Re: PGP ADK Bug Fix
At 11:57 AM 8/27/00 -0700, Bill Stewart wrote: ... The real question is whether somebody will hack the keyservers to eat ADK keys before or after somebody downloads all the DH keys, adds ADK keys to them, updates the servers, and threatens to publish ... It looks like NAI is treating this with the seriousness it deserves, and has already modified two key servers to "cleanse" keys with unsigned ADK parasitic records: http://www.pgp.com/other/advisories/adk.asp ___ Michael Paul Johnson [EMAIL PROTECTED]http://ebible.org/mpj
Re: PGP ADK Bug Fix
How hard would it be to filter the public key servers for unsigned ADKs and either notify the keyowner or just remove the unsigned ADKs? The cert containing the unsigned ADK could be moved to a separate key server, equipped with suitable warnings, so the forensic record would be preserved. Arnold Reinhold
Re: PGP ADK Bug Fix
Anrold Reinhold wrote: How hard would it be to filter the public key servers for unsigned ADKs and either notify the keyowner or just remove the unsigned ADKs? It might be possible to filter the unsigned ADKs from key servers, however, it is not clear if the bug discovered is all there is to worry about. PGP/NAI has not yet given a complete explanation of how the bug got past quality control for truly reliable security. Others have noted on the net how long the fault related to bug has been around, and that despite warnings to PGP nothing was done about it. A few have also noted that the pattern of eventual disclosure of a fault is not unprecedented as a way to discover a built-in flaw added to gain export approval in an NDA sit-down with governmental authorities, a process still required by US export law for strongest crypto and a process that is also in effect in other countries linked to the US by technology control pacts such as Wassenaar. PGP has a wonderful reservoir of goodwill that will surely help it through this embarassment, but the reservoir has been drained rather much and needs replenishment. To help with that Michel Bouissou has circulated a call for restored confidence in PGP Freeware with a set of constructive suggestions for PGP/NAI: http://cryptome.org/pgp-reborn.htm Are there other suggestions being floated?
Re: PGP ADK Bug Fix
Thanks John. Also www.pgpi.com now makes it available. However, it would be nice to have a fixed copy of PGP6.5.3i, the last version made available with source code. Has anybody got patches for it? Enzo - Original Message - From: "John Young" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, August 26, 2000 9:26 PM Subject: PGP ADK Bug Fix Cryptome offers the ADK bug-fixed PGP Freeware 6.5.8: http://jya.com/pgpfree/PGPFW658Win32.zip (7.8MB) http://jya.com/pgpfree/PGPFW658Mac_sit.bin (5.6MB) Analyses of the ADK fix and any others most welcome.
Re: PGP ADK Bug Fix
At 10:33 AM 8/27/00 -0400, Arnold G. Reinhold wrote: How hard would it be to filter the public key servers for unsigned ADKs and either notify the keyowner or just remove the unsigned ADKs? The cert containing the unsigned ADK could be moved to a separate key server, equipped with suitable warnings, so the forensic record would be preserved. The philosophy of the keyservers is that they only provide distribution and convenience - the security of using a PGP comes from signatures. If we've lost the security of the PGP signature system, at least for DH keys, then perhaps they can help, but that doesn't tell you if there are already-distributed keys containing ADKs. ADK-infected PGP keys can still be used for signatures and keysigning, just not for encryption keys. Fortunately, the RSA patent expires Real Soon Now, so we could start widely redeploying RSA keys. (Unfortunately, the old-style RSA keys had format bugs too, and they use MD5 which is moribund.) The real question is whether somebody will hack the keyservers to eat ADK keys before or after somebody downloads all the DH keys, adds ADK keys to them, updates the servers, and threatens to publish Thanks! Bill Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
PGP ADK Bug Fix
Cryptome offers the ADK bug-fixed PGP Freeware 6.5.8: http://jya.com/pgpfree/PGPFW658Win32.zip (7.8MB) http://jya.com/pgpfree/PGPFW658Mac_sit.bin (5.6MB) Analyses of the ADK fix and any others most welcome.