Does GNUPG have the PGP ADK weakness?
Mon, 28 Aug 2000 12:46:09 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
I'm going to make one comment on this, just to eliminate some of the
There is nothing broken with the v4 signature format. The problem came
down to the fact that our code was permitting the ADK subpacket to exist
outside of the hashed area of the signature.
This is not a flaw in RFC 2440. This was a flaw in PGP (which has been
fixed in 6.5.8).
(And yes, Werner: we found out about Ralf's report the same way everyone
else did: through the mailing lists.)
Security Architect | "We all want many things,
Technology Consultant | but some of those are bottomly
| destructive of all desires."
http://sion.quickie.net | --Vernor Vinge
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
-----END PGP SIGNATURE-----
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org