[linux-elitists] [david.kennedy@ACM.ORG: Czech PGP Flaw Tech Details]

Karsten M. Self kmself@ix.netcom.com
Mon Mar 26 11:06:54 PST 2001


on Mon, Mar 26, 2001 at 08:41:01AM +0100, Paul J Collins (sneakums@zork.net) wrote:
> >>>>> "BLSC" == Brooklyn Linux Solutions CEO <ruben@mrbrklyn.com> writes:
> 
>     BLSC> And your open source solution is?
> 
> It shouldn't be long before we are drowning in vendor advisories, once
> the GnuPG team fixes the problem.
> 
> However, if someone is able to get a copy of your private key, fiddle
> with it and replace it, all without your knowledge, you have other
> problems you need to address, such as system security.

Interesting, Ruben's post didn't seem to filter to this list; I thought
it was just a personal reply.

At any rate, I was posting an advisory, not a bugfix.  Just so that
those who're using GPG under multiuser environments (where the exploit
is most likely, though still difficult to accomplish) would be aware.

My understanding is that this is a cryptographic attack; solutions
probably require re-architecting the GPG protocol.  But I don't have a
deep understanding of the protocol or attack.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org