Home page logo

bugtraq logo Bugtraq mailing list archives

Re: PGP Signatures security BUG!
From: pedersen () NETGUIDE DK (Povl H. Pedersen)
Date: Thu, 9 Mar 2000 09:07:08 +0100

With the message from Tobias (who is in my kerying now), I get:

*** PGP Signature Status: good, but key has no validity
*** Signer: Tobias Haustein (Informatik IV, RWTH-Aachen)
<haustein () informatik rwth-aachen de>
*** Signed: 08/03/00 at 12:53
*** Verified: 09/03/00 at 8:58

But with the other message, I got:
*** PGP Signature Status: good, Signer <unknown>

or something like that. Looking this signer up, I got the entry for
Mike Evans, who was NOT the guy who had signed it.

It may all come down to bad wording, and teaching the users. But most
of the simple non-technical users would assume that doing a lookup,
and only get one ID back would signal that this signature had indeed
signed it.

I think that at least the wording should be different. Something like:

*** PGP message signature not validated because sender unknown
*** Signer: unknown / nobody

This would clearly tell end users that something is going wrong.

Saying the checksum is OK, without checking and listing the signers
signature is worse, and would fool more users.

Povl H. Pedersen   -   Chief Technology Officer  -   NetGuide Scandinavia as
Phone: +45 8618 1845    Cellular: +45 4093 5511    Fax:   +45 8618 1863
e-mail: mailto:pope () netguide dk     -    PGP Key ID: 0x8F4BC755

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]