Re: PGP Signatures security BUG!
From: pedersen () NETGUIDE DK (Povl H. Pedersen)
Date: Thu, 9 Mar 2000 09:07:08 +0100
With the message from Tobias (who is in my keyring now), I get:
*** PGP Signature Status: good, but key has no validity
*** Signer: Tobias Haustein (Informatik IV, RWTH-Aachen)
<haustein () informatik rwth-aachen de>
*** Signed: 08/03/00 at 12:53
*** Verified: 09/03/00 at 8:58
But with the other message, I got:
*** PGP Signature Status: good, Signer <unknown>
or something like that. Looking this signer up, I got the entry for
Mike Evans, who was NOT the guy who had signed it.
It may all come down to bad wording, and teaching the users. But most
of the simple non-technical users would assume that doing a lookup,
and only getting one ID back would signal that this signature had indeed
I think that at least the wording should be different. Something like:
*** PGP message signature not validated because sender unknown
*** Signer: unknown / nobody
This would clearly tell end users that something is going wrong.
Saying the checksum is OK, without checking and listing the signer's
signature is worse, and would fool more users.
Povl H. Pedersen - Chief Technology Officer - NetGuide Scandinavia as
Phone: +45 8618 1845 Cellular: +45 4093 5511 Fax: +45 8618 1863
e-mail: mailto:pope () netguide dk - PGP Key ID: 0x8F4BC755