PGP 8.0 released today

Johan Wevers
Thu Dec 5 14:53:02 2002

You, Len Sassaman, wrote:

> Speaking as the person who had to test the ADK vulnerability fixes for
> over a dozen different platforms and multiple products, having zero lead
> time for vulnerability correction makes that process rather painful.

I certainly believe you on that.

> I am a firm believer in full disclosure. However, giving a vendor a
> reasonable time period in which to evaluate the threat, produce a fix, and
> distribute it to customers should be standard practice.

That depends. If it's a remotely exploitable bug in some network service,
where the largest threat comes from script kiddies trying to root your box,
there is something to say for that.

However, for a program like pgp, the largest threat of someone exploiting an
error is for government agencies intercepting encrypted messages and being
able to decrypt them. If someone finds an error, it is very well possible
those agencies with many resources found them too, while it's unlikely that
some script kiddie finds an exploitable bug in Apache. I want to know
something like that immediately, before I send out any message that might
fall in the wrong hands due to not publishing.

ir. J.C.A. Wevers         //  Physics and science fiction site:   //
PGP/GPG public keys at