mailing list archives
Re: PGP Signatures security BUG!
From: Florian.Weimer () RUS UNI-STUTTGART DE (Florian Weimer)
Date: Fri, 10 Mar 2000 19:11:58 +0100
"Povl H. Pedersen" <pope () NETGUIDE DK> writes:
This was the first time he verified it.
The signature has Key ID: 0x6F620B65
So he had to look up the key using the keyservers, and surprisingly
enough, the server did NOT return the name of the sender, but of a
person called "Mike Evans".
Several answers in this thread have addressed quite a few problems
regarding faked user IDs and key IDs. This kind of attack is a
significant threat only if you rely on this information to establish
the validity of a public key, but of course, this approach is
The problem that Povl observed was likely quite different. According
to my own attempts, NAI's server simply returned the wrong key, which
didn't share any obvious characteristics with the one which was
requested (both key ID and user ID were different). Currently, I'm
unable to reproduce the server behavior, though.
BTW: If you want to hide the name of your communication partners, it's
not very wise to reveal their PGP key ID, especially if it's
registered at public key servers.
Florian Weimer Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS Security Team +49-711-685-5973/fax +49-711-685-5898
- Re: a few bugs ..., (continued)