On 06/25/2012 10:18 AM, Johan Wevers wrote: > That depends on your threat model. If signing messages is not so > important to you but encrypting is, this advice is understandable. > So let MD5 be broken, it matters not for encryption.
If MD5 signatures can be forged (and news reports strongly indicate they can be), that means the self-signature on certificates is now susceptible to forgery. > This suggests a threat model where your opponent has almost Stuxnet > like capabilities. It may make sense to talk about specific things we've discovered about those two pieces of work (Flame being the other), but let's be careful using them as adjectives. We genuinely don't know enough about them: it will take the public antivirus community years to discover exactly what and how they do what they do. > Since the pgp 2 days we get warnings about adapted compilers, but > I've never seen something like that surfacing. "Lieutenant, when you see Indians, be careful. When you don't see Indians, be more careful." -- _Ride Ranger Ride_, a 1936 Gene Autry film Competent malware hides better than Lamont Cranston. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users