openpgp bug
Evan Prodromou
evan@prodromou.san-francisco.ca.us
Thu Mar 22 03:19:02 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "KP" == Karol Pietrzak <noodlez84@earthlink.net> writes:

KP> hello. i've recently come across this article:
KP> http://www.icz.cz/en/onas/tisk4.html that describes an openpgp
KP> bug (involves secret key). the article states that pgp 7.0.3
KP> and gnupg are affected. however, i have not seen this printed
KP> anywhere else. can someone please verify this?

I can verify that the article does NOT say that GNUPG is affected by
the sploit. It says that GNUPG uses the OpenPGP format, which is true.

If you read the article, the sploit appears to be this: alter Alice's
secret keyring file. Then, capture a signature made by Alice's secret
key. The fudged signature can be used to determine her key.

It sounds to me like a failure of the secret keyring file format and
not of OpenPGP per se.

~ESP
- --
Evan Prodromou
evan@prodromou.san-francisco.ca.us
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
iD8DBQE6uWExozwefHAKBVERAmerAKDPe8IMt+4lzdSwnfUaPC/61/LhuACeNke2
7nwspThA4RGquSmXnij8Swk=
=LVHE
-----END PGP SIGNATURE-----