Bugtraq mailing list archives

Re: PGP Signatures security BUG!


From: wk () GNUPG ORG (Werner Koch)
Date: Wed, 8 Mar 2000 11:32:41 +0100


On Tue, 7 Mar 2000, Povl H. Pedersen wrote:

> The problem is that the PGP servers expect all key IDs to be unique
> numbers, and do not expect 2 users to have the same keyID. And with
> the current amount of users, we are starting to get multiple users
> with the same keyID.

RFC2440 clearly states that a conforming implementation MUST not assume
that key IDs are unique.  However, NAI does not claim that their PGP
is OpenPGP compatible.

There will be a keyserver admin meeting in May where we are going to
discuss all these topics.

BTW, faking the short key ID (the one that is normally displayed -
internally 64 bits are used) is possible on a standard box within some
hours.

  Werner
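
As an added example (not code from the post, GnuPG, or any keyserver), a keyring lookup that follows the RFC 2440 rule cited above: a key ID maps to a list of candidate keys, and only the full fingerprint settles which one is meant. It covers V4 keys only; the `Keyring` class, the sample keys, and the 1-bit `id_bits` setting used to force a collision in the demo are assumptions made for illustration.

```python
import hashlib
import struct
from collections import defaultdict

def mpi(x: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian value."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def v4_rsa_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (algorithm 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> bytes:
    """V4 fingerprint: SHA-1 over 0x99, 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def truncated_id(body: bytes, bits: int) -> int:
    """Low-order bits of the fingerprint: 64 = key ID, 32 = short key ID."""
    return int.from_bytes(fingerprint(body), "big") & ((1 << bits) - 1)

class Keyring:
    """Hypothetical index that maps a key ID to a list of keys, never to one key."""
    def __init__(self, id_bits: int = 64):
        self.id_bits = id_bits
        self._index = defaultdict(list)

    def add(self, owner: str, body: bytes) -> int:
        kid = truncated_id(body, self.id_bits)
        self._index[kid].append((owner, body))
        return kid

    def candidates(self, kid: int) -> list:
        return list(self._index.get(kid, []))

    def resolve(self, kid: int, expected_fpr: bytes = None) -> str:
        """Return the owner for kid; ambiguity is settled only by a full fingerprint."""
        found = self.candidates(kid)
        if expected_fpr is not None:
            found = [c for c in found if fingerprint(c[1]) == expected_fpr]
        if len(found) != 1:
            raise LookupError(f"{len(found)} keys match ID {kid:#x}")
        return found[0][0]

def demo_ring():
    # Constructed sample keys (not real RSA moduli). A 1-bit ID stands in for
    # the truncation: three keys over two possible IDs must share an ID.
    ring = Keyring(id_bits=1)
    bodies = {name: v4_rsa_body(952511561 + i, 0xC0FFEE01 + 2 * i, 65537)
              for i, name in enumerate(["alice", "bob", "carol"])}
    ids = {name: ring.add(name, body) for name, body in bodies.items()}
    return ring, bodies, ids
```

With the default `id_bits=64` the same code indexes by the real key ID; `resolve` still refuses to pick a key when more than one candidate shares it and no fingerprint is supplied.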

