Patrick Oonk <patrickat_private> writes:

> A vulnerability in PGP's display of key validity has been discovered
> that could allow an attacker to fool users into thinking that a valid
> signature was created by what is actually an invalid user ID.

According to Sieuwert van Otterloo, PGP 5 and 6 are affected by this problem as well. (However, these versions have other problems as well, so you should not use them anyway.)

Similar problems exist in PGP 2.x (the PGP version by Phil's Pretty Good Software) and its derivatives. Their notion of the primary user ID is flawed, too, although they do not support the V4 primary user ID subpacket.

GnuPG does not mark non-certified user IDs when listing the user IDs for a key (but at least lists all user IDs, so you can notice that something fishy is going on), and the use of '--with-colons' without '--fixed-list-mode' by a frontend might cause the frontend to output misleading information much in the same way as PGP 7.

-- 
Florian Weimer            Florian.Weimerat_private-Stuttgart.DE
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT                  +49-711-685-5973/fax +49-711-685-5898
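As an added example (not from the mail above and not GnuPG's own code), the following Python reads a '--with-colons' listing and reports each user ID's own validity instead of the key's, which is the check a frontend needs to avoid the misleading display described. The field layout (record type in field 1, validity in field 2, user ID in field 10), the validity codes and the sample listing with its placeholder key ID are assumptions based on GnuPG's DETAILS documentation, not taken from the mail.

```python
"""Per-user-ID validity check over 'gpg --with-colons --fixed-list-mode' output.
Field positions and validity codes are assumed from GnuPG's DETAILS file; the
sample listings are constructed (placeholder key IDs and addresses)."""

# Validity codes found in field 2 of pub/uid records (assumed from DETAILS).
VALID = {"f": "full", "u": "ultimate"}
NOT_VALID = {"-": "unknown", "o": "unknown", "q": "undefined", "n": "never",
             "m": "marginal", "r": "revoked", "e": "expired",
             "i": "invalid", "d": "disabled"}

# Constructed fixed-list-mode listing: the key is fully valid, the first user
# ID is certified, the second user ID is not.
SAMPLE_FIXED = """\
pub:f:2048:1:0123456789ABCDEF:1600000000:::-:::scESC::::::
uid:f::::1600000000::HASH0000::Alice <alice@example.org>::::
uid:-::::1600000000::HASH0001::Alice <alice@example.net>::::
"""

# Constructed listing without --fixed-list-mode: older gpg put the first user
# ID into field 10 of the pub record, so a naive frontend shows it with the
# key's overall validity (assumption based on DETAILS).
SAMPLE_OLD = "pub:f:2048:1:ABCDEF0123456789:1600000000:::-:Alice <alice@example.org>:\n"


def parse_listing(text):
    """Group uid records under their pub record; note pub lines carrying a uid."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "key_validity": f[1], "uids": [],
                         "pub_carries_uid": len(f) > 9 and bool(f[9])})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[1], f[9]))
    return keys


def uncertified_uids(keys):
    """User IDs whose own validity is not full/ultimate, even on a valid key."""
    return [(k["keyid"], uid, NOT_VALID.get(v, v))
            for k in keys for v, uid in k["uids"] if v not in VALID]


def needs_fixed_list_mode(keys):
    """Key IDs whose pub record carries a user ID: listing was not fixed-list."""
    return [k["keyid"] for k in keys if k["pub_carries_uid"]]


if __name__ == "__main__":
    for keyid, uid, why in uncertified_uids(parse_listing(SAMPLE_FIXED)):
        print(f"{keyid}: user ID {uid!r} is NOT certified ({why})")
    print("not fixed-list-mode:", needs_fixed_list_mode(parse_listing(SAMPLE_OLD)))
```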
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 14:52:34 PDT