On Fri, 18 Feb 2005 00:39:16 +0100, aboietf said:
proper handling for the publication of the "oracle attack" would have
been to point out that no mail application based on OpenPGP was
susceptible to the circumstances of the attack, and that implementing
We don't know.
an "oracle" is considered a Really Stupid Thing (TM).
The sad thing is that oracles are very common. On the positive side
you have the fact that people don't interpret error messages properly
because that is too much work and just return a Bollean value - by
that they defeat this particular attack (maybe except for LANs).
never relevant to the reality of e-mail applications. If a recipient
is so stupid as to send me back thousands of "I can't read your mail"
Heise clearly pointed out that the attack won't work for attended
usage.
Salam-Shalom,
Werner