Brian, et al --

...and then Brian Galbraith said...
%
% Yuri Robbers wrote:
% >
% > When will SuSE release updated rpm's for the PGP vulnerability announced
% > by CERT?
% >
% SuSE distributes only PGP 2.6.3 and GnuPG....none of which have the ADK
% vulnerability.

Please forgive the newbie for jumping in, but I believe that GPG *is* susceptible to this sort of attack when using any Version4 keys, including V4 RSA keys (and, since I haven't figured out how to get GPG 1.0.2 to use RSA V3 keys, that includes me).

I get this from Ralf Senderek's paper at

http://senderek.de/security/key-experiments.html

in the Inevitable Conclusions section, wherein he recommends using GPG as an analysis tool but using pgp 2.6.3 as your only encryption/decryption tool.

I realize that, if I have a DH key (as I do at the moment), nothing in the world can stop Joe Correspondent from getting a corrupted copy of my public key and using his PGP to encrypt to me as well as an attacker; all we can do is to ensure that he gets the real key from me and so on.

I would love to be proven wrong in my understanding that GPG is also vulnerable to accepting and using a compromised key, since I like the GPG interface and key management much more than either modern or "older" PGP versions. If anyone has any information, please feel free to send it on to me!

%
%
% Regards
%
% Brian

:-D
--
David T-G * It's easier to fight for one's principles
(play) davidtg@bigfoot.com * than to live up to them. -- fortune cookie
(work) davidtgwork@bigfoot.com
http://www.bigfoot.com/~davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!

The "new millennium" starts at the beginning of 2001. There was no year 0.
Note: If bigfoot.com gives you fits, try sector13.org in its place. *sigh*