PGP 8.0 released today

Johan Wevers johanw@vulcan.xs4all.nl
Thu Dec 5 14:52:06 2002


Olaf Gellert wrote:

> Well, this seems to become the industry standard as microsoft
> suggested.

Too bad. I hope we're not taking MS as an example here. They sometimes
don't fix known holes for years anyway.

> Even ISS seems to stick to the 30 days,

So?

> Just think of the last security hole in apache, when ISS published their
> report just after the apache developers were informed (so they had 2 hours
> to fix the hole). This is bad style... And not only a pgp-issue.

No, I don't think so. The hole probably gets known to the underground
anyway, and the sooner I know my server might be vulnerable, the sooner
I can take measures if required. I prefer not to wait 30 days for developers.

For pgp/gpg this holds even more than for remotely exploitable programs like
Apache, where the most likely form of attack is some script kiddy trying to
root my server. Someone more knowledgeable than some script kiddy might be
intercepting my messages and be able to decrypt them without me knowing it.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html