Does GNUPG have the PGP ADK weakness?
Huels, Ralf KSV
Ralf.Huels@schufa.de
28 Aug 2000 12:31:14 +0200
> BTW, thre are other tools to generate v4 keys and signatures aside
> from GnuPG or NAI.
Which is exactly why Ralf disparages the use of v4 signatures all
together.
As far as I understand the debate, Ralf is talking about keys.
Unfortunately, many others seem to talk about software.
The problem for users of any software that uses v4 signatures and
encrypts to ADKs was construed as a problem for users of any software
that uses v4 sigs.
I can see why people say that not encrypting to illicit ADKs is the
senderīs responsibility and thus GnuPG users are fine.
However, the fact remains that "broken" PGP (or other s/w) versions
are going to remain out there. I think itīs ok to point out that
PGP (< 6.5.8) users are not safe from the bug when encrypting to GnuPG
users.
Of course there is really nothing we (i.e. the GnuPG users and developers)
can do about that except set the good example and spread the word.
Tschuess,
Ralf
--
Ralf Hüls Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH 44866 Bochum
Score-Consult Tel. 02327/9114-28
http://www.schufa.de/ Fax. 02327/8 40 27
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org