PGP flaw found by Czech firm allows dig sig to be forged
Reese
reeza at flex.com
Thu Mar 22 17:41:31 PST 2001
At 08:36 AM 3/22/01 -0800, Ray Dillinger wrote:
>In article <20010321133551.B2386 at cluebot.com>,
>Declan McCullagh <declan at well.com> wrote:
>
>> Pretty Good Privacy that permits digital signatures to be forged in
>> some situations.
>>
>> Phil Zimmermann, the PGP inventor who's now the director of the
>> OpenPGP Consortium, said on Wednesday that he and a Network Associates
>> (NETA) engineer verified that the vulnerability exists.
>>
>> ICZ, a Prague company with 450 employees, said that two of its
>> cryptologists unearthed a bug in the OpenPGP format that allows an
>> adversary who breaks into your computer to forge your e-mail
>> signature.
>
>A "vulnerability" that requires the opponent to have write access
>to your private key in order to exploit?
>
>Okay. What was PGP's threat model again? I'd have sworn that this
>was squarely outside it.
>
>As far as I can tell, *NOBODY* offers security tools that offer real
>protection in the event your opponent has physical access to the
>machine.
Maybe acme.com???
Always did right by Wile E. Coyote,,, ;)
Reese