Re: PGP Signatures security BUG!

From: Werner Koch (wkat_private)
Date: Wed Mar 08 2000 - 02:32:41 PST


    On Tue, 7 Mar 2000, Povl H. Pedersen wrote:
    
    > The problem is that the PGP servers expect all key IDs to be unique
    > numbers, and do not expect 2 users to have the same keyID. And with
    > the current amount of users, we are starting to get multiple users
    > with the same keyID.
    
    RFC2440 clearly states that a conforming implementation MUST not assume
    that key IDs are unique.  However, NAI does not claim that their PGP
    is OpenPGP compatible.
    
    There will be a keyserver admin meeting in May where we are going to
    discuss all these topics.
    
    BTW, faking the short key ID (the one that is normally displayed -
    internally 64 bits are used) is possible on a standard box within some
    hours.
    
    
      Werner
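
Added example, not part of the original message and not code from any PGP implementation or keyserver: a key index that treats key IDs as non-unique, as the RFC2440 requirement cited above demands, and refuses to pick a key when an ID alone is ambiguous. The `Keyring` class, its method names and the two fingerprints are constructed for illustration; the fingerprint and key ID derivation follows the RFC 2440 V4 definition.

```python
import hashlib

def v4_fingerprint(pubkey_packet_body: bytes) -> bytes:
    """RFC 2440 V4 fingerprint: SHA-1 over 0x99, two-octet length, packet body."""
    header = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + pubkey_packet_body).digest()

def key_id(fp: bytes) -> bytes:
    return fp[-8:]      # 64-bit key ID: low-order 64 bits of the fingerprint

def short_id(fp: bytes) -> bytes:
    return fp[-4:]      # 32-bit ID, the one that is normally displayed

class Keyring:
    """Hypothetical index that never assumes an ID maps to a single key."""
    def __init__(self):
        self._by_short = {}

    def add(self, fp: bytes, uid: str) -> None:
        if len(fp) != 20:
            raise ValueError("expected a 160-bit V4 fingerprint")
        self._by_short.setdefault(short_id(fp), []).append((fp, uid))

    def candidates(self, some_id: bytes):
        """All keys whose fingerprint ends in some_id (4 or 8 bytes)."""
        if len(some_id) not in (4, 8):
            raise ValueError("ID must be 4 or 8 bytes")
        bucket = self._by_short.get(some_id[-4:], [])
        return [(fp, uid) for fp, uid in bucket if fp.endswith(some_id)]

    def resolve(self, some_id: bytes, pinned_fp: bytes = None) -> str:
        """Return one user ID, or refuse when the ID alone is ambiguous."""
        hits = self.candidates(some_id)
        if pinned_fp is not None:
            hits = [h for h in hits if h[0] == pinned_fp]
        if len(hits) != 1:
            raise LookupError(f"{len(hits)} keys match {some_id.hex()}")
        return hits[0][1]

# Constructed fingerprints (not real keys) that share the same 32-bit short ID.
FP_A = bytes.fromhex("11" * 12 + "aaaaaaaa" + "deadbeef")
FP_B = bytes.fromhex("22" * 12 + "bbbbbbbb" + "deadbeef")

def build_demo() -> Keyring:
    kr = Keyring()
    kr.add(FP_A, "alice@example.org")
    kr.add(FP_B, "bob@example.org")
    return kr
```

Looking up the shared short ID returns both keys, so `resolve` raises unless the caller supplies the full fingerprint it expects.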
    


