Thought I'd pass this along. Not sure if it applies to anyone.

- Critical flaw in GnuPG -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, November 28, 2003 - A critical security flaw has been found in the GnuPG encryption software which could compromise a user's private key in seconds.

This flaw affects versions 1.0.2 and later of GnuPG which use ElGamal keys for encryption and signing (type 20). ElGamal keys used for encryption only (type 16) are not affected by this flaw.

Although use of sign+encrypt keys is not considered good cryptographic practice, the OpenPGP standard allows them to be used and GnuPG supports creation and handling of them. Fortunately, these keys are not used very often nor are they created by default in GnuPG, since - compared to RSA or DSA keys - they have significant disadvantages with regard to security and performance. Actually, users must create ElGamal sign+encrypt keys through specific options in GnuPG.

To avoid being affected by this vulnerability, it is advisable not to generate ElGamal keys for encryption and signing (type 20), revoke the keys that are already in use and take into account that all the material signed and encrypted with them could have been compromised. GnuPG has already announced that future versions of the program will not allow these keys to be created.

More information at: http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html

--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
7:22pm up 10:18, 2 users, load average: 0.02, 0.09, 0.04
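
To find out whether a keyring holds any of the type 20 keys the advisory says to revoke, the following added example (not part of the original post or the advisory) scans GnuPG's colon-format key listing for public-key algorithm 20. It assumes the listing comes from `gpg --with-colons --list-keys`; the function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Flag ElGamal sign+encrypt (type 20) keys in a GnuPG colon listing.
# Real use: gpg --with-colons --list-keys | find_type20

# Constructed sample listing; key IDs and user IDs are made up.
sample_listing() {
cat <<'EOF'
pub:u:1024:17:AAAAAAAA00000001:2002-05-01:::u:Alice Example <alice@example.org>::scESC:
sub:u:2048:16:AAAAAAAA00000002:2002-05-01::::::e:
pub:u:2048:20:BBBBBBBB00000001:2001-11-12:::u:Bob Example <bob@example.org>::scESC:
pub:r:1024:17:CCCCCCCC00000001:2000-03-03:::-:Carol Example <carol@example.org>::sc:
sub:r:1536:20:CCCCCCCC00000002:2000-03-03::::::e:
pub:u:2048:1:DDDDDDDD00000001:2003-01-20:::u:Dave Example <dave@example.org>::scESC:
EOF
}

# Colon-format fields used here:
#   1 = record type, 2 = validity (r = revoked),
#   4 = public-key algorithm (16 = ElGamal encrypt-only,
#       20 = ElGamal sign+encrypt), 5 = key ID, 10 = user ID.
# Output: one line per type 20 key: KEYID RECORD STATE OWNER
find_type20() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { owner = $10 }
        $1 == "uid" && owner == "" { owner = $10 }
        ($1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb") && $4 == 20 {
            state = ($2 == "r") ? "revoked" : "ACTIVE"
            printf "%s %s %s %s\n", $5, $1, state, owner
        }'
}

sample_listing | find_type20
```

Keys reported as ACTIVE are the ones still to be revoked; the type 16 subkey in the sample is deliberately not reported.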