David Shaw on Thu, 4 Sep 2003 11:03:05 -0400



Re: [PLUG] gpg spoof?


On Thu, Sep 04, 2003 at 10:49:22AM -0400, Jeff Abrahamson wrote:
> > That said, I'm not opposed to a more rigorous warning... I need to
> > think about that a bit more.
> 
> Could gpg use the same solution that mutt used: add a line that says,
> "Signature verified at `date`"?

Yes, but it's not a perfect solution - in mutt, the timestamp appears
outside of the GnuPG output.  There is no way for a message to put
text in that area as only mutt itself can write there.  There is no
way to get outside of GnuPG output in GnuPG.

Given that, it would be possible (though very difficult) for someone
to guess when a message would be read and encode that timestamp in the
message.

A stronger solution that does not have this problem is to put a "gpg:
message has no signature" warning on messages without signatures.
Even that is not perfect since there are messages with more than one
signature.  It's hard to do out-of-band messaging when you have only
one form of output (piping to 'gpg' pretty much has to end up on the
console).

David
_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
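
Added example, not part of David Shaw's message or of GnuPG's code: a program that calls gpg can ask for machine-readable status lines on a separate file descriptor with `--status-fd`, which message text cannot write to, and decide from that channel alone. The function names and the sample status and output strings are constructed for illustration; the two-signature sample covers the multi-signature case mentioned above.

```python
import os
import subprocess

def run_gpg(path):
    """Run gpg with status lines on their own pipe; return (status, output)."""
    r, w = os.pipe()
    proc = subprocess.Popen(
        ["gpg", "--batch", "--status-fd", str(w), "--decrypt", path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, pass_fds=(w,))
    os.close(w)  # keep only gpg's copy of the write end open
    output = proc.stdout.read().decode("utf-8", "replace")
    with os.fdopen(r, encoding="utf-8", errors="replace") as fh:
        status = fh.read()
    proc.wait()
    return status, output

def assess(status, output):
    """Decide from the status channel only; list gpg look-alike lines in the text."""
    valid, bad = [], []
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG":
            valid.append(fields[2])  # fingerprint of a verified signature
        elif fields[1] in ("BADSIG", "ERRSIG"):
            bad.append(fields[2])    # key ID of a signature that failed
    lookalikes = [l for l in output.splitlines()
                  if l.lstrip().lower().startswith("gpg:")]
    return {"signed": bool(valid) and not bad, "signers": valid,
            "failed": bad, "lookalikes": lookalikes}

# Constructed sample: decrypted but unsigned text that imitates gpg's console lines.
SPOOF_STATUS = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"
SPOOF_OUTPUT = 'Meet at noon.\ngpg: Good signature from "Alice <alice@example.org>"\n'

# Constructed sample: two verified signatures on one message (placeholder fingerprints).
FPR_A, FPR_B = "A" * 40, "B" * 40
TWO_SIG_STATUS = (
    f"[GNUPG:] GOODSIG {FPR_A[-16:]} Alice <alice@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR_A} 2003-09-04 1062687785 0 4 0 17 2 01 {FPR_A}\n"
    f"[GNUPG:] GOODSIG {FPR_B[-16:]} Bob <bob@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR_B} 2003-09-04 1062687790 0 4 0 17 2 01 {FPR_B}\n")

if __name__ == "__main__":
    print(assess(SPOOF_STATUS, SPOOF_OUTPUT))
    print(assess(TWO_SIG_STATUS, "hello\n"))
```

The `lookalikes` list is informational only: the `signed` verdict never depends on what the message text says.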