Hi Deryk Lister,
On Saturday, August 26, 2000 at 1:12:49 AM you wrote:
> If I understand this right, it basically makes PGP almost completely
> worthless. A public key can be tweaked whilst keeping the fingerprint
> the same, and then re-uploaded to the keyservers or handed out to
> others on your behalf. If someone sends mail to this tweaked key, you
> can still decode it - but so can the cracker! There's not a lot you
> can do about it; all keys made with Nai's PGP 5 or greater have this
> flaw.
That's nonsense, sorry. The bug is only related to the ADK-technology
in those PGP versions. That's a technology that enables, say, the boss
of a company to create custom keys for his employees while retaining a
second key (or backdoor) for himself. This (intended) functionality is
somehow flawed, hence the vulnerability. This doesn't in any way at
all affect the effectiveness of PGP encryption in any single-user
day-to-day use. I'm citing the article from BUGTRAQ, which contains
some links about the issue.
From [EMAIL PROTECTED]:
> In case you have not heard there is a serious bug in some versions of PGP
> related to additional decryption keys (ADK).
> For more information look at John Young's site which details some of this:
> http://cryptome.org/pgp-badbug.htm
>
> Quoting from an email on the site:
>
> "Tested versions of PGP:
> PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
> PGP-5.0i UNIX (not vulnerable)
> PGP-5.5.3i WINDOWS (VULNERABLE)
> PGP-6.5.1i WINDOWS (VULNERABLE)
> GnuPG-1.0.1 UNIX (not vulnerable)"
>
> A paper detailing an aspect of the vulnerability is written by Ralf
> Senderek: http://senderek.de/security/key-experiments.html and his student
> Stephen Early <[EMAIL PROTECTED]> seems to have worked on
> detailing this vulnerability as well on the ukcrypto mailing list.
Oliver Sturm
--
% \(-
(-: Command not found.
--
Oliver Sturm / <[EMAIL PROTECTED]>
Key ID: 71D86996
Fingerprint: 8085 5C52 60B8 EFBD DAD0 78B8 CE7F 38D7 71D8 6996