Re: PGP Signatures security BUG!

From: Steven M. Bellovin (smbat_private)
Date: Wed Mar 08 2000 - 10:10:39 PST

Next message: Eric Knight: "New online publication: "Computer Vulnerabilities""

Previous message: Jeremiah Johnson: "[TL-Security-Announce] man-1.5g-5 and earlier TLSA2000004-1"
Maybe in reply to: Povl H. Pedersen: "PGP Signatures security BUG!"
Next in thread: Salzman, Noah: "Re: PGP Signatures security BUG!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <p04310108b4eabe46523c@[130.227.158.132]>, "Povl H. Pedersen" writes
:

>
> It will take a long time to generate a new key with a specific
> fingerprint, but nonetheless, this 'overwriting' and hiding of other
> users IDs in the public PGP servers is bad.

Minor nit -- there's a big difference between a "fingerprint" -- which is the
result of a cryptographic hash on the key, and should *never* collide (and if
it does, you can get lots of attention by showing that the hash function isn't
strong enough) -- and a "key id", which is much shorter.

		--Steve Bellovin

Next message: Eric Knight: "New online publication: "Computer Vulnerabilities""
Previous message: Jeremiah Johnson: "[TL-Security-Announce] man-1.5g-5 and earlier TLSA2000004-1"
Maybe in reply to: Povl H. Pedersen: "PGP Signatures security BUG!"
Next in thread: Salzman, Noah: "Re: PGP Signatures security BUG!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:18 PDT