PGP 5.0i key gen vulnerability

[Bradley M Alexander]

Just one more reason to use GPG, at least so far...

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-22&[EMAIL
 PROTECTED]

-- 
--Brad

Bradley M. Alexander |   Co-Chairman,
Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
Winstar Telecom  |   [EMAIL PROTECTED]
(703) 889-1049   |   [EMAIL PROTECTED]

"Complaining during downsizing is like playing with a pogo stick in a foxhole.
 It feels good, but it doesn't last."
--Scott Adams
  "The Dilbert Future"


pgpUe2uzrBwjX.pgp
Description: PGP signature

[no subject]

[Raven Winter]

unsubscribe

Re: On the security of e-mails

[Milan P. Stanic]

On 26-May-2000 Alexander Hvostov wrote:
> Bradley,
> 
> Uhm, isn't Sendmail's SMTP-over-SSL thing supposed to conform to some
> standard..? I seriously doubt the other endpoint has to be
> Sendmail; rather, I think it probably only needs to be running a proper
> SMTP-over-SSL implementation. If this is the case, then this can be done
> with stunnel and your favorite MTA. (mine being qmail... why doesn't
> everyone use qmail..?)

I think it is standard because I read the postfix TLS enhancement doc's and
here is snip from description:

Overview:
=
- This is an SSL/TLS enhancement package for postfix.
  It realizes (well, or at least should, once it is finished) the
  STARTTLS extension to SMTP as described in RFC2487 and used
  by Netscape 4.5x.

RFC2487 is "SMTP Service Extension for Secure SMTP over TLS"

So, all SMTP MTA's with SSL/TLS should cooperate, shouldn't they?

--
E-Mail: Milan P. Stanic <[EMAIL PROTECTED]>
Key fingerprint = EA81 54A6 7F35 5A38 FCE6  9EF6 9D24 E68E 5C1D AF15
--

Re: On the security of e-mails

[Alexander Hvostov]

Ethan,

No. RSA does. And they have the agreement of enough people (whereas MS
doesn't) to push the feds into sticking to relaxed crypto export controls.

"Remember, if you don't keep the crypto laws relaxed, none of us will vote
for you... nor will our  supporters."

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Fri, 26 May 2000, Ethan Benson wrote:

> On Fri, May 26, 2000 at 02:37:59AM -0700, Alexander Hvostov wrote:
> > Ethan,
> > 
> > Only one problem. Charlie Brown doesn't have hordes of lawyers.
> 
> and the Free software movement does?  
> 
> MS has hoards of lawyers and billions of dollors and even they are not
> escaping the US govt ;-)
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 

Re: On the security of e-mails

[Ethan Benson]

On Fri, May 26, 2000 at 02:37:59AM -0700, Alexander Hvostov wrote:
> Ethan,
> 
> Only one problem. Charlie Brown doesn't have hordes of lawyers.

and the Free software movement does?  

MS has hoards of lawyers and billions of dollors and even they are not
escaping the US govt ;-)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgp9BRXD9eBIe.pgp
Description: PGP signature

Re: On the security of e-mails

[Alexander Hvostov]

Ethan,

Only one problem. Charlie Brown doesn't have hordes of lawyers.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Fri, 26 May 2000, Ethan Benson wrote:

> On Fri, May 26, 2000 at 02:19:06AM -0700, Alexander Hvostov wrote:
> > Ethan, and everyone,
> > 
> > I seem to keep having to repeat myself: the USA recently relaxed its
> > crypto export controls. I'm not certain if that means I can download
> > OpenSSL and then send it to someone in  > country here>, but I believe I can.
> 
> well i personally don't really buy it, i have yet to find anyone who
> can give a truly clear and unambiguous answer to the question.  and i
> have also heard that the current relaxation is just a `evaluation'
> and they may very well reverse it again. 
> 
> you ever read `Peanuts'? the classic strip where Lucy pulls the
> football away as Charlie Brown comes running to kick it springs to
> mind...
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 

Re: On the security of e-mails

[Ethan Benson]

On Fri, May 26, 2000 at 02:19:06AM -0700, Alexander Hvostov wrote:
> Ethan, and everyone,
> 
> I seem to keep having to repeat myself: the USA recently relaxed its
> crypto export controls. I'm not certain if that means I can download
> OpenSSL and then send it to someone in  country here>, but I believe I can.

well i personally don't really buy it, i have yet to find anyone who
can give a truly clear and unambiguous answer to the question.  and i
have also heard that the current relaxation is just a `evaluation'
and they may very well reverse it again. 

you ever read `Peanuts'? the classic strip where Lucy pulls the
football away as Charlie Brown comes running to kick it springs to
mind...

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgppMeEnjZJLl.pgp
Description: PGP signature

Re: On the security of e-mails

[Alexander Hvostov]

Sergio,

It would be useless to try and use SSL for debian-security, because it is
a publicly accessible list, which sort of defeats the purpose of SSL...

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Fri, 26 May 2000, Sergio Brandano wrote:

> 
>  Alexander Hvostov wrote
> 
> > ...Unless you encrypt to a public key belonging to everyone on the
> > mailing list, which certainly can be done, though this means
> > distributing the appropriate public/private key pair, so the keys
> > themselves would also have to be encrypted, probably to each
> > individual user.
> >
> > Of course, you could also implement something like a bulletin board
> > on HTTP over SSL instead... or maybe SMTP over SSL to each individual
> > list subscriber. (insecure; most subscribers don't run their own mail
> > server)
> 
>  I have a comment on this, related to the never ending battle against
>  SPAM. Why is that mailing lists, that are open only to subscribers,
>  make public the content of thir messages (including addresses) on the
>  web? Yes, archiving. But that opens the way to address collection.
> 
>  I like your proposal of using SSL for this list. And I think we
>  should give it a try.
> 
>  Sergio
> 

Re: On the security of e-mails

[Alexander Hvostov]

Ethan, and everyone,

I seem to keep having to repeat myself: the USA recently relaxed its
crypto export controls. I'm not certain if that means I can download
OpenSSL and then send it to someone in , but I believe I can.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Thu, 25 May 2000, Ethan Benson wrote:

> On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote:
> > Sergio,
> > 
> > That's what GPG and a good MUA like Pine is for. Let's see "Big
> > Brother" crack 1024-bit public key crypto anytime this decade...
> > 
> > I know you can't legally do this in France; if you have a desire for your
> > email to be private, then I suggest moving to a country whose crypto
> > policies are not brain-dead, such as the USA, Canada, the UK, and so
>^^^
> 
> USA does not have brain-dead crypto policies? well maybe not on use
> inside the borders but its policy on crypto is most certainly very
> brain-dead...
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 

Re: On the security of e-mails

[Ben White]

We'll soon be getting braindead crypto laws in the UK if the RIP bill goes 
through.
RIP details at http://www.stand.org.uk/


On Fri, 26 May 2000, Alexander Hvostov wrote:

> Sergio,
> 
> That's what GPG and a good MUA like Pine is for. Let's see "Big
> Brother" crack 1024-bit public key crypto anytime this decade...
> 
> I know you can't legally do this in France; if you have a desire for your
> email to be private, then I suggest moving to a country whose crypto
> policies are not brain-dead, such as the USA, Canada, the UK, and so
> on.
> 
> Regards,
> 
> Alex.
> 
> ---
> PGP/GPG Fingerprint:
>   EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9
> 
> -BEGIN GEEK CODE BLOCK-
> Version: 3.12
> GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
> O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
> G e-- h++ r--- y
> --END GEEK CODE BLOCK--
> 

Ben White   01473 403020
KeConnect Internet   http://www.keconnect.co.uk/

Re: On the security of e-mails

[Sergio Brandano]

 Alexander Hvostov wrote

> ...Unless you encrypt to a public key belonging to everyone on the
> mailing list, which certainly can be done, though this means
> distributing the appropriate public/private key pair, so the keys
> themselves would also have to be encrypted, probably to each
> individual user.
>
> Of course, you could also implement something like a bulletin board
> on HTTP over SSL instead... or maybe SMTP over SSL to each individual
> list subscriber. (insecure; most subscribers don't run their own mail
> server)

 I have a comment on this, related to the never ending battle against
 SPAM. Why is that mailing lists, that are open only to subscribers,
 make public the content of thir messages (including addresses) on the
 web? Yes, archiving. But that opens the way to address collection.

 I like your proposal of using SSL for this list. And I think we
 should give it a try.

 Sergio

Re: On the security of e-mails

[Ethan Benson]

On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote:
> Sergio,
> 
> That's what GPG and a good MUA like Pine is for. Let's see "Big
> Brother" crack 1024-bit public key crypto anytime this decade...
> 
> I know you can't legally do this in France; if you have a desire for your
> email to be private, then I suggest moving to a country whose crypto
> policies are not brain-dead, such as the USA, Canada, the UK, and so
   ^^^

USA does not have brain-dead crypto policies? well maybe not on use
inside the borders but its policy on crypto is most certainly very
brain-dead...

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgpmIS4PYEupv.pgp
Description: PGP signature

Re: On the security of e-mails

[Alexander Hvostov]

Julien,

The US has relaxed its crypto export laws. I understand crypto can be
exported freely now, though I'm not going to try that until I have a nice
lawyer to talk to...

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Fri, 26 May 2000, Julien Stern wrote:

> On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote:
> > Sergio,
> > 
> > That's what GPG and a good MUA like Pine is for. Let's see "Big
> > Brother" crack 1024-bit public key crypto anytime this decade...
> > 
> > I know you can't legally do this in France; if you have a desire for your
> > email to be private, then I suggest moving to a country whose crypto
> > policies are not brain-dead, such as the USA, Canada, the UK, and so
> > on.
> >
> Well,
> I know it has been terrible for quite a long time, but
> crypto is now legal in France. You can use PGP, GPG or any other
> software. As far as I rembember, the only limit is 128 bits on
> _private_ keys systems, which is more than enough.
> 
> I also believe there are some restrictions if you want to create
> and/or export a software that includes crypto, but certainly not
> as many restrictions than in the US, for example :)
> 
> Regards,
> Julien
> 
> 
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

Re: On the security of e-mails

[Julien Stern]

On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote:
> Sergio,
> 
> That's what GPG and a good MUA like Pine is for. Let's see "Big
> Brother" crack 1024-bit public key crypto anytime this decade...
> 
> I know you can't legally do this in France; if you have a desire for your
> email to be private, then I suggest moving to a country whose crypto
> policies are not brain-dead, such as the USA, Canada, the UK, and so
> on.
>
Well,
I know it has been terrible for quite a long time, but
crypto is now legal in France. You can use PGP, GPG or any other
software. As far as I rembember, the only limit is 128 bits on
_private_ keys systems, which is more than enough.

I also believe there are some restrictions if you want to create
and/or export a software that includes crypto, but certainly not
as many restrictions than in the US, for example :)

Regards,
Julien

Re: On the security of e-mails

[Alexander Hvostov]

Bradley,

Uhm, isn't Sendmail's SMTP-over-SSL thing supposed to conform to some
standard..? I seriously doubt the other endpoint has to be
Sendmail; rather, I think it probably only needs to be running a proper
SMTP-over-SSL implementation. If this is the case, then this can be done
with stunnel and your favorite MTA. (mine being qmail... why doesn't
everyone use qmail..?)

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Thu, 25 May 2000 [EMAIL PROTECTED] wrote:

> Sendmail is also beginning to address this issue. 8.11.x is supposed to
> include SSL code to do end-to-end encryption. However, this still leaves
> an opening at the destination host for snooping. Aside from that, this
> assumes that both ends are using sendmail 8.11, which is a pipe dream for
> a while to come. For end-to-end security, PGP or GPG encryption is the way
> to go.
> 
> On Thu, May 25, 2000 at 09:14:20AM -0500, Daniel Taylor wrote:
> > The closest reliable method in that area is PGP encryption
> > of e-mail.  In theory only those people who have the message
> > signed with their public key will be able to read it.
> > 
> > In practice I haven't heard otherwise.
> > 
> > The only place where it isn't appropriate to encrypt (maybe only sign)
> > is on public mailing lists.
> > 
> > Daniel TaylorEmbedded and custom Linux integration.
> > [EMAIL PROTECTED]   (612)747-1609
>  
> -- 
> --Brad
> 
> Bradley M. Alexander |   Co-Chairman,
> Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
> Winstar Telecom  |   [EMAIL PROTECTED]
> (703) 889-1049   |   [EMAIL PROTECTED]
> 
> Never draw fire, it irritates everyone around you.
>   --Murphy's Laws of Combat
> 

Re: On the security of e-mails

[Alexander Hvostov]

Daniel,

...Unless you encrypt to a public key belonging to everyone on the mailing
list, which certainly can be done, though this means distributing the
appropriate public/private key pair, so the keys themselves would also
have to be encrypted, probably to each individual user.

Of course, you could also implement something like a bulletin board on
HTTP over SSL instead... or maybe SMTP over SSL to each individual list
subscriber. (insecure; most subscribers don't run their own mail server)

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Thu, 25 May 2000, Daniel Taylor wrote:

> The closest reliable method in that area is PGP encryption
> of e-mail.  In theory only those people who have the message
> signed with their public key will be able to read it.
> 
> In practice I haven't heard otherwise.
> 
> The only place where it isn't appropriate to encrypt (maybe only sign)
> is on public mailing lists.
> 
> Daniel TaylorEmbedded and custom Linux integration.
> [EMAIL PROTECTED]   (612)747-1609
> 
> On Thu, 25 May 2000, Sergio Brandano wrote:
> 
> > 
> >  I would like to raise the problem of the security of electronic
> >  mail. The problem popped into my mind a while ago, while reading
> >  about Italian legislation on the privacy and, in particular, of
> >  paper mail. I always wanted to draw the issue to the attention of the
> >  ``hi spheres'', but I am now in the UK, and the whole thing went into
> >  the limbo. The problem is simply as follows: there is no legislation
> >  that enforces the privacy of electronic mail. On the practical side,
> >  there is no software method currently implemented at large that
> >  allows the receiver, and only the receiver, to read his/her own mail.
> >  The secure transmission of mail is part of the whole process.
> >  The similar issue can easily be extended to the Internet, where sites
> >  (from the very client to the very server) can record your preferences,
> >  as if there were a big brother that spies on you and writes all down.
> >  An immediate consequence of it are all the SPAM mail selling
> >  financial services...
> > 
> >  Sergio
> > 
> > 
> > --  
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> > 
> 
> 
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

Re: On the security of e-mails

[Alexander Hvostov]

Sergio,

That's what GPG and a good MUA like Pine is for. Let's see "Big
Brother" crack 1024-bit public key crypto anytime this decade...

I know you can't legally do this in France; if you have a desire for your
email to be private, then I suggest moving to a country whose crypto
policies are not brain-dead, such as the USA, Canada, the UK, and so
on.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Thu, 25 May 2000, Sergio Brandano wrote:

> 
>  I would like to raise the problem of the security of electronic
>  mail. The problem popped into my mind a while ago, while reading
>  about Italian legislation on the privacy and, in particular, of
>  paper mail. I always wanted to draw the issue to the attention of the
>  ``hi spheres'', but I am now in the UK, and the whole thing went into
>  the limbo. The problem is simply as follows: there is no legislation
>  that enforces the privacy of electronic mail. On the practical side,
>  there is no software method currently implemented at large that
>  allows the receiver, and only the receiver, to read his/her own mail.
>  The secure transmission of mail is part of the whole process.
>  The similar issue can easily be extended to the Internet, where sites
>  (from the very client to the very server) can record your preferences,
>  as if there were a big brother that spies on you and writes all down.
>  An immediate consequence of it are all the SPAM mail selling
>  financial services...
> 
>  Sergio
> 
> 
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>