PGPfreeware 8.0: Not so good news for crypto newcomers

Len Sassaman rabbi at abditum.com
Tue Dec 10 16:52:51 EST 2002


On Mon, 9 Dec 2002, Peter Gutmann wrote:

> "Richard Johnson" <rdump at river.com> writes:
>
> >To my dismay, the developers of gnupg chose to embed the command line
> >processing deep in their software, making doing a proper library-supported
> >GUI more difficult.  This was the same mistake that made PGP 2 such a bear to
> >port, etc.  I wish I had the time or skill to fix that, but the reality is I
> >simply don't have either.
>
> There are other PGP libraries available.  The Veridis Filecrypt SDK,
> http://www.veridis.com/products/FileCryptSDK/fcsdk.asp, is a commercial
> offering which uses the OpenPGP format,

A warning about Filecrypt SDK --

A few months ago, I was doing OpenPGP interop testing between Mixmaster
and some other 2440 implementations, including PGP, GnuPG, Hushmail, and
Zendit.

In the course of this testing, I discovered that Zendit, which is based on
Veridis's SDK, had a rather alarming bug: it had no concept of subkey
binding signatures (it neither generated them, nor did it verify them.)
The implications here are obvious.

I didn't do any further investigation of this bug, since I found far too
many other interop/usability flaws in Zendit to justify continuing to
worry about it, and I don't know of anyone else using FileCrypt.
Consequently, I don't know if this was a Zendit-specific bug or a problem
with FileCrypt.

I notified both the Zendit and Veridis people about this problem. I
haven't heard from either if this has been fixed.


--Len.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
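
An added example, not part of the original post and not Zendit, Veridis or Mixmaster code: an interop check for the condition the message describes, walking the packets of an OpenPGP public key and listing subkeys that have no signature packet of type 0x18 (subkey binding) after them. It is a structural audit only and does not verify the signature cryptographically; the function names are hypothetical and the key bytes are constructed placeholders.

```python
SIG, SUBKEY, SUBKEY_BINDING = 2, 14, 0x18   # packet tags, signature type

def packets(data):
    """Yield (tag, body) for each packet, old- or new-format header."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80 or hdr & 0x43 == 0x03:
            raise ValueError("bad header or indeterminate-length packet")
        if hdr & 0x40:                      # new format: tag in low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old format: tag in bits 5-2
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n]
        i += n

def sig_type(body):
    """Type octet: offset 1 in a v4 signature, offset 2 in v3; None otherwise."""
    offset = {3: 2, 4: 1}.get(body[0]) if body else None
    return body[offset] if offset and len(body) > offset else None

def unbound_subkeys(key):
    """0-based positions of subkeys with no 0x18 signature packet after them."""
    bound, current = [], None
    for tag, body in packets(key):
        if tag != SIG:
            current = tag                   # signatures apply to this packet
            if tag == SUBKEY:
                bound.append(False)
        elif current == SUBKEY and sig_type(body) == SUBKEY_BINDING:
            bound[-1] = True
    return [n for n, ok in enumerate(bound) if not ok]

# Constructed sample, placeholder bodies (no key material), old-format headers:
SAMPLE_KEY = bytes.fromhex(
    "9801aa b401bb 88020413 "   # primary key, user ID, certification (0x13)
    "b801cc 88020418 "          # subkey 0 with subkey binding signature (0x18)
    "b801dd")                   # subkey 1 with no signature at all
```

`unbound_subkeys(SAMPLE_KEY)` returns `[1]`; a subkey that passes this check still has to have its binding signature verified against the primary key before it is trusted.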


