The phrase "MUST be present in the hashed area." has to be added to
the following sections:
5.2.3.4. Signature creation time
5.2.3.6. Key expiration time
5.2.3.10. Signature expiration time
5.2.3.12. Revocable
5.2.3.13. Trust signature
5.2.3.14. Regular expression
5.2.3.15. Revocation key
5.2.3.17. Key server preferences
5.2.3.19. Primary user id
5.2.3.21. Key Flags
5.2.3.22. Signer's User ID
5.2.3.23. Reason for Revocation
I'm not sure about the following (GnuPG puts them into the hashed
area):
5.2.3.7. Preferred symmetric algorithms
5.2.3.8. Preferred hash algorithms
5.2.3.9. Preferred compression algorithms
Hash protection is obviously not needed for:
5.2.3.5. Issuer
5.2.3.11. Exportable Certification
5.2.3.18. Preferred key server (resolving URLs isn't secure anyway)
5.2.3.20. Policy URL (ditto)
Whether notation data has to be put into the hashed area depends on
that data, of course.
--
Florian Weimer
Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5