[PGP-USERS] FW: Serious bug in PGP - versions 5 and 6

Werner Koch wk@gnupg.org
Fri, 25 Aug 2000 11:12:22 +0200

On Thu, 24 Aug 2000, Clive Jones wrote:

> Don't trust your secrets to people you don't trust. Trusting them not
> to use broken software is just another part of that issue.
It is just that all PGP >= 5 versions are broken by design/bug and the majority of encrypted mail is sent by PGP implementations. Have a look at the key server stats and you will see that most keys have been created by PGP >= 5.

It is important that security audits are *really* done and not that everyone assumes: Okay, here is the source, someone else has probably checked it. It has been shown in the last months that this is not true (and that includes free software and proprietary software with open source). The "given many eyeballs, all bugs are shallow" thesis is wishful thinking.

Werner