PGP "master keys"

Hadmut Danisch hadmut at danisch.de
Fri Apr 28 03:20:36 EDT 2006


On Wed, Apr 26, 2006 at 10:41:12PM -0400, Steven M. Bellovin wrote:
>
> Ah -- corporate key escrow.  An overt back door for Little Brother, rather
> than a covert one for Big Brother....
You should check the list of recipient keys in PGP messages from time
to time anyway. I recently found a bug in an MTU plugin: Once you had
a PGP pubkey with an empty ID in your keyring, the plugin had always
added this key to the recipient keys, although the owner was not
listed as a recipient of the e-mail. As far as we debugged, the key
had to be in 'trusted' state, but it worked. Once you managed to have
your pubkey added to someone else's keyring with an additional empty
user ID (which most users never realize) you could read any encrypted
mail sent by that person.

regards
Hadmut
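
The check recommended above, as an added example that is not from Hadmut's post or from the plugin he describes: a small OpenPGP packet walker that lists the recipient key IDs in an encrypted message (the PKESK packets, RFC 4880 section 5.1) and, separately, reports every key in a keyring dump that carries an empty User ID packet (tag 13). The packet bytes it runs on are constructed inline for the example; they are not real keys or real mail. Feeding it the output of `gpg --export` or a raw `.gpg` message file is how you would use it in practice.

```python
"""Inspect OpenPGP packet streams (RFC 4880):
  - list recipient key IDs of an encrypted message (PKESK packets, tag 1)
  - find keys in a keyring with an empty User ID packet (tag 13)
All sample bytes below are constructed for this example, not real data.
"""
import struct
import sys

PKESK, PUBKEY, USERID, SEIPD = 1, 6, 13, 18
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ElGamal", 18: "ECDH"}


def parse_packets(data):
    """Yield (tag, body) for each packet; supports old- and new-format headers.
    Partial-body and indeterminate lengths are rejected instead of mis-parsed."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                                  # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                           # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("indeterminate length not supported")
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        yield tag, body


def recipients(message):
    """Return [(key_id_hex_or_wildcard, algorithm_name)] for every PKESK.
    An all-zero key ID is the RFC 4880 wildcard: the recipient is hidden."""
    out = []
    for tag, body in parse_packets(message):
        if tag != PKESK:
            continue
        version, key_id, algo = body[0], body[1:9], body[9]
        if version != 3:
            raise ValueError("unexpected PKESK version %d" % version)
        kid = "*wildcard*" if key_id == bytes(8) else key_id.hex().upper()
        out.append((kid, ALGO_NAMES.get(algo, "algo %d" % algo)))
    return out


def user_ids(keyring):
    """Return one list of User ID strings per primary public key (tag 6)."""
    keys = []
    for tag, body in parse_packets(keyring):
        if tag == PUBKEY:
            keys.append([])
        elif tag == USERID and keys:
            keys[-1].append(body.decode("utf-8", "replace"))
    return keys


def keys_with_empty_uid(keyring):
    """Indices (0-based, in keyring order) of keys carrying an empty User ID."""
    return [i for i, uids in enumerate(user_ids(keyring)) if "" in uids]


def old_packet(tag, body):
    """Build an old-format packet with a one-byte length (constructed samples)."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed sample message: RSA PKESK (old header), ElGamal PKESK to a
# hidden recipient (new header), then a dummy SEIPD packet.
SAMPLE_MESSAGE = (
    old_packet(PKESK, b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01"
               + b"\x00\x08\xab")                          # one MPI for RSA
    + bytes([0xC0 | PKESK, 16]) + b"\x03" + bytes(8) + b"\x10"
    + b"\x00\x08\xab\x00\x08\xcd"                          # two MPIs, ElGamal
    + bytes([0xC0 | SEIPD, 5]) + b"\x01" + b"\x00" * 4
)

# Constructed sample keyring: key 0 has a normal UID plus an EMPTY one,
# key 1 is clean. Public-key bodies are filler; they are not parsed here.
_FAKE_PUBKEY_BODY = b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x08\xab" + b"\x00\x02\x03"
SAMPLE_KEYRING = (
    old_packet(PUBKEY, _FAKE_PUBKEY_BODY)
    + old_packet(USERID, b"Alice <alice@example.org>")
    + old_packet(USERID, b"")
    + old_packet(PUBKEY, _FAKE_PUBKEY_BODY)
    + old_packet(USERID, b"Bob <bob@example.org>")
)


def main(argv):
    msg = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_MESSAGE
    ring = open(argv[2], "rb").read() if len(argv) > 2 else SAMPLE_KEYRING
    for kid, algo in recipients(msg):
        print("recipient key ID %s (%s)" % (kid, algo))
    for i in keys_with_empty_uid(ring):
        print("key #%d has an empty user ID: %r" % (i, user_ids(ring)[i]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed samples, or pass a binary `.gpg` message and an exported keyring. Any recipient key ID you do not recognise, any wildcard entry, and any key that lists an empty user ID is worth a closer look.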


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com