OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: PGP Signatures security BUG!
From: Florian Weimer (Florian.WeimerRUS.UNI-STUTTGART.DE)
Date: Fri Mar 10 2000 - 12:11:58 CST


"Povl H. Pedersen" <popeNETGUIDE.DK> writes:

> This was the first time he verified it.
>
> The signature has Key ID: 0x6F620B65
>
> So he had to look up the key using the keyservers, and surprisingly
> enough, the server did NOT return the name of the sender, but of a
> person called "Mike Evans".

Several answers in this thread have addressed quite a few problems
regarding faked user IDs and key IDs. This kind of attack is a
significant threat only if you rely on this information to establish
the validity of a public key, but of course, this approach is
fundamentally flawed.

The problem that Povl observed was likely quite different. According
to my own attempts, NAI's server simply returned the wrong key, which
didn't share any obvious characteristics with the one which was
requested (both key ID and user ID were different). Currently, I'm
unable to reproduce the server behavior, though.

BTW: If you want to hide the name of your communication partners, it's
not very wise to reveal their PGP key ID, especially if it's
registered at public key servers.

--
Florian Weimer 	                  Florian.WeimerRUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS Security Team                 +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5