FlyerTalk Forums

PreCheck "Hack" reached press (https://www.flyertalk.com/forum/checkpoints-borders-policy-debate/1400594-precheck-hack-reached-press.html)

LaserSailor Nov 3, 2012 10:30 am


through? Or get a job with an airside vendor and have a 100% chance of getting the gun through?
This is a much, much more serious problem than the scenario above about terrorists using these screening programs to insert a mole....

zkzkz Nov 3, 2012 10:55 am


Originally Posted by cparekh (Post 19588933)
My goodness, this terrible research by internet "reporters" is going to cause everyone to panic for no reason. So what if you can read the bar code. You cannot change the bar code and have it work, because it will no longer match the signature also encoded in the bar code, and you will be rejected.

This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.

Firstly, what on earth are you talking about? If you can read a pdf you can certainly change it. Just because your crippled pdf reader doesn't let you change it doesn't mean Adobe has some magic hammer that forces everyone else in the world to not write software that allows you to change it. At worst imagine printing it and scanning it back in, doing OCR to generate a new PDF (which would be not unlike what the boarding pass barcodes would be going through). If you distribute your new pdf with a new signature or no signature at all how would the person who receives it know that they should expect there to be a signature?

Secondly, many people have asserted that these barcodes include signatures. But I've never seen any pointer to any evidence of this. Does anyone have any actual information on this purported signature? I'm quite skeptical because there doesn't seem to be enough bits in the barcodes to contain a particularly strong signature. Maybe that's good enough since you can't do offline attacks but I doubt it.

Moreover there's a fundamental weakness in a signature based scheme. The signing key would have to be in every terminal everywhere in the world belonging to every organization that can issue boarding passes. It wouldn't be very long before the key was leaked.

I did just scan a bunch of boarding passes. The US Airways and United boarding passes didn't contain very much of interest at all. The pre-merger Continental boarding pass did contain a 42 byte binary blob which could conceivably have been a signature. But the post-merger United boarding passes don't have the same thing. AC boarding passes appear to have a lot more bits but none of the barcode readers I found can read them.

From http://www.iata.org/whatwedo/stb/Doc...v4_Jun2009.pdf there is a signature field:

5.2.6. Digital signature
The security field is optional and to be used only when required by the local security administration. This field contains a digital signature of variable length, the length of the field and a type of security data (that defines the algorithm used).

The digital signature is part of a public key infrastructure (PKI): the airlines own their private key, used to generate the digital signatures, and distribute their public keys to third parties who need to verify the signatures.

The PKI infrastructure used in the rest of the aviation industry for things like maintenance records and data interchange with airports appears to be ATA "Spec 42" which doesn't appear to be available for free anywhere. It does use IETF RFC 5280 certificates, but I don't see how any of the barcodes I'm looking at could be large enough to contain a 5280 certificate.

Global_Hi_Flyer Nov 4, 2012 8:17 am

Getting this (link to article) kind of press will result in a reaction from TSA. Recall that "Speak Your Name" started after the TSA got embarrassed by someone who got through the checkpoint....

I predict that Precheck gets even harder if it doesn't go away.

Ari Nov 4, 2012 11:19 am


Originally Posted by Global_Hi_Flyer (Post 19621457)
Getting this (link to article) kind of press will result in a reaction from TSA. Recall that "Speak Your Name" started after the TSA got embarrassed by someone who got through the checkpoint....

I predict that Precheck gets even harder if it doesn't go away.

Maybe they start mandating signatures on all barcodes, but the article, as usual with media and the TSA, makes plenty of incorrect assumptions.

FatherAbraham Nov 6, 2012 1:18 pm

edit: did not realize WP article had been posted already.

gfunkdave Nov 23, 2012 1:16 pm


Originally Posted by steve65341 (Post 19582561)
I downloaded one for iPhone that simply shows up as "scanner" and it works well. FWIW the boarding pass barcode is in PDF 417 format so finding one that supports it will work.

Has anyone gotten the scanner app to work with the bar code produced by the airlines' phone apps for mobile boarding passes? Mine only works with the one the website produces for printing at home.

14940674 Nov 23, 2012 2:44 pm


Originally Posted by gfunkdave (Post 19734388)
Has anyone gotten the scanner app to work with the bar code produced by the airlines' phone apps for mobile boarding passes? Mine only works with the one the website produces for printing at home.

If you are using iOS, take a screenshot of the BP, and scan the file using the Qrafter app.

https://itunes.apple.com/us/app/qraf...416098700?mt=8

cparekh Nov 26, 2012 2:00 pm


Originally Posted by zkzkz (Post 19616936)
Firstly, what on earth are you talking about? If you can read a pdf you can certainly change it. ...

Secondly, many people have asserted that these barcodes include signatures. But I've never seen any pointer to any evidence of this. Does anyone have any actual information on this purported signature? I'm quite skeptical because there doesn't seem to be enough bits in the barcodes to contain a particularly strong signature. ...

Moreover there's a fundamental weakness in a signature based scheme. The signing key would have to be in every terminal everywhere in the world belonging to every organization that can issue boarding passes. It wouldn't be very long before the key was leaked. ...

What I am talking about is this signature: AMzB2130HCgqDPhBelGkOsKD3D8HrVivfQ==|SEXWg35HHgESk v0/sIszRoy
zwkIG+jSp

Which is what appears when I scan my AA boarding pass. Obviously, I understand I can change the text, but doing so means that the text no longer matches the digital signature --- causing the BP to be rejected by the PreCheck scanner.

The private key does not have to be universally available. AA has one, and they generate the signature for my PNR centrally. It certainly does not "have to be in every terminal everywhere in the world." They do have to be with every issuing organization, but that is why every organization cannot participate in PreCheck.
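
Added example, not part of any post in this thread and not the scheme any airline or the TSA actually uses: a minimal issuer/scanner pair showing the two points argued above, that the scanner needs only the public key, and that a signature protects nothing unless the scanner refuses unsigned data. Ed25519, the `^`/type/length trailer layout (loosely modelled on the IATA description quoted earlier), the sample payload and the names `DemoKeys`, `Issue`, `Verify` and `requireSig` are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var ErrUnsigned, ErrBadSig = errors.New("no security field"), errors.New("bad security field or signature")

// DemoKeys uses a constructed all-zero seed, demo only. The issuer alone keeps priv.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue appends a hypothetical trailer: '^', type '1', 2 hex digits of length, base64 signature.
func Issue(priv ed25519.PrivateKey, payload string) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(payload)))
	return fmt.Sprintf("%s^1%02X%s", payload, len(sig), sig)
}

// Verify is the scanner side and needs only the public key.
func Verify(pub ed25519.PublicKey, scanned string, requireSig bool) (string, error) {
	i := strings.IndexByte(scanned, '^')
	if i < 0 && !requireSig {
		return scanned, nil // optional-signature policy: unsigned data passes unchecked
	} else if i < 0 {
		return "", ErrUnsigned
	}
	payload, trailer := scanned[:i], scanned[i+1:]
	if len(trailer) < 3 {
		return "", ErrBadSig
	}
	n, err := strconv.ParseUint(trailer[1:3], 16, 8) // declared length of the signature text
	sig, derr := base64.StdEncoding.DecodeString(trailer[3:])
	if err != nil || derr != nil || int(n) != len(trailer)-3 || !ed25519.Verify(pub, []byte(payload), sig) {
		return "", ErrBadSig
	}
	return payload, nil
}

func main() {
	pub, priv := DemoKeys()
	fmt.Println(Verify(pub, Issue(priv, "DOE/JANE|XX0001|12A"), true)) // constructed payload
}
```

With `requireSig` set to false, an altered string with the trailer removed is accepted, which is the gap zkzkz raises for an optional signature field; with it set to true, both the altered and the unsigned string are rejected.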


All times are GMT -6.