Date: 2000-08-27
PGP, Holes & Transience
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
What Ralf Senderek writes to Declan [of Wired] about the
PGP versions proves right those who have said so all along.
Everything above PGP version 2.6 is potentially the devil's
work, or rather the NSA's.
postscrypt: The URL most humbly appended at the very bottom,
which leads to a keyserver, might perhaps reveal that the
chief q/depesche servant is being beset, this very night, by
thoughts of the transience of things.
Attached to this -key, generated in anno 96 and lately used
only for signing purposes, is a historically grown keyring
of other public keys that can no longer be trusted from
now on.
post/post/skrypt: It is time to generate new
keys.
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
A note to the public.
I have been warning repeatedly about using newer versions of
PGP for over two years now. In a study I put on the net in
August 1998 which is also present on the PGP-International
website I expressed my valuation of the ADK-problem which
came with the newer versions. May I cite one sentence from
my earlier work:
"I do not know which mechanism will prevent a user's public
key to be linked with another faked message recovery key
without the user's consent or knowledge."
I expressed my fear that this can happen and hoped that
there will be security-checking mechanisms to prevent this.
But not knowing much about the details of signatures and
packages in 1998 I finally started to put this to a test
because in the meantime almost everyone got used to the
new keys. Completing my study and making sure that
everyone who repeats my tests will get the same results I
presented my study to the public on Tuesday 22nd August
2000 and informed persons working on computer security
immediately.
So I did not find a bug in the PGP-source code, that was
Steve Early working with Ross Anderson after having studied
my experimental research at Cambridge on Wednesday. I
discovered that there simply is no checking done, not even
the attempt to detect unauthorized manipulations of public
keys. This is not a bug, this is a scandal, because NAI put
ADKs into PGP without caring about simple manipulations.
Obviously there has never been a well thought-out security
strategy and most of the relevant information the public got
from NAI concerning ADKs was completely untrue as my
experiments reveal.
No quick debugging will solve this situation and the damage
being done to the reputation of PGP by everyone who
supports Additional Decryption Keys.
I am opposed to Additional Decryption Keys, as you know,
but I do not want people to turn away from PGP. I would like
to see people getting rid of the ADK-problem actively by
checking the keys they use and avoiding the new signature
type.
"Use PGP-classic in a reliably secure environment." That
would be my advice if I had 49 characters left on the telegram.
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
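One way to carry out the key check the note asks for, as an added example (not from Senderek's study or this newsletter): it scans a v4 signature packet body for ADK requests and reports whether each sits in the hashed area, which the signature covers, or the unhashed area, which it does not. Assumed here: subpacket type 10 with a class, algorithm, 20-byte fingerprint layout; the sample bytes and fingerprint are constructed.

```python
import struct

ADK = 10  # subpacket type PGP uses for an Additional Decryption Key request

def subpackets(area):
    """Yield (type, critical, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]
        i += 1
        if n == 255:                      # 5-octet length form
            n = struct.unpack(">I", area[i:i + 4])[0]
            i += 4
        elif n >= 192:                    # 2-octet length form
            n = ((n - 192) << 8) + area[i] + 192
            i += 1
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + n]
        i += n

def find_adks(sig_body):
    """List ADK requests in a signature packet body and the area each sits in."""
    if sig_body[0] != 4:
        return []                         # v3 (classic) signatures carry no subpackets
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[off:off + 2])[0]
    areas = (("hashed", sig_body[6:off]),
             ("unhashed", sig_body[off + 2:off + 2 + unhashed_len]))
    return [{"area": name, "critical": crit, "fingerprint": data[2:].hex()}
            for name, area in areas
            for typ, crit, data in subpackets(area) if typ == ADK]

def sp(typ, data):
    """Constructed-sample helper: one subpacket with a 1-octet length."""
    return bytes([len(data) + 1, typ]) + data

def sample(adk_hashed):
    """Constructed v4 certification signature body with a made-up ADK fingerprint."""
    adk = sp(ADK, bytes([0x80, 16]) + bytes(range(20)))   # class, algo, 20-byte fpr
    hashed = sp(2, struct.pack(">I", 967334400)) + (adk if adk_hashed else b"")
    unhashed = sp(16, bytes(8)) + (b"" if adk_hashed else adk)
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

if __name__ == "__main__":
    for flag in (True, False):
        print(find_adks(sample(flag)))
```

An ADK request reported in the unhashed area was not vouched for by whoever made the signature. A v3 signature yields an empty list because it has no subpackets at all.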
historical key
https://keyserver.ad.or.at/cgi-bin/key/Search?keyid=AC922C4D
-.- -.-. --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 2000-08-27
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-