Mailing List Archive

Does GNUPG have the PGP ADK weakness?
Subject says it all :-)

Regards,

Andrew Marlow.

+-------------------------------------------------------------------------+
| Copyright (c) 2000 APM Software Ltd. All rights reserved. |
| My domain is apm hyphen software hyphen ltd dot demon dot co dot uk. |
| My email username is s1apm1fcnzzrefshpxbss. |
| The opinions expressed in this document are entirely my own. |
| I do not speak for anyone else. |
| PGP fingerprint: F7 5D 8F 92 E3 53 D7 C3 98 F4 BD 1C B4 A7 12 47 |
+-------------------------------------------------------------------------+

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
Re: Does GNUPG have the PGP ADK weakness? [ In reply to ]
NO!

And I am a little bit tired of repeating that over and over ;)

GnuPG does not know about ARR and therefore it is simply not able to
encrypt to a key from an ARR. I changed that on Friday, so that you
can now look at the ARR keys with --list-packets - but they are *not
used* in any other way than listing. ARRs are not defined by OpenPGP.

BTW, the CERT advisory and the followup to Ross Anderson's original
announcement to ukcrypto got it right.

Some statements by Ralf Senderek may have led to some confusion and
I have the impression that he published his paper without contacting
NAI prior to giving them a chance to fix the bug.

Werner


--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de

Does GNUPG have the PGP ADK weakness? [ In reply to ]
> Some statements by Ralf Senderek may have led to some confusion and
> I have the impression that he published his paper without contacting
> NAI prior to give them a chance to fix the bug.

It seems to me that two aspects of the problem have been happily mixed
up by several authors.
One is whether a given piece of software uses the ADK feature and encrypts
to an ADK.
The other is whether a key can be modified to contain an illicit ADK.

Ralf's statement that GnuPG is vulnerable seems to be based on the fact
that keys generated by GnuPG can be modified by an attacker to contain
an unwanted ADK. No user of GnuPG will have a problem with that as GnuPG
does not use the ADK feature at all (i.e. not even with authentic ADKs).
However, if that key is subsequently used as an encryption key by someone
using an unfixed PGP version, it will encrypt to the illicit ADK.

In that sense, GnuPG-generated keys are vulnerable to the ADK bug even if
GnuPG itself is not.

Tschuess,
Ralf

--
Ralf Hüls                           Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH   44866 Bochum
Score-Consult                       Tel. 02327/9114-28
http://www.schufa.de/               Fax. 02327/8 40 27

Re: Does GNUPG have the PGP ADK weakness? [ In reply to ]
At 10:22 28/08/2000 +0200, you wrote:
>GnuPG does not know about ARR and therefore it is simply not able to
>encrypt to a key from an ARR. I changed that on Friday, so that you
>can now look at the ARR keys with --list-packets


Could you release a 1.0.2x version (both for Unix and Win32) with this new
feature?

Re: Does GNUPG have the PGP ADK weakness? [ In reply to ]
On Mon, 28 Aug 2000, Huels, Ralf KSV wrote:

> Ralf's statement that GnuPG is vulnerable seems to be based on the fact
> that keys generated by GnuPG can be modified by an attacker to contain
> an unwanted ADK. No user of GnuPG will have a problem with that as GnuPG

You can't distinguish a GnuPG created key from a key generated by
another implementation. OpenPGP demands the use of v4 signatures because
they have a lot of advantages.

BTW, there are other tools to generate v4 keys and signatures aside
from GnuPG or NAI.

Werner

--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de

Does GNUPG have the PGP ADK weakness? [ In reply to ]
> BTW, there are other tools to generate v4 keys and signatures aside
> from GnuPG or NAI.

Which is exactly why Ralf disparages the use of v4 signatures
altogether.

As far as I understand the debate, Ralf is talking about keys.
Unfortunately, many others seem to talk about software.
The problem for users of any software that uses v4 signatures and
encrypts to ADKs was construed as a problem for users of any software
that uses v4 sigs.

I can see why people say that not encrypting to illicit ADKs is the
sender's responsibility and thus GnuPG users are fine.
However, the fact remains that "broken" PGP (or other s/w) versions
are going to remain out there. I think it's ok to point out that
PGP (< 6.5.8) users are not safe from the bug when encrypting to GnuPG
users.

Of course there is really nothing we (i.e. the GnuPG users and developers)
can do about that except set the good example and spread the word.

Tschuess,
Ralf

--
Ralf Hüls                           Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH   44866 Bochum
Score-Consult                       Tel. 02327/9114-28
http://www.schufa.de/               Fax. 02327/8 40 27

Re: Does GNUPG have the PGP ADK weakness? [ In reply to ]
>>>"HRK" == Huels, Ralf KSV <Ralf.Huels@schufa.de> writes:

HRK> However, the fact remains that "broken" PGP (or other s/w) versions
HRK> are going to remain out there. I think it's ok to point out that
HRK> PGP (< 6.5.8) users are not safe from the bug when encrypting to GnuPG
HRK> users.

Certainly, but it's not OK to say that GnuPG is also affected and people
shouldn't be using it anymore. But that is what Ralf S. did ..

HRK> Of course there is really nothing we (i.e. the GnuPG users and developers)
HRK> can do about that except set the good example and spread the word.

Exactly. See above.

Cheers, Nils
--
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE

Does GNUPG have the PGP ADK weakness? [ In reply to ]
> HRK> However, the fact remains that "broken" PGP (or other s/w) versions
> HRK> are going to remain out there. I think it's ok to point out that
> HRK> PGP (< 6.5.8) users are not safe from the bug when encrypting to
> GnuPG
> HRK> users.
>
> Certainly, but it's not OK to say that GnuPG is also affected and people
> shouldn't be using it anymore. But that is what Ralf S. did ..

Umm. Not exactly:

| So if you want to get rid of ADKs as much as possible, you are well
| advised to use PGP-Classic, PGP-2.6.x, the only PGP which guarantees
| that only Version-3-signatures are made and which rejects DH-keys and
| RSA-keys in Version-4-format.
|
| You should use GnuPG as an analysis-tool to check which packets a key
| or cryptogram consists of. And you can use newer PGP versions or GnuPG
| to check the validity of signatures on messages which have been made
| with V4-keys by others.

Ralf says that people who want to make sure should avoid v4 sigs. The
safest way to do that is to use software that only uses v3 sigs.
In fact he recommends GnuPG as an analysis tool.

I do think, however, that Ralf's criticism of the CERT advisory (as quoted
in http://home.kamp.net/home/kai.raven/news/frame2000q3.html) suffers
from some of the same misunderstandings that have troubled the entire
debate.
The way I understand the advisory, they perceive only the actual _use_
of illicit ADKs as the problem, while Ralf takes the mere fact that keys
can be modified as the problem. For instance CERT calls keys that don't
have ADKs when added to the key ring "not vulnerable" (presumably because
they obviously don't have an illicit ADK), while Ralf disagrees (because
ADKs might be added later).
I guess it all depends on whether you emphasize on the key itself or on
the software that uses it.
I think in that respect Ralf's criticism is too harsh. If all software
products used only hashed parts of the key, there wouldn't be a problem.

Tschüß,
Ralf

--
Ralf Hüls                           Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH   44866 Bochum
Score-Consult                       Tel. 02327/9114-28
http://www.schufa.de/               Fax. 02327/8 40 27

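The distinction drawn in the thread (whether a key carries an ADK versus whether software honours it, and why only the hashed part of a self-signature is trustworthy) comes down to where the ADK subpacket sits in the v4 signature. The following is an added example, not code from the thread or from GnuPG: it parses the subpacket areas of a constructed v4 signature body, in the spirit of --list-packets, and reports any ARR/ADK subpacket found in the unhashed area, i.e. outside what the key holder's signature covers. The subpacket type number 10 and the ADK payload layout (class byte, algorithm byte, 20-byte fingerprint) are assumptions taken from PGP's format and are not stated in the thread.

```python
import struct
ARR_SUBPACKET = 10  # "additional recipient request"/ADK type (assumed; gpg shows it as ARR)

def _subpacket_len(buf, i):
    """Decode a new-style subpacket length at buf[i]; returns (length, header_bytes)."""
    b0 = buf[i]
    if b0 < 192:
        return b0, 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[i + 1] + 192, 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], 5

def parse_subpackets(area):
    """Return [(type, critical, data), ...] for every subpacket in a subpacket area."""
    out, i = [], 0
    while i < len(area):
        length, hdr = _subpacket_len(area, i)  # length counts the type byte too
        i += hdr
        tag = area[i]  # high bit marks the subpacket as critical
        out.append((tag & 0x7F, bool(tag & 0x80), area[i + 1:i + length]))
        i += length
    return out

def split_v4_signature(body):
    """Split a v4 signature packet body into its hashed and unhashed subpacket lists."""
    if body[0] != 4:
        raise ValueError("not a v4 signature packet")
    pos = 4  # skip version, signature type, public-key algorithm, hash algorithm
    hlen = struct.unpack(">H", body[pos:pos + 2])[0]
    hashed = body[pos + 2:pos + 2 + hlen]
    pos += 2 + hlen
    ulen = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + ulen]
    return parse_subpackets(hashed), parse_subpackets(unhashed)

def unsigned_adk_fingerprints(body):
    """Fingerprints from ADK subpackets that the signer's hash does NOT cover.
    Assumed ADK payload layout: class byte, algorithm byte, 20-byte fingerprint."""
    _, unhashed = split_v4_signature(body)
    return [data[2:].hex() for typ, _, data in unhashed if typ == ARR_SUBPACKET]

def _sp(typ, data):  # build one subpacket with a one-byte length field
    return bytes([len(data) + 1, typ]) + data

# Constructed sample body (not a real signature; MPIs omitted): v4, positive
# certification (0x13), DSA (17), SHA-1 (2). Only the creation time is hashed;
# an issuer subpacket and an ADK subpacket sit in the unhashed area.
_hashed = _sp(2, b"\x39\xaa\x00\x00")
_unhashed = _sp(16, b"\x01" * 8) + _sp(ARR_SUBPACKET, b"\x80\x11" + bytes(range(20)))
SAMPLE_BODY = (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(_hashed)) + _hashed
               + struct.pack(">H", len(_unhashed)) + _unhashed + b"\x12\x34")
```

A non-empty result from unsigned_adk_fingerprints means the ADK could have been appended by anyone after the key holder signed, which is the case the thread says unfixed PGP versions would still encrypt to.
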
Re: Does GNUPG have the PGP ADK weakness? [ In reply to ]
>>>"HRK" == Huels, Ralf KSV <Ralf.Huels@schufa.de> writes:

HRK> Ralf says that people who want to make sure should avoid v4 sigs. The
HRK> safest way to do that is to use software that only uses v3 sigs.
HRK> In fact he recommends GnuPG as an analysis tool.

I think we all understand the issue by now. We all know what Ralf
S. intended to say. What I was criticising was that in his "report" he
was recommending against the use of GnuPG in a way that people might
think it was broken and needed a fix, just like PGP. That's just not the
case. What he didn't do was distinguish between the fact that PGP was
flawed and shouldn't be used before it was fixed, but GnuPG's only
"flaw" was that it could be used to communicate with a flawed PGP (and
thereby the communication from PGP to GnuPG could be endangered). This
should have been clearly stated as a different issue.

HRK> I do think, however, that Ralf's criticism of the CERT advisory (as quoted
HRK> in http://home.kamp.net/home/kai.raven/news/frame2000q3.html) suffers
HRK> from some of the same misunderstandings that have troubled the entire
HRK> debate.

I do not think that he suffers misunderstandings. I think he knows the
subject very well. It appears to me more that his rage against ADKs is
so, well, "strong" that he'd like people to take extreme measures. Using
software that only uses v3 signatures is such an extreme measure. It
might well be the case that all this confusion about the vulnerability
of GnuPG was kind of deliberate, in order to serve the goal. That's what
I'm opposing. Raising the issue was right, but he did a lot of damage as well.

To most people, telling possible PGP users to update their versions,
being cautious when PGP warns about the use of an ADK, or even convince
them to use GnuPG is a not-so-extreme and perfectly acceptable measure.
The warning against GnuPG raised a lot of confusion because a lot of
people didn't know which part of the warning was based on technical
grounds and which on personal opinion.

Cheers, Nils
--
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE
