-----BEGIN PGP SIGNED MESSAGE----- Yow! I'm using PGP 5.0, with the PGPtray and the Eudora Plugin, in a version that appears to be b14c3 for Win95. When I receive a signed email message, or check with PGPtray, it tells me the message is from "User <email@foo.com>", but doesn't tell me it's from KeyID 0x12345678 or the fingerprint of the key or anything even vaguely difficult to fake. Thus, I've signed this message as Phil Zimmermann FAKE <prz@acm.org>, and if I'd left out the FAKE it would be difficult to tell it from a real Phil key. The GUI happily gives me a message box saying "Good signature from Phil Zimmermann FAKE <prz@acm.org>". We've been discussing 0xDEADBEEF attacks on Cypherpunks and Coderpunks, but this appears to be far worse - I hope it's been fixed for the production version? -----BEGIN PGP SIGNATURE----- Version: 5.0 beta Charset: noconv iQBVAwUBM5u51kEvGqT1DvpRAQHnwgIAzF7uBmgsk9+c4IZObsnXBJBHuCFEUsMr 3V64azY6Wp156SFgDPGODQvQxzDiQCb96hUz2RK2j7DxfekOZ7rzjw== =u93K -----END PGP SIGNATURE----- # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list or news, please Cc: me on replies. Thanks.)