Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] updated rpm for PGP vulnerability?
  • From: Rupert Kittinger <kittinger@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 29 Aug 2000 17:11:41 +0200
  • Message-id: <39ABD2AD.3FA7EF7A@xxxxxxxxxxxxxxxxxxxxxx>
Stefan Suurmeijer wrote:
>
>
> Check out the gnupg discussion lists. The addresses can be found at
> www.gnupg.org. On the first line you can also find the following:
>
> --> Snip
> GnuPG is not vulnerable to the faked ARR (aka ADK) attack as PGP 5 and 6
> is. The reason for this is that GnuPG does intentionally not handle those
> "additional recipients requests". BTW, those Big Brother packets are not
> defined in the OpenPGP standard - they are a proprietary PGP extension.
> --> Snap
>

Yes, I DID check out the gnupg develop maillist.

Please correct me if I make a mistake, but I come to the following
conclusion:

gpg might be secure, but if anybody uses an insecure pgp-descendant to
encode to my public key, the ciphertext is not necessarily secure, because
somebody might have inserted an ADK into my public key.

The possibility to modify signed keys seems to have dire consequences for
the "network of trust" concept, which is central to pgp.

Rupert

--
Rupert Kittinger <kittinger@xxxxxxxxxxxxxxxxxxxxxx>
Department of Mechanics and Mechanisms
Graz University of Technology
Kopernikusgasse 24/III A-8010 Graz
pgp-keyID: EB7E995C; get public key from
http://www.openpgp.net/pgpsrv.html
