Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on
Thu Jun 21 22:38:31 CEST 2012 :
>v3 keys have a serious
>vulnerability in that their fingerprint mechanism is trivially
>gamable,
>so long keyid collisions are easy.
The 'serious vulnerability' you refer to, is trivially countered by
simply lis
On Jun 22, 2012, at 10:21 AM, ved...@nym.hush.com wrote:
> Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on
> Thu Jun 21 22:38:31 CEST 2012 :
>
>> v3 keys have a serious
>> vulnerability in that their fingerprint mechanism is trivially
>> gamable,
>> so long keyid collisions are easy.
>
> The
On Fri, Jun 22, 2012 at 10:21:35AM -0400, ved...@nym.hush.com wrote:
> vulnerability in that their fingerprint mechanism is trivially
> gamable,
> so long keyid collisions are easy.
[snip]
Please fix your mail client. It is breaking threads.
Thanks,
--
. o . o . o . . o o . . . o .
.
Hi All
I was demonstrating GPA for the first time to a class of students
yesterday and a very strange thing happened. (Note that I am new to GPA,
having used OpenPGP for the last 10 years, so I am not familiar with its
"normal" behaviour). When I signed a message in the clipboard and was
aske
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 22/06/12 16:54, David Chadwick wrote:
> Hi All
>
> I was demonstrating GPA for the first time to a class of students yesterday
> and a very
> strange thing happened. (Note that I am new to GPA, having used OpenPGP for
> the last
> 10 years, so I
On Fri, 22 Jun 2012 11:23:27 -0400 David Shaw
wrote:
>There is more than one attack against V3. There is the "bit
>sliding" attack, where you can forge the whole fingerprint, but as
>a side effect it changes the keysize, and there is the DEADBEEF
>attack where you can forge the key ID, but
On 6/22/2012 12:39 PM, ved...@nym.hush.com wrote:
> " trivially countered by
> simply listing the keysize together with the fingerprint."
This is, unfortunately, not a trivial fix.
Already people don't pay attention to proper validation because the idea
of checking the fingerprint is alien to the
On 6/22/2012 11:54 AM, David Chadwick wrote:
> I was demonstrating GPA for the first time to a class of students
> yesterday and a very strange thing happened.
I was able to recreate this on GPG4WIN Win7/64, incidentally. The
problem does not appear to be in GPA, but in pinentry. It can be
recre
On Fri, 22 Jun 2012 12:56:46 -0400 Robert J. Hansen
wrote:
>On 6/22/2012 12:39 PM, ved...@nym.hush.com wrote:
>> " trivially countered by
>> simply listing the keysize together with the fingerprint."
>
>This is, unfortunately, not a trivial fix.
>
>Already people don't pay attention to proper v
Hi Robert
yes you are right. It does indeed reveal your passphrase.
I also tried to repeat my problem again with GPA, and this time most of
my passphrase appeared in a thunderbird window that had not popped up
when I started to use GPA after immediately reading your email.
Something (I did?)
On 6/22/2012 1:44 PM, ved...@nym.hush.com wrote:
> As you mentioned earlier, the v3 people have an entrenched user-
> base, and are hardly novices, and 'for them', listing the keysize
> with the fingerprint, really is trivial.
If people want to keep using PGP 2.6, let them, but I'm not going to
h
Hi All
I was demonstrating GPA for the first time to a class of students
yesterday and a very strange thing happened. (Note that I am new to GPA,
having used OpenPGP for the last 10 years, so I am not familiar with its
"normal" behaviour). When I signed a message in the clipboard and was
aske
On Fri, 22 Jun 2012 14:18:25 -0400 Robert J. Hansen
wrote:
>If people want to keep using PGP 2.6, let them, but I'm not going
>to help them do it.
>Were it up to me, PGP 2.6 support in GnuPG would be reduced to
>read-only. So be thankful Werner isn't paying attention to my
>preferences. :
On 06/22/2012 02:52 PM, ved...@nym.hush.com wrote:
> Am somewhat surprised by the unprovoked V3 rants, when I asked for
> nothing from anyone, and only thanked WK for allowing it to happen.
Your characterization of "adding the key length is a trivial
[something]" is what irritated me. As I menti
Hello. In this instance I am running 64-bit Win7, and I have GPA installed
with Gpg 2.0.17, which came from here: http://www.gpg4win.org/. In my
configuration file are these two lines:
keyserver hkps://zimmermann.mayfirst.org
keyserver-options verbose ca-cert-file=%appdata%\gnupg\mfpl.crt
An
On Fri, Jun 22, 2012 at 02:18:13PM -0400, Robert J. Hansen wrote:
> On 6/22/2012 1:44 PM, ved...@nym.hush.com wrote:
> > As you mentioned earlier, the v3 people have an entrenched user-
> > base, and are hardly novices, and 'for them', listing the keysize
> > with the fingerprint, really is trivia
16 matches