Bugtraq mailing list archives
Re: PGPsdk Key Validity Vulnerability
From: Florian Weimer <Florian.Weimer () RUS Uni-Stuttgart DE>
Date: 04 Sep 2001 18:17:52 +0200
Patrick Oonk <patrick () pine nl> writes:
A vulnerability in PGP's display of key validity has been discovered that could allow an attacker to fool users into thinking that a valid signature was created by what is actually an invalid user ID.
According to Sieuwert van Otterloo, PGP 5 and 6 are affected by this problem as well. (However, these versions have other problems as well, so you should not use them anyway.) Similar problems exist in PGP 2.x (the PGP version by Phil's Pretty Good Software) and its derivatives. Their notion of the primary user ID is flawed, too, although they do not support the V4 primary user ID subpacket. GnuPG does not mark non-certified user IDs when listing the user IDs for a key (but at least lists all user IDs, so you can notice that something fishy is going on), and the use of '--with-colons' without '--fixed-list-mode' by a frontend might cause the frontend to output misleading information much in the same way as PGP 7. -- Florian Weimer Florian.Weimer () RUS Uni-Stuttgart DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Current thread:
- PGPsdk Key Validity Vulnerability Patrick Oonk (Sep 04)
- Re: PGPsdk Key Validity Vulnerability Florian Weimer (Sep 04)