Stefan Suurmeijer wrote:
Check out the gnupg discussion lists. The addresses can be found at www.gnupg.org. On the first line you can also find the following:
--> Snip
GnuPG is not vulnerable to the faked ARR (aka ADK) attack as PGP 5 and 6 is. The reason for this is that GnuPG does intentionally not handle those "additional recipients requests". BTW, those Big Brother packets are not defined in the OpenPGP standard - they are a proprietary PGP extension.
--> Snap
Yes, I DID check out the gnupg develop maillist. Please correct me if I make a mistake, but I come to the following conclusion: gpg might be secure, but if anybody uses an insecure pgp-descendant to encode to my public key, the ciphertext is not necessarily secure, because somebody might have inserted an ADK into my public key.

The possibility to modify signed keys seems to have dire consequences on the "network of trust"-concept, which is central to pgp.

Rupert

-- 
Rupert Kittinger <kittinger@mechanik.tu-graz.ac.at>
Department of Mechanics and Mechanisms
Graz University of Technology
Kopernikusgasse 24/III
A-8010 Graz
pgp-keyID: EB7E995C; get public key from http://www.openpgp.net/pgpsrv.html
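
Added example (not part of the thread and not GnuPG or PGP code): a check a key owner could run for the concern raised in the message above. It reports any additional-recipient-request subpacket in a version 4 OpenPGP signature and whether it sits in the hashed area or in the unhashed area, which the signature does not cover. It assumes the RFC 2440 signature packet layout and that the request is subpacket type 10; `find_arr`, `sp` and `sample_sig` are hypothetical names and the sample bytes are constructed.

```python
import struct

ARR = 10  # subpacket type PGP 5/6 used for ARR/ADK; RFC 2440 lists it only as a placeholder

def subpackets(area):
    """Yield (type, critical, data) for each subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def find_arr(sig):
    """Return [(area, critical, data_length)] for ARR subpackets in a v4 signature body."""
    if len(sig) < 8 or sig[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    h_end = 6 + struct.unpack(">H", sig[4:6])[0]
    if h_end + 2 > len(sig):
        raise ValueError("hashed area runs past packet")
    u_start = h_end + 2
    u_end = u_start + struct.unpack(">H", sig[h_end:u_start])[0]
    if u_end > len(sig):
        raise ValueError("unhashed area runs past packet")
    areas = (("hashed", sig[6:h_end]), ("unhashed", sig[u_start:u_end]))
    return [(name, crit, len(data)) for name, area in areas
            for typ, crit, data in subpackets(area) if typ == ARR]

def sp(typ, data):
    """Build one subpacket (constructed test data, one-octet length form only)."""
    return bytes([len(data) + 1, typ]) + data

def sample_sig(extra_unhashed=b""):
    """Constructed v4 certification body; MPIs omitted because the parser never reads them."""
    hashed = sp(2, b"\x39\x00\x00\x00")                # signature creation time
    unhashed = sp(16, b"\x00" * 8) + extra_unhashed    # issuer key ID
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")
```

A result whose area is `"unhashed"` means the subpacket was not covered by the signature hash, so it says nothing about what the key owner actually signed.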