Bugtraq mailing list archives
Re: PGP Signatures security BUG!
From: pedersen () NETGUIDE DK (Povl H. Pedersen)
Date: Thu, 9 Mar 2000 09:07:08 +0100

With the message from Tobias (who is in my keyring now), I get:

*** PGP Signature Status: good, but key has no validity
*** Signer: Tobias Haustein (Informatik IV, RWTH-Aachen) <haustein () informatik rwth-aachen de>
*** Signed: 08/03/00 at 12:53
*** Verified: 09/03/00 at 8:58

But with the other message, I got:

*** PGP Signature Status: good, Signer <unknown>

or something like that. Looking this signer up, I got the entry for Mike Evans, who was NOT the guy who had signed it.

It may all come down to bad wording, and teaching the users. But most of the simple non-technical users would assume that doing a lookup, and only getting one ID back, would signal that this signature had indeed signed it.

I think that at least the wording should be different. Something like:

*** PGP message signature not validated because sender unknown
*** Signer: unknown / nobody

This would clearly tell end users that something is going wrong. Saying the checksum is OK, without checking and listing the signer's signature, is worse, and would fool more users.

--
--- Povl H. Pedersen - Chief Technology Officer - NetGuide Scandinavia as
Phone: +45 8618 1845 Cellular: +45 4093 5511 Fax: +45 8618 1863
e-mail: mailto:pope () netguide dk - PGP Key ID: 0x8F4BC755