In message <404E3A37(_dot_)4050409(_at_)systemics(_dot_)com>, Ian Grigg writes:
The paper also makes some comments concerning
OpenPGP weaknesses (sans exploits) of PKCS#1 v1.5
RSA encryption and signatures (section 4.2, 4.3).
As already mentioned in Section 2, GPG implements
RSA encryption as defined by PKCS#1 v1.5. This is
not state-of-the-art cryptography: like with
ElGamel, Bleichenbacker's chosen-ciphertext 
can decrypt any ciphertext. But, as mentioned
in 3.3, the relevance of such attacks to the email
world is debatable, in part because of the high
number of oracle calls. We hope that future
versions of the OpenPGP standard, will recommend
better RSA encryption standards (see for instance
PKCS#1 v2.1  or NESSIE ).
Presumably it is way too late in the piece to
change these methods. My question here would be
more along the lines of whether a warning comment
should be placed in the draft document?
Adding a warning in the Security Considerations section would, I think,
be necessary here. It's a known weakness that could have serious
consequences if, for example, the OpenPGP message format was used for
some sort of programmatic interface, rather than for email.
--Steve Bellovin, http://www.research.att.com/~smb