[Top] [All Lists]

Re: Anybody know details about Schneier's "flaw"?

2002-08-14 23:20:21

On 8/14/02 2:27 PM, "john(_dot_)dlugosz(_at_)kodak(_dot_)com" 
<john(_dot_)dlugosz(_at_)kodak(_dot_)com> wrote:

According to the link posted by someone else,
(, "We also recommend changes in the
OpenPGP standard [3 ]to educe the
effectiveness of ou attacks in these settings."

Are the people activly working on the -bis draft aware of this?

Yes, we are aware of it. We released bis-06 on Monday with language in it to
address this. We were advised about this a month ago, and have had quite a
good email conversation with the authors about it.

The text that is in there is some talk in the sections on compression, which
say that a decompression error should be considered to be a security
problem, not a data problem (in other words, don't typically let the user
have the damaged plaintext), and some language that recommends encouraging
people to use MDCs. There is also a relatively long section in Security
Considerations. Take a look, I think you'll like it.