[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PGP 5.0 doesn't tell me Which key a message is signed by! [SEVERITY 1]



-----BEGIN PGP SIGNED MESSAGE-----

Yow!  I'm using PGP 5.0, with the PGPtray and the Eudora Plugin,
in a version that appears to be b14c3 for Win95.

When I receive a signed email message, or check with PGPtray,
it tells me the message is from "User <[email protected]>",
but doesn't tell me it's from KeyID 0x12345678 or the 
fingerprint of the key or anything even vaguely difficult to fake.
Thus, I've signed this message as Phil Zimmermann FAKE <[email protected]>,
and if I'd left out the FAKE it would be difficult to tell it
from a real Phil key.  The GUI happily gives me a message box saying
"Good signature from Phil Zimmermann FAKE <[email protected]>".

We've been discussing 0xDEADBEEF attacks on Cypherpunks and Coderpunks,
but this appears to be far worse - I hope it's been fixed
for the production version?
-----BEGIN PGP SIGNATURE-----
Version: 5.0 beta
Charset: noconv

iQBVAwUBM5u51kEvGqT1DvpRAQHnwgIAzF7uBmgsk9+c4IZObsnXBJBHuCFEUsMr
3V64azY6Wp156SFgDPGODQvQxzDiQCb96hUz2RK2j7DxfekOZ7rzjw==
=u93K
-----END PGP SIGNATURE-----


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)