Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. users
[PGP-USERS] FW: Serious bug in PGP - versions 5 and 6
clive at nsict
Aug 24, 2000, 11:35 AM
Post #1 of 5 (835 views)
Permalink
The worrying part to me is:
"The problem won't go away until all vulnerable versions of PGP are retired,
since it's the sender who is responsible for encrypting to the ADKs, not the
recipient."

To be fair, this is nothing new. There are lots of ways a sender's
implementation could be broken so as to leak the secret information to
someone other than you, the recipient.

Generally, if Alice shares a secret piece of information with Bob,
it's at best as secure as the less secure of their respective systems.

Don't trust your secrets to people you don't trust. Trusting them not
to use broken software is just another part of that issue.

--Clive.

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
Re: [PGP-USERS] FW: Serious bug in PGP - versions 5 and 6 [ In reply to ]
wk at gnupg
Aug 25, 2000, 2:12 AM
Post #2 of 5 (828 views)
Permalink
On Thu, 24 Aug 2000, Clive Jones wrote:

> Don't trust your secrets to people you don't trust. Trusting them not
> to use broken software is just another part of that issue.

It is just that all PGP >= 5 versions are broken by design/bug and
the majority of encrypted mail is send by PGP implementations. Have a
look at the key servers stats and you will see that most keys have
been created by PGP >= 5.

It is important that security audits are *really* done and not that
everyone assumes: Okay, here is the source, someone else has probably
checked it. It has been shown in the last months that this is not
true (and that includes free software and proprietary one with open
source). The "given many eyeballs, all bugs are shallow" thesis is
whishful thinking.

Werner

--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
Re: [PGP-USERS] FW: Serious bug in PGP - versions 5 and 6 [ In reply to ]
Walter.Truitt at usa
Aug 25, 2000, 6:25 AM
Post #3 of 5 (830 views)
Permalink
On 25 Aug, Werner Koch wrote:

> It is just that all PGP >= 5 versions are broken by design/bug and
> the majority of encrypted mail is send by PGP implementations. Have a
> look at the key servers stats and you will see that most keys have
> been created by PGP >= 5.

My key was created by gnupg, but the keyserver says Version: 5.0

> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: 5.0
> Comment: PGP Key Server 0.9.4

When I use gpg to export it it has a different set of strings.

> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.0 (SunOS)
> Comment: For info see http://www.gnupg.org

I don't feel you can use the keyserver as a guide to what versions of
pgp are being used.

-walter
Re: [PGP-USERS] FW: Serious bug in PGP - versions 5 and 6 [ In reply to ]
lhecking at nmrc
Aug 25, 2000, 6:33 AM
Post #4 of 5 (828 views)
Permalink
Walter Truitt writes:
> On 25 Aug, Werner Koch wrote:
>
> > It is just that all PGP >= 5 versions are broken by design/bug and
> > the majority of encrypted mail is send by PGP implementations. Have a
> > look at the key servers stats and you will see that most keys have
> > been created by PGP >= 5.
>
> My key was created by gnupg, but the keyserver says Version: 5.0

My old pgp 2.6.3 RSA key is also labeled Version 5.0. Confused the hell
out of me when I saw it this first time.

> I don't feel you can use the keyserver as a guide to what versions of
> pgp are being used.

Exactly.

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
Re: [PGP-USERS] FW: Serious bug in PGP - versions 5 and 6 [ In reply to ]
wk at gnupg
Aug 25, 2000, 7:25 AM
Post #5 of 5 (829 views)
Permalink
On Fri, 25 Aug 2000, Walter Truitt wrote:

> My key was created by gnupg, but the keyserver says Version: 5.0
>
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > Version: 5.0
> > Comment: PGP Key Server 0.9.4

That is the armor which has nothing to do with the implemnation used
to create the key (a keyserver does not create keys)

> I don't feel you can use the keyserver as a guide to what versions of
> pgp are being used.

What I wanted to say, was that the majority of keys on the keyservers
are v4 keys as generated by PGPG >= 5 or GnuPG. You can easily see
that by looking at the algorithms: PGP 2 is not able to generate DSA
keys.

Werner



--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal