The two V3 attacks
Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 25 10:52:08 CEST 2012
On 06/25/2012 03:32 AM, Georgi Guninski wrote:
> You *knowingly* distribute vulnerable warez for a long time?
Listen, I'm about as strident of a "PGP 2.6 and V3 must both die" voice
as they come. If I were any stronger on the subject I'd be ending each
email with the sigline "MD5, PGP 2.6 et V3 delenda est!" [1] But even
then, I think this statement is way overdone.
PGP 2.6 support, MD5 in general, and V3 keys are all inferior
technologies that should have been replaced a long time ago. However,
there's still a need to read existing files that predate these attacks
and there's still a need to provide a migration path from the
known-vulnerable to the believed-good. Any system that provides both
migration tools and read support for PGP 2.6 is going to fall under your
definition of "vulnerable warez."
Me, I call it providing a migration path and support for interoperating
with legacy systems, while loudly begging, pleading, cajoling and
pathetically whining in the hopes that people will stop using these old
systems.
[1] http://en.wikipedia.org/wiki/Carthago_delenda_est
--
Robert J. Hansen <rjh at sixdemonbag.org>
MD5, PGP 2.6 et V3 delenda est!
More information about the Gnupg-devel
mailing list