Slashdot Mirror

← Back to Stories (view on slashdot.org)

GnuPG's ElGamal Signing Keys Compromised

Posted by michael on from the oopsie dept.

KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there were only one such public key (and a few subkeys). There is already a patch available to disable these keys."

1 of 144 comments (clear)

  1. My key was one of the 850 keys by quigonn · · Score: 5, Interesting

    Fortunately, Werner Koch informed me yesterday already (I got the email at some time in the morning), so I had plenty of time to create a new key, sign it with the old one, and revoke the old one.

    Of course, this had one disadvantage: since the old key is potentially compromised, I cannot really trust in my web of trust anymore. :-/

    --
    A monkey is doing the real work for me.