Does GNUPG have the PGP ADK weakness?

L. Sassaman rabbi@quickie.net
Mon, 28 Aug 2000 12:46:09 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm going to make one comment on this, just to eliminate some of the
confusion.

There is nothing broken with the v4 signature format. The problem came
down to the fact that our code was permitting the ADK subpacket to exist
outside of the hashed area of the signature. 

This is not a flaw in RFC 2440. This was a flaw in PGP (which has been
fixed in 6.5.8).

(And yes, Werner: we found out about Ralf's report the same way everyone
else did: through the mailing lists.)


- --Len.

__

L. Sassaman

Security Architect             |  "We all want many things,      
Technology Consultant          |   but some of those are bottomly
                               |   destructive of all desires."
http://sion.quickie.net        |               --Vernor Vinge

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5qsGHPYrxsgmsCmoRAraBAKDZNXQGghT+PiDRofXCSOat1PLw8wCgsAmM
VOZU5v4ibWw2YgDuEIc4oLE=
=Gkpb
-----END PGP SIGNATURE-----
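
The check the message describes, as an added example (not part of the original post and not PGP's or GnuPG's code): walk both subpacket areas of a v4 signature and report where any ADK subpacket sits, so one found only in the unhashed area can be ignored as unauthenticated. It assumes subpacket type 10 for the ADK; the sample signatures, their payload bytes and the helper names are constructed for illustration.

```python
ADK_TYPE = 10  # subpacket type PGP used for the ADK; RFC 2440 lists 10 as a placeholder

def subpackets(area):
    """Yield (type, data) for each subpacket in one v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, i + 2
        else:                                 # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):   # also catches truncated lengths
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask off the critical bit
        i += length

def split_areas(body):
    """Return (hashed, unhashed) subpacket areas of a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    if len(body) < 8 + hlen + ulen:
        raise ValueError("truncated signature")
    return body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]

def adk_locations(body):
    """Return 'hashed' or 'unhashed' for every ADK subpacket in the signature."""
    hashed, unhashed = split_areas(body)
    return [name for name, area in (("hashed", hashed), ("unhashed", unhashed))
            for typ, _ in subpackets(area) if typ == ADK_TYPE]

def sub(typ, data):              # sample builder: one-octet length form only
    return bytes([len(data) + 1, typ]) + data

def sig_body(hashed, unhashed):  # constructed sample; hash prefix and MPIs omitted
    return (bytes([4, 0x13, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed)

ADK = sub(ADK_TYPE, bytes(22))                 # constructed placeholder payload
CREATED, ISSUER = sub(2, bytes(4)), sub(16, bytes(8))
GOOD = sig_body(CREATED + ADK, ISSUER)         # ADK covered by the signature hash
BAD = sig_body(CREATED, ISSUER + ADK)          # ADK outside the hashed area
print(adk_locations(GOOD), adk_locations(BAD))
```

A verifier that honours an ADK only when `adk_locations` reports `hashed`, and only after the signature itself validates, does not act on a subpacket appended to the unhashed area.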
