Thu Mar 22 16:57:01 2001
Evan Prodromou <firstname.lastname@example.org> writes:
> I can verify that the article does NOT say that GNUPG is affected by
> the sploit. It says that GNUPG uses the OpenPGP format, which is true.
See http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf. GnuPG is *not*
vulnerable to the described attack if you use RSA keys. At the
moment, I'm not sure if the attack works against DSA keys; GnuPG
performs an integrity check on the secret key material, but I'm not
sure if it's sufficient.
> It sounds to me like a failure of the secret keyring file format and
> not of OpenPGP per se.
OpenPGP defines an exchange format for secret keys, and this format is
vulnerable to the attack, so there's an error in OpenPGP as well.