Does GNUPG have the PGP ADK weakness?
Mon, 28 Aug 2000 17:39:46 +0200 (CEST)
>>>"HRK" == Huels, Ralf KSV <Ralf.Huels@schufa.de> writes:
HRK> Ralf says that people who want to make sure should avoid v4 sigs. The
HRK> safest way to do that is to use software that only uses v3 sigs.
HRK> In fact he recommends GnuPG as an analysis tool.
I think we all understand the issue by now. We all know what Ralf
S. intended to say. What I was criticising was that in his "report" he
was recommending against the use of GnuPG in a way that people might
think it was broken and needed a fix, just like PGP. That's just not the
case. What he didn't do was distinguishing between the fact was PGP was
flawed and shouldn't be used before it was fixed, but GnuPG's only
"flaw" was that it could be used to communicate with a flawed PGP (and
thereby the communcation from PGP to GnuPG could be endangered). This
should have been clearly stated as a different issue.
HRK> I do think, however, that Ralf´s criticism of the CERT advisory (as quoted
HRK> in http://home.kamp.net/home/kai.raven/news/frame2000q3.html) suffers
HRK> from some of the same misunderstandings that have troubled the entire
I do not think that he suffers misunderstandings. I think he knows the
subject very well. It appears to me more that his rage against ADKs is
so, well, "strong" that he'd like people to take extreme measures. Using
software that only uses v3 signatures is such an extreme measure. It
might well be the case that all this confusion about the vulnerability
of GnuPG was kind of deliberate, in order to serve the goal. That's what
I'm opposing. Raising the issue was right, but he did a lot damage as well.
To most people, telling possible PGP users to update their versions,
being cautious when PGP warns about the use of an ADK, or even convince
them to use GnuPG is a not-so-extreme and perfectly acceptable measure.
The warning against GnuPG raised a lot of confusion because a lot of
people didn't know which part of the warning was based on technical
grounds and which on personal opinion.
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org