In article <20010321133551.B2386@cluebot.com>, Declan McCullagh <declan@well.com> wrote:
Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
A "vulnerability" that requires the opponent to have write access to your private key in order to exploit? Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it. As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine. Bear