" points from SpamAssassin. This is always easy to spot. However, trying to fake the signature verification is harder, if that's what you are referring to. The 'attacker' would need to know about your specific setup to make it convincing, but it would still be noticeable if you were to look at the original message and verify it manually.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr2 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/VzxC6QPtAqft/S8RAmGDAJ96LnEe5cras2IVS3AShIDDG9aZfwCfSAwj
1+MfNoYDjZnAwgSM6VGasgY=
=ULIc
-----END PGP SIGNATURE-----

Attachment: smime.p7s
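The manual check Eugene recommends can be done without eyeballing stderr at all. This is an added example, not code from Jeff, Eugene, or the GnuPG project: it reads the machine-readable status lines GnuPG emits on the descriptor named by `--status-fd` (every such line starts with `[GNUPG:] `, and the keywords GOODSIG, VALIDSIG, BADSIG, TRUST_* and friends are documented in GnuPG's doc/DETAILS), so a "gpg: Good signature ..." transcript pasted into an encrypted-but-unsigned body, which never carries that prefix, is simply ignored. The forged body and the status text below are constructed samples that reuse the key ID and fingerprint quoted in the thread; the VALIDSIG timestamp fields are made up. `verify_with_gpg` is an assumed wrapper around a real gpg invocation and is not exercised by the samples.

```python
"""Check a GnuPG verification by reading its --status-fd lines, not its prose.

Added example, not code from the original thread.  GnuPG writes status lines
prefixed "[GNUPG:] " to the descriptor given by --status-fd; the keywords used
here are the ones documented in GnuPG's doc/DETAILS.  Decrypted plaintext goes
to stdout, so a fake "gpg: Good signature ..." transcript inside the message
body never carries the prefix and never reaches the verdict.
"""

import subprocess
from dataclasses import dataclass, field
from typing import Tuple

STATUS_PREFIX = "[GNUPG:] "

TRUST_KEYWORDS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE"}
# A signature was present but cannot be relied on.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class SignatureVerdict:
    signed: bool = False        # gpg actually saw and checked a signature packet
    good: bool = False          # GOODSIG: cryptographically valid
    key_id: str = ""            # long key ID reported with GOODSIG
    fingerprint: str = ""       # primary key fingerprint from VALIDSIG
    trust: str = ""             # TRUST_* keyword, if gpg emitted one
    problems: list = field(default_factory=list)


def parse_status_lines(status_text: str) -> SignatureVerdict:
    """Build a verdict from the status channel only; everything else is ignored."""
    v = SignatureVerdict()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # human-readable gpg text or message body: not a status line
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG" and len(fields) >= 2:
            v.signed, v.good, v.key_id = True, True, fields[1]
        elif keyword == "VALIDSIG" and len(fields) >= 2:
            v.signed = True
            # Field 1 is the signing key's fingerprint; field 10, when present,
            # is the primary key's fingerprint (the one the thread quotes).
            v.fingerprint = fields[10] if len(fields) >= 11 else fields[1]
        elif keyword in FAILURE_KEYWORDS:
            v.signed = True
            v.problems.append(keyword)
        elif keyword in TRUST_KEYWORDS:
            v.trust = keyword
    return v


def trusted_signature(v: SignatureVerdict) -> bool:
    """Good signature from a key the local web of trust rates FULLY or ULTIMATE.

    TRUST_UNDEFINED is the machine form of the warning quoted in the thread:
    the signature verifies, but nothing ties the key to its claimed owner."""
    return v.good and not v.problems and v.trust in TRUSTED_LEVELS


def verify_with_gpg(path: str) -> Tuple[str, SignatureVerdict]:
    """Run a real gpg: plaintext on stdout, status lines on fd 2.

    Assumed wrapper for illustration; needs gpg and the keys installed and is
    not exercised by the constructed samples below."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
        capture_output=True, text=True, check=False)
    return proc.stdout, parse_status_lines(proc.stderr)


# Constructed sample: a body that was only encrypted, with a fake verification
# transcript (copied from the thread) pasted in.  No "[GNUPG:] " lines at all.
FORGED_BODY = """\
Hi Jeff, wire the money today please.

gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
"""

# Constructed sample of the status fd (interleaved with ordinary stderr text)
# for the real, untrusted-key case in the thread.  Key ID and fingerprint are
# the ones quoted there; the VALIDSIG timestamp fields are made up.
GENUINE_STATUS = """\
gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
[GNUPG:] GOODSIG 10FA4C88A54DA2DF Erin Mulder <meara@alumni.princeton.edu>
gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
[GNUPG:] VALIDSIG 86095F8CE335F93F40CC14B810FA4C88A54DA2DF 2003-09-04 1062648932 0 3 0 17 2 00 86095F8CE335F93F40CC14B810FA4C88A54DA2DF
gpg: WARNING: This key is not certified with a trusted signature!
[GNUPG:] TRUST_UNDEFINED
"""


if __name__ == "__main__":
    forged = parse_status_lines(FORGED_BODY)
    print("forged body: signed =", forged.signed)            # False
    real = parse_status_lines(GENUINE_STATUS)
    print("real status: good =", real.good, "trust =", real.trust,
          "trusted =", trusted_signature(real))              # True TRUST_UNDEFINED False
```

Two design points. First, the status channel and the plaintext must not share a stream: with `--status-fd 2` the plaintext stays on stdout, so nothing a sender writes into the body can ever start with `[GNUPG:] `. Second, the verdict distinguishes three outcomes that the human-readable output blurs together: no signature at all (the forged case), a good signature from an uncertified key (Erin's case, TRUST_UNDEFINED), and a good signature from a key you have actually verified and signed (TRUST_FULLY or TRUST_ULTIMATE). Only the last one should be treated as "signed by her".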