Does GNUPG have the PGP ADK weakness?

Nils Ellmenreich Nils@infosun.fmi.uni-passau.de
Mon, 28 Aug 2000 17:39:46 +0200 (CEST)





>>>"HRK" == Huels, Ralf KSV <Ralf.Huels@schufa.de> writes:
HRK> Ralf says that people who want to make sure should avoid v4 sigs. The HRK> safest way to do that is to use software that only uses v3 sigs. HRK> In fact he recommends GnuPG as an analysis tool. I think we all understand the issue by now. We all know what Ralf S. intended to say. What I was criticising was that in his "report" he was recommending against the use of GnuPG in a way that people might think it was broken and needed a fix, just like PGP. That's just not the case. What he didn't do was distinguishing between the fact was PGP was flawed and shouldn't be used before it was fixed, but GnuPG's only "flaw" was that it could be used to communicate with a flawed PGP (and thereby the communcation from PGP to GnuPG could be endangered). This should have been clearly stated as a different issue. HRK> I do think, however, that Ralf´s criticism of the CERT advisory (as quoted HRK> in http://home.kamp.net/home/kai.raven/news/frame2000q3.html) suffers HRK> from some of the same misunderstandings that have troubled the entire HRK> debate. I do not think that he suffers misunderstandings. I think he knows the subject very well. It appears to me more that his rage against ADKs is so, well, "strong" that he'd like people to take extreme measures. Using software that only uses v3 signatures is such an extreme measure. It might well be the case that all this confusion about the vulnerability of GnuPG was kind of deliberate, in order to serve the goal. That's what I'm opposing. Raising the issue was right, but he did a lot damage as well. To most people, telling possible PGP users to update their versions, being cautious when PGP warns about the use of an ADK, or even convince them to use GnuPG is a not-so-extreme and perfectly acceptable measure. The warning against GnuPG raised a lot of confusion because a lot of people didn't know which part of the warning was based on technical grounds and which on personal opinion. Cheers, Nils -- Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @ http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org