PGP flaw found by Czech firm allows dig sig to be forged
Ray Dillinger
bear at sonic.net
Thu Mar 22 08:36:40 PST 2001
In article <20010321133551.B2386 at cluebot.com>,
Declan McCullagh <declan at well.com> wrote:
> Pretty Good Privacy that permits digital signatures to be forged in
> some situations.
>
> Phil Zimmermann, the PGP inventor who's now the director of the
> OpenPGP Consortium, said on Wednesday that he and a Network Associates
> (NETA) engineer verified that the vulnerability exists.
>
> ICZ, a Prague company with 450 employees, said that two of its
> cryptologists unearthed a bug in the OpenPGP format that allows an
> adversary who breaks into your computer to forge your e-mail
> signature.

A "vulnerability" that requires the opponent to have write access
to your private key in order to exploit?

Okay. What was PGP's threat model again? I'd have sworn that this
was squarely outside it.

As far as I can tell, *NOBODY* offers security tools that offer real
protection in the event your opponent has physical access to the
machine.

Bear