Fwd: [PGP-USERS] ANNOUNCE: PGP Validity Display Patches Available

R. A. Hettinga rah at shipwright.com
Tue Sep 4 16:57:47 EDT 2001


--- begin forwarded text


Status:  U
Date: Tue, 4 Sep 2001 08:15:50 +0100
To: usual at espace.net
From: Fearghas McKay <fm at espace.net>
Subject: Fwd: [PGP-USERS] ANNOUNCE: PGP Validity Display Patches Available
Reply-To: "Usual People List" <usual at espace.net>
Sender: <usual at espace.net>
List-Subscribe: <mailto:usual-on at espace.net>


--- begin forwarded text


Date: Mon, 03 Sep 2001 17:41:09 -0700
From: Will Price <wprice at cyphers.net>
X-Accept-Language: en,pdf
To: pgp-users at cryptorights.org
Subject: [PGP-USERS] ANNOUNCE: PGP Validity Display Patches Available
Sender: pgp-users-admin-human at cryptorights.org
Reply-To: pgp-users at cryptorights.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PGPsdk Key Validity Display Vulnerability

A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third
party, they can then add a second user ID to their key which is
unsigned. The attacker must then switch the unsigned false user ID to
primary and convince the victim to place the key on their keyring. In
such a case, some of the displays in PGP do not properly identify the
false user ID as invalid because the second user ID is fully valid.
Whenever PGP displays validity information on a per-user ID basis,
the display is correct. Thus, attentive users who examine the user
IDs of all public keys which they import to their keyrings will
immediately notice this problem before it could have any impact.

This issue was discovered and reported to Network Associates/PGP
Security, Inc. by Sieuwert van Otterloo.

This issue has been corrected such that all key validity displays in
PGP will properly mark the unsigned user ID as invalid. Hotfixes are
now available for the following products:

PGP Corporate Desktop v7.1 (MacOS9/Win32)
PGP Personal Security v7.0.3 (MacOS9/Win32)
PGP Freeware v7.0.3 (MacOS9/Win32)

PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)

Product upgrades are available for the following products:

PGP E-Business Server v6.5.8x (OS/390)
PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)

The hotfixes and upgrades can be found at:
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp

Network Associates/PGP Security Inc. has published the PGPsdk source
code in electronic form for academic and cryptographic peer review.
The source packages can be downloaded from:

http://www.pgp.com/downloads/default.asp



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO5Qi5qy7FkvPc+xMEQLlEgCguEA97m5kzov5ZdfWYz6b/rGNBnIAoJ6/
sZOjIZUp8loameOTRj3sgqPs
=elB/
-----END PGP SIGNATURE-----

....................................................................
Unsubscribe: <mailto:pgp-users-listbot at cryptorights.org?body=unsubscribe>
Automated Help/Info: <mailto:pgp-users-listbot at cryptorights.org?body=help>
List Homepage: <http://cryptorights.org/pgp-users/>
List Admin (human): <mailto:pgp-users-admin-human at cryptorights.org>
Please do not send administrative commands to the list address!  Thanks.

--- end forwarded text

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
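The advisory above describes a display logic flaw: validity was computed for the key as a whole, so an unsigned user ID flagged as primary inherited the validity of a different, certified user ID on the same key. The following toy model, added here as an example and not code from the PGPsdk or from Network Associates, contrasts a key-level validity display with the corrected per-user-ID display and shows what the per-user-ID inspection recommended in the advisory reveals. The key IDs, names, addresses and the trusted introducer are constructed for the demonstration; the model covers only what the advisory states (one certified user ID, one unsigned user ID made primary).

```python
"""Toy model of the key-validity display flaw described in the advisory.

Added example, not PGPsdk code. Key IDs, user IDs and the trusted
introducer below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class UserID:
    name: str
    # Key IDs of third parties that certified this user ID (constructed).
    certifications: frozenset = field(default_factory=frozenset)
    primary: bool = False


@dataclass
class PublicKey:
    key_id: str
    user_ids: list


def uid_is_valid(uid: UserID, trusted_signers: frozenset) -> bool:
    """A user ID is valid only if a signer the verifier trusts certified it."""
    return bool(uid.certifications & trusted_signers)


def primary_uid(key: PublicKey) -> UserID:
    """The user ID the key holder flagged as primary, else the first one."""
    return next((u for u in key.user_ids if u.primary), key.user_ids[0])


def display_key_level(key: PublicKey, trusted_signers: frozenset) -> tuple:
    """The flawed display: primary name paired with whole-key validity.

    Any certified user ID makes the key 'valid', so the attacker's unsigned
    primary user ID borrows the validity of the certified one.
    """
    key_valid = any(uid_is_valid(u, trusted_signers) for u in key.user_ids)
    return primary_uid(key).name, key_valid


def display_per_uid(key: PublicKey, trusted_signers: frozenset) -> tuple:
    """The corrected display: validity evaluated for the user ID shown."""
    uid = primary_uid(key)
    return uid.name, uid_is_valid(uid, trusted_signers)


def per_uid_report(key: PublicKey, trusted_signers: frozenset) -> list:
    """What an attentive user sees when inspecting every user ID on import."""
    return [(u.name, uid_is_valid(u, trusted_signers)) for u in key.user_ids]


# Constructed scenario: the victim trusts introducer 0xCA110000, who
# certified Mallory's real user ID. Mallory then adds an unsigned
# "Alice" user ID and makes it primary.
TRUSTED_SIGNERS = frozenset({"0xCA110000"})


def attacker_key() -> PublicKey:
    signed = UserID("Mallory <mallory@example.org>", frozenset({"0xCA110000"}))
    forged = UserID("Alice <alice@example.org>", primary=True)
    return PublicKey("0xA77AC4E2", [signed, forged])


if __name__ == "__main__":
    key = attacker_key()
    print("key-level display  :", display_key_level(key, TRUSTED_SIGNERS))
    print("per-user-ID display:", display_per_uid(key, TRUSTED_SIGNERS))
    for name, valid in per_uid_report(key, TRUSTED_SIGNERS):
        print(f"  {name:32} {'valid' if valid else 'INVALID'}")
```

Run stand-alone, the key-level display reports the forged "Alice" user ID as valid while the per-user-ID display and the full report mark it invalid, which is the behaviour the hotfix restores in every display.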