[lug] commercial version of PGP: big ADK bug

[Neal McBurnett]

There has been some big news in the last week relating to a sobering
bug in the commercial PGP Inc software, which includes Additional
Decryption Key (ADK) support.  It puts *all* people who have published
new-style key certificates at risk: Alice's key cert can be modified
by Eve such that when Bob uses PGP Inc software to encrypt to Alice
using the modified key cert, the message is also encrypted so Eve can
read it.

After reading the material below, you'll see that some aspects of the
exploit are difficult.

 The sender must acknowledge a warning dialog that an ADK is
 associated with the certificate [are two ADKs treated differently
 than one?] 
 
 The sender must already have the key for the bogus ADK on their local
 keyring.
 
I'd like to know what the user sees if Alice's original key already
has an ADK for "Trent", and if Eve is for example a casual
correspondent of Alice's who wants to also read Alice's
business-related email from Bob.  When sending mail to Alice, does Bob
see something different than he would without the second ADK? 
E.g. does he get a warning mentioning both Trent and Eve?  Can he turn
that warning off?? 

Other providers of PGP-compatible software (e.g. OpenPGP) whose code
is not buggy are furious since it indirectly affects their users
(e.g. if Alice uses OpenPGP, sends email to Bob who uses PGP Inc, who
replies to Alice, then Bob's reply (possibly also quoting text from
Alice) might be compromised.  They are pointing out once again the
many reasons to not support ADKs at all:

http://www.cert.org/advisories/CA-2000-18.html

http://www.pgp.com/other/advisories/adk.asp

http://www.counterpane.com/key-escrow.html
 
http://slashdot.org/article.pl?sid=00/08/24/155214&threshold=3

Sigh,

Neal McBurnett <neal at bcn.boulder.co.us>  303-538-4852
Avaya Communication / Internet2 / Bell Labs / Lucent Technologies
http://bcn.boulder.co.us/~neal/      (with PGP key)