Message-Id: <200008271454.KAA22169@maynard.mail.mindspring.net>
Date: Sun, 27 Aug 2000 10:46:30 -0400
To: "Arnold G. Reinhold" <reinhold@world.std.com>
From: John Young <jya@pipeline.com>
Cc: cryptography@c2.net
In-Reply-To: <v04210103b5ced61580ad@[24.218.56.92]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Arnold Reinhold wrote:

>How hard would it be to filter the public key servers for unsigned
>ADKs and either notify the keyowner or just remove the unsigned ADKs?

It might be possible to filter the unsigned ADKs from key servers; however, it is not clear if the bug discovered is all there is to worry about. PGP/NAI has not yet given a complete explanation of how the bug got past quality control for truly reliable security.

Others have noted on the net how long the fault related to the bug has been around, and that despite warnings to PGP nothing was done about it.

A few have also noted that the pattern of eventual disclosure of a fault is not unprecedented as a way to discover a built-in flaw added to gain export approval in an NDA sit-down with governmental authorities, a process still required by US export law for strongest crypto and a process that is also in effect in other countries linked to the US by technology control pacts such as Wassenaar.

PGP has a wonderful reservoir of goodwill that will surely help it through this embarrassment, but the reservoir has been drained rather much and needs replenishment.

To help with that Michel Bouissou has circulated a call for restored confidence in PGP Freeware with a set of constructive suggestions for PGP/NAI:

http://cryptome.org/pgp-reborn.htm

Are there other suggestions being floated?