PGP 5.0 doesn't tell me Which key a message is signed by! [SEVERITY 1]

Bill Stewart stewarts at ix.netcom.com
Mon Jun 9 01:09:11 PDT 1997


-----BEGIN PGP SIGNED MESSAGE-----

Yow!  I'm using PGP 5.0, with the PGPtray and the Eudora Plugin,
in a version that appears to be b14c3 for Win95.

When I receive a signed email message, or check with PGPtray,
it tells me the message is from "User <email at foo.com>",
but doesn't tell me it's from KeyID 0x12345678 or the 
fingerprint of the key or anything even vaguely difficult to fake.
Thus, I've signed this message as Phil Zimmermann FAKE <prz at acm.org>,
and if I'd left out the FAKE it would be difficult to tell it
from a real Phil key.  The GUI happily gives me a message box saying
"Good signature from Phil Zimmermann FAKE <prz at acm.org>".

We've been discussing 0xDEADBEEF attacks on Cypherpunks and Coderpunks,
but this appears to be far worse - I hope it's been fixed
for the production version?
-----BEGIN PGP SIGNATURE-----
Version: 5.0 beta
Charset: noconv

iQBVAwUBM5u51kEvGqT1DvpRAQHnwgIAzF7uBmgsk9+c4IZObsnXBJBHuCFEUsMr
3V64azY6Wp156SFgDPGODQvQxzDiQCb96hUz2RK2j7DxfekOZ7rzjw==
=u93K
-----END PGP SIGNATURE-----


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts at ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)
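The check the message asks for, as an added example that is not part of the original post or of PGP 5.0: it reads GnuPG's machine-readable `--status-fd` output (GnuPG is an assumed stand-in tool here) and accepts a signature only when the full fingerprint reported by `VALIDSIG` matches one pinned for the claimed address, ignoring the user ID. The `PINNED` table, fingerprints, and status lines are constructed sample values.

```python
# Added example: identify a signer by key fingerprint, never by user ID.
# Input is GnuPG --status-fd text; every value below is constructed.

PINNED = {  # address -> fingerprint verified out of band (constructed)
    "prz at acm.org": "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
}

def parse_status(status_text):
    """Return (user_id, fingerprint) taken from GOODSIG / VALIDSIG lines."""
    user_id = fingerprint = None
    for line in status_text.splitlines():
        fields = line.split(" ")
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            # fields[2] is the key ID; the rest is the user ID, which the
            # key's creator chose freely and which proves nothing.
            user_id = " ".join(fields[3:])
        elif fields[1] == "VALIDSIG":
            # Prefer the primary-key fingerprint (10th argument) if present.
            fingerprint = fields[11] if len(fields) >= 12 else fields[2]
    return user_id, fingerprint

def check_signer(status_text, claimed_address, pinned=PINNED):
    """Accept only if the signing key's fingerprint is the pinned one."""
    user_id, fpr = parse_status(status_text)
    if fpr is None:
        return False, "no valid signature"
    expected = pinned.get(claimed_address)
    if expected is None:
        return False, "no pinned fingerprint for " + claimed_address
    if fpr.upper() != expected.upper():
        return False, "user ID %r is on unpinned key %s" % (user_id, fpr)
    return True, "signed by pinned key " + fpr

# Constructed status output: same user ID, two different keys.
LOOKALIKE = (
    "[GNUPG:] GOODSIG 9999AAAA8888BBBB Phil Zimmermann <prz at acm.org>\n"
    "[GNUPG:] VALIDSIG 0000FFFF0000FFFF0000FFFF9999AAAA8888BBBB 1997-06-09 "
    "865843751 0 4 0 1 2 00 0000FFFF0000FFFF0000FFFF9999AAAA8888BBBB\n")
PINNED_KEY = (
    "[GNUPG:] GOODSIG DDDD4444EEEE5555 Phil Zimmermann <prz at acm.org>\n"
    "[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 1997-06-09 "
    "865843751 0 4 0 1 2 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\n")

if __name__ == "__main__":
    for name, text in (("lookalike", LOOKALIKE), ("pinned", PINNED_KEY)):
        print(name, check_signer(text, "prz at acm.org"))
```

Both sample inputs carry an identical "good signature" user ID; only the fingerprint comparison separates them.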






