Anderson's attack?

Ben Pearre bwpearre at alumni.princeton.edu
Fri Mar 1 23:48:01 CET 2002


On Wed, Feb 06, 2002 at 03:50:22PM -0800, Len Sassaman wrote:
> This was addressed pretty thoroughly on the Cryptography list when Davis's
> paper first came out. Basically, the "flaws" the paper is discussing are
> social, not technical. The steps that can be taken on a technical level
> to prevent this are few. (FWIW, OpenPGP's timestamping helps this a bit.)

Ok, y'all have convinced me that this is a mailer problem, not an
engine problem.  But it's very widespread.  Couldn't it at least be
better documented?

I couldn't find any info in the documentation as to whether it
encrypt-signed or sign-encrypted, and what the implications were.
Just make it clear that when something arrives encrypted, gpg doesn't
know who encrypted it.  This would probably want to go in the man
page, where people who read about --encrypt and --sign will see it.

Cheers,
-Ben

-- 
bwpearre at alumni.princeton.edu                http://hebb.mit.edu/~ben

More information about the Gnupg-devel mailing list