> Sorry, this bug only affect the keys generated by the OpenPGP.js lib? No, keys generated by OpenPGP.js are not problematic. Only if you import a private key that has a S2K type not defined in RFC4880 and uses a certain session key, then it was possible to decrypt it in OpenPGP.js with any passphrase. To be clear: this is not a private key that you can generate under normal circumstances in any PGP implementation, but one that was specifically crafted for this vulnerability. _______________________________________________
http://openpgpjs.org Subscribe/unsubscribe: http://list.openpgpjs.org
