Bogus digital signatures, Re: OT: utility account transfer frauds
David Howe
DaveHowe at gmx.co.uk
Tue, 15 Oct 2002 13:24:35 +0100
at Tuesday, October 15, 2002 10:25 AM, Charles Lindsey
> Of course, if the other guy presents you with a version he has already
> signed (we presume this transaction is not face-to-face), then making
> the change will break his signature (and if you want him to sign your
> altered copy, then we are back to square one, because he will also
> want to make a small random change before signing it).
At the expense of a little work, this is doable too.
There are only three possibilities - either an inline plaintext, binary
detached, or binary non-detached sig.
With a plaintext sig, you can place your text *before* the pgp-start
marker. The authentication process will ignore it and you can sign the
whole thing (string, body and sig) by any of the three methods.
With a binary attached sig, any additions to the data after the sig will
be ignored - so simply append your random string to the end of the file,
then again attached-sign it.
With a detached sig, enclose both file and sig in an archive file, adding
an "authentication" file containing your string. Then sign that archive.
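
The inline-plaintext case above rests on where the OpenPGP cleartext signature framework (RFC 4880, section 7) draws its boundaries. The following Python is an added example, not part of the original post: it splits a message into the text the inner signature covers and the text outside it. The function name and the sample message, whose signature block is a placeholder, are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Separate what a cleartext signature covers from what it does not."""
    # Trailing spaces/tabs are not part of the signed text, so drop them early.
    lines = [ln.rstrip(" \t") for ln in text.splitlines()]
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
        # Armor headers such as "Hash: SHA256" end at the first empty line.
        blank = lines.index("", start + 1, sig)
    except ValueError:
        raise ValueError("not a complete cleartext-signed message") from None
    # Undo dash-escaping: a body line that began with "-" was sent as "- -...".
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[blank + 1:sig]]
    return {
        "prefix": "\n".join(lines[:start]),      # not covered by the inner sig
        "hash_headers": lines[start + 1:blank],
        # Canonical form: CRLF between lines, none before the signature marker.
        "signed_text": "\r\n".join(body),        # the only covered region
        "signature": "\n".join(lines[sig:end + 1]),
        "suffix": "\n".join(lines[end + 1:]),    # not covered by the inner sig
    }


# Constructed sample: placeholder armor, not real signature data.
SAMPLE = """\
nonce: 7f3a-constructed-random-string
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I agree to the account transfer.
- -- Alice
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not real signature data)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    parts = split_clearsigned(SAMPLE)
    print("outside the inner signature:", repr(parts["prefix"]))
    print("covered by the inner signature:", repr(parts["signed_text"]))
```

The prefix only becomes authenticated once the whole file, prefix included, is signed again, which is the second step the message describes.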