gabriel rosenkoetter on 28 Nov 2003 12:54:01 -0500

On Fri, Nov 28, 2003 at 10:57:21AM -0500, David Shaw wrote:
> Possibly. I'm not sure where the 20 came from, but it might have been
> because the faulty key type is 20 (RSA is 1, DSA is 17, the safe
> Elgamal is 16).

Must be. Unfortunately, I've deleted the message I was reading from, so...

> Still, 848 keys is only around 0.04% of all keys on the keyservers.

Wow. Didn't realize there were that many keys out there. I'd say that's a good sign for PGP penetration, but there are probably way fewer unique and active users of PGP than that.

> This is a serious security failure, to be sure, but at the same time,
> there were a lot of roadblocks placed in front of people using these
> keys. And yet, people did anyway.

Do you suppose this was an "I always push the button that says don't push this button" reaction, or did people really think they were getting something with ElGamal? I mean, we've known that a secure implementation of ElGamal for signing was really difficult for quite a while now, and that signing and encrypting with the same key, no matter the algorithm, was a horrible idea, and that only GnuPG even bothers to support ElGamal. The mind boggles at who would take advantage of the feature for anything other than play...

-- 
gabriel rosenkoetter
gr@eclipsed.net

Attachment: pgpmkj9bCsLkG.pgp
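The algorithm numbers quoted in the thread (RSA 1, Elgamal encrypt-only 16, DSA 17, the faulty sign+encrypt Elgamal 20) are the public-key algorithm IDs from the OpenPGP packet format (RFC 2440, later RFC 4880). The script below is an added example, not code from this thread or from GnuPG: it walks a raw OpenPGP keyring (old- and new-format packet headers), reads the algorithm byte out of each public key and public subkey packet, and reports any key whose algorithm is type 20, which is how an administrator would audit an exported keyring for affected keys. The `SAMPLE_KEYRING` bytes are constructed for the example, with a few filler bytes in place of real MPIs; a real input would be the output of `gpg --export` (binary, not ASCII-armored). Partial-body lengths are rejected rather than parsed, which is fine for key material but would need extending for literal-data packets.

```python
from typing import Iterator, List, NamedTuple

# Public-key algorithm IDs, RFC 4880 section 9.1 (same numbering as RFC 2440).
ALGO_NAMES = {
    1: "RSA (encrypt or sign)",
    16: "Elgamal (encrypt-only)",
    17: "DSA",
    20: "Elgamal (encrypt+sign, reserved/unsafe)",
}
UNSAFE_ALGOS = {20}          # the key type discussed in the thread
PUBKEY_TAGS = {6: "public key", 14: "public subkey"}


class Packet(NamedTuple):
    tag: int
    body: bytes


class KeyInfo(NamedTuple):
    kind: str        # "public key" or "public subkey"
    version: int     # packet version (3 or 4)
    algo: int        # public-key algorithm ID


def iter_packets(data: bytes) -> Iterator[Packet]:
    """Yield (tag, body) for each OpenPGP packet in a binary blob."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:                        # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                 # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                    # indeterminate: runs to end of input
                length = n - pos
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        yield Packet(tag, body)


def key_info(pkt: Packet) -> KeyInfo:
    """Extract version and algorithm ID from a public key / subkey packet."""
    version = pkt.body[0]
    if version == 4:          # version, 4-byte creation time, algorithm, MPIs
        algo = pkt.body[5]
    elif version in (2, 3):   # version, 4-byte time, 2-byte validity, algorithm
        algo = pkt.body[7]
    else:
        raise ValueError(f"unsupported key packet version {version}")
    return KeyInfo(PUBKEY_TAGS[pkt.tag], version, algo)


def audit_keyring(data: bytes) -> List[KeyInfo]:
    """All primary keys and subkeys found in the keyring, in order."""
    return [key_info(p) for p in iter_packets(data) if p.tag in PUBKEY_TAGS]


def unsafe_keys(data: bytes) -> List[KeyInfo]:
    """Keys whose algorithm ID is one of the flagged types (20 here)."""
    return [k for k in audit_keyring(data) if k.algo in UNSAFE_ALGOS]


def _pubkey_body(version: int, algo: int, filler: bytes = b"\x00\x00\x02\x03") -> bytes:
    # Constructed key packet body; `filler` stands in for the MPIs we do not parse.
    creation_time = b"\x3f\xc6\x1a\x80"
    if version == 4:
        return bytes([4]) + creation_time + bytes([algo]) + filler
    return bytes([version]) + creation_time + b"\x00\x00" + bytes([algo]) + filler


# Constructed sample keyring: DSA primary key, user ID, type-20 subkey, v3 RSA key.
SAMPLE_KEYRING = (
    bytes([0x98, 10]) + _pubkey_body(4, 17)        # old header, tag 6, 1-octet length
    + bytes([0xCD, 5]) + b"alice"                  # new header, tag 13 (user ID)
    + bytes([0xB9, 0, 10]) + _pubkey_body(4, 20)   # old header, tag 14, 2-octet length
    + bytes([0xC6, 12]) + _pubkey_body(3, 1)       # new header, tag 6, v3 body
)

if __name__ == "__main__":
    for k in audit_keyring(SAMPLE_KEYRING):
        flag = "  <-- flagged" if k.algo in UNSAFE_ALGOS else ""
        print(f"{k.kind:14} v{k.version} algo {k.algo:2} {ALGO_NAMES.get(k.algo, '?')}{flag}")
```

Run it against `gpg --export > keyring.gpg` by passing the file's bytes to `unsafe_keys`; anything reported should be retired and its signatures treated as untrusted, which is what the thread's 848-key figure was counting.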