CDR: Re: Phil Zimmerman Profiled
> > Minor controversies continue to dog PGP. Just within the last year, two small faults in the released code were discovered. While experts agree that neither one presented any practical danger to the security of PGP-based communications, both sparked arguments about NAI's ability and even its intentions. In the first case, a fault in a specific version for Unix could, in principle, compromise a key generated by a method PGP had always deprecated: automatically, without user input.
>
> Heh. A random number generator that produces an output of all zeros. Small flaw. No biggie.

Except for the me that generated a key that was vulnerable to that 0x149DCDDC. However I believe there was an email attached to that and the signatures to that key, but apparently not anymore =) And it's a big deal, can you say 0 strength key?

Max Inux <maxinux@openpgp.net> 0xE42A7FB1 http://www.openpgp.net
Key fingerprint = E4CA 2B4F 24FC B1BF E671 52D0 9E4B A590 E42A 7FB1
If crypto is outlawed only outlaws will have crypto.
'An it harm none, let it be done'

PS, sorry if this is a repost, I posted it about 10 hours ago and it has not gone through ssz, so here it goes to OpenPGP
On Fri, 10 Nov 2000, Max Inux wrote:

> > Heh. A random number generator that produces an output of all zeros. Small flaw. No biggie.
>
> Except for the me that generated a key that was vulnerable to that 0x149DCDDC. However I believe there was an email attached to that and the signatures to that key, but apparently not anymore =) And it's a big deal, can you say 0 strength key?

Sigh. No one seems to have an appreciation of sarcasm anymore.

The vulnerability was, of course, quite serious. The only way NAI dodged the bad publicity the bullet was by saying that no one was affected.

Are you saying they lied? Can you prove your key was affected?

-MW-
On Fri, 10 Nov 2000, Meyer Wolfsheim wrote:
> On Fri, 10 Nov 2000, Max Inux wrote:
>
> > > Heh. A random number generator that produces an output of all zeros. Small flaw. No biggie.
> >
> > Except for the me that generated a key that was vulnerable to that 0x149DCDDC. However I believe there was an email attached to that and the signatures to that key, but apparently not anymore =) And it's a big deal, can you say 0 strength key?
>
> Sigh. No one seems to have an appreciation of sarcasm anymore.
>
> The vulnerability was, of course, quite serious. The only way NAI dodged the bad publicity the bullet was by saying that no one was affected.
>
> Are you saying they lied? Can you prove your key was affected?
The key was/is on the key server, published well prior to the announcement of the bug, actually I believe I published it about a week after PGP 5.0 for Linux was released. You have the Key ID, grab it from the server. I know it was affected due to a phone call I got at 3:00 am the morning after the bug was discovered, when they looked through the key server for any key vulnerable.

Userid: khercs
0x149DCDDC DH/DSS 4096/1024 10/18/1997 Never IDEA
C2FC 876D 2D59 1710 7DA2 12FD 2948 FD98 149D CDDC

William Tiemann <maxinux@openpgp.net> 0xE42A7FB1 http://www.openpgp.net
Key fingerprint = E4CA 2B4F 24FC B1BF E671 52D0 9E4B A590 E42A 7FB1
If crypto is outlawed only outlaws will have crypto.