[PGP-USERS] FW: Serious bug in PGP - versions 5 and 6
Werner Koch
wk@gnupg.org
Fri, 25 Aug 2000 11:12:22 +0200
On Thu, 24 Aug 2000, Clive Jones wrote:
> Don't trust your secrets to people you don't trust. Trusting them not
> to use broken software is just another part of that issue.
It is just that all PGP >= 5 versions are broken by design/bug and
the majority of encrypted mail is sent by PGP implementations. Have a
look at the key server stats and you will see that most keys have
been created by PGP >= 5.
It is important that security audits are *really* done and not that
everyone assumes: Okay, here is the source, someone else has probably
checked it. It has been shown in the last months that this is not
true (and that includes free software and proprietary software with open
source). The "given many eyeballs, all bugs are shallow" thesis is
wishful thinking.
Werner
--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org