On Wed, Mar 29, 2006 at 01:03:35PM -0800, phil wrote:
> Hi,
>
> A quick question regarding the recently discovered
> vulnerability to the injection of unsigned data:
>
> From the description, it wasn't completely clear to me
> whether this vulnerability also applied to
> verification of clearsigned text. Does it?

It doesn't. Here's the story:

* It doesn't apply to signed software tarballs (detached signatures)

* It doesn't apply to PGP/MIME signed email messages (which are detached signatures under the hood)

* It doesn't apply to clearsigned messages

* It might apply to sign+encrypted PGP/MIME messages and sign+encrypted messages in general (though note your attacker in this case may be the person who encrypted the message...)

* It might apply to unencrypted-but-binary-signed messages (essentially signed+encrypted without the encryption - generally not used much).

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
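
The categories in the reply above can be told apart from the top-level OpenPGP packet tags (RFC 4880). The following is an added example, not part of the original message and not GnuPG code; the function names and sample packets are constructed for illustration, and input is assumed to be binary (for example after `gpg --dearmor`) or clearsigned text.

```python
# Added example: classify a message by its top-level OpenPGP packet tags.
SIG, ONEPASS, COMPRESSED, LITERAL = 2, 4, 8, 11
ENCRYPTED = {1, 3, 9, 18}  # PKESK, SKESK, SED, SEIPD

def packet_tags(data):
    """Return the tags of the top-level packets in a binary OpenPGP stream."""
    tags, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % (i - 1))
        if hdr & 0x40:                          # new-format header
            tags.append(hdr & 0x3F)
            while True:
                b = data[i]
                if b < 192:                     # one-octet length
                    n, i = b, i + 1
                elif b < 224:                   # two-octet length
                    n, i = ((b - 192) << 8) + data[i + 1] + 192, i + 2
                elif b == 255:                  # five-octet length
                    n, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
                else:                           # partial body chunk, more follow
                    i += 1 + (1 << (b & 0x1F))
                    continue
                i += n
                break
        else:                                   # old-format header
            tags.append((hdr >> 2) & 0x0F)
            ltype = hdr & 0x03
            if ltype == 3:                      # indeterminate: runs to end of data
                break
            size = 1 << ltype
            i += size + int.from_bytes(data[i:i + size], "big")
    return tags

def classify(data):
    """Map a message onto the categories listed in the reply above."""
    if data.lstrip().startswith(b"-----BEGIN PGP SIGNED MESSAGE-----"):
        return "clearsigned: does not apply"
    tags = packet_tags(data)
    if tags and all(t == SIG for t in tags):
        return "detached signature: does not apply"
    if tags and tags[0] in ENCRYPTED:
        return "encrypted, possibly signed inside: might apply"
    if any(t in (ONEPASS, COMPRESSED, LITERAL) for t in tags):
        return "binary message, possibly signed: might apply"
    return "unrecognised"

def pkt(tag, body):
    """Build a constructed new-format sample packet with a one-octet length."""
    return bytes([0xC0 | tag, len(body)]) + body
```

The result names only the category a file falls into; whether an installed GnuPG version is affected is a separate question.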