--- begin forwarded text Status: U Date: Tue, 4 Sep 2001 08:15:50 +0100 To: [EMAIL PROTECTED] From: Fearghas McKay <[EMAIL PROTECTED]> Subject: Fwd: [PGP-USERS] ANNOUNCE: PGP Validity Display Patches Available Reply-To: "Usual People List" <[EMAIL PROTECTED]> Sender: <[EMAIL PROTECTED]> List-Subscribe: <mailto:[EMAIL PROTECTED]> --- begin forwarded text Date: Mon, 03 Sep 2001 17:41:09 -0700 From: Will Price <[EMAIL PROTECTED]> X-Accept-Language: en,pdf To: [EMAIL PROTECTED] Subject: [PGP-USERS] ANNOUNCE: PGP Validity Display Patches Available Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 PGPsdk Key Validity Display Vulnerability A vulnerability in PGP's display of key validity has been discovered that could allow an attacker to fool users into thinking that a valid signature was created by what is actually an invalid user ID. If the attacker can obtain a signature on their key from a trusted third party, they can then add a second user ID to their key which is unsigned. The attacker must then switch the unsigned false user ID to primary and convince the victim to place the key on their keyring. In such a case, some of the displays in PGP do not properly identify the false user ID as invalid because the second user ID is fully valid. Whenever PGP displays validity information on a per-user ID basis, the display is correct. Thus, attentive users who examine the user IDs of all public keys which they import to their keyrings will immediately notice this problem before it could have any impact. This issue was discovered and reported to Network Associates/PGP Security, Inc. by Sieuwert van Otterloo. This issue has been corrected such that all key validity displays in PGP will properly mark the unsigned user ID as invalid. Hotfixes are now available for the following products: PGP Corporate Desktop v7.1 (MacOS9/Win32) PGP Personal Security v7.0.3 (MacOS9/Win32) PGP Freeware v7.0.3 (MacOS9/Win32) PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32) Product upgrades are available for the following products: PGP E-Business Server v6.5.8x (OS/390) PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32) The hotfixes and upgrades can be found at: http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp Network Associates/PGP Security Inc. has published the PGPsdk source code in electronic form for academic and cryptographic peer review. The source packages can be downloaded from: http://www.pgp.com/downloads/default.asp -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBO5Qi5qy7FkvPc+xMEQLlEgCguEA97m5kzov5ZdfWYz6b/rGNBnIAoJ6/ sZOjIZUp8loameOTRj3sgqPs =elB/ -----END PGP SIGNATURE----- .................................................................... Unsubscribe: <mailto:[EMAIL PROTECTED]?body=unsubscribe> Automated Help/Info: <mailto:[EMAIL PROTECTED]?body=help> List Homepage: <http://cryptorights.org/pgp-users/> List Admin (human): <mailto:[EMAIL PROTECTED]> Please do not send administrative commands to the list address! Thanks. --- end forwarded text --- end forwarded text -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
