From: Bill Stewart <stewarts@ix.netcom.com>
Date: Mon, 9 Jun 1997 01:09:11 -0700 (PDT)
To: pgp50bugs@pgp.com
Subject: PGP 5.0 doesn't tell me Which key a message is signed by! [SEVERITY 1]
Message-ID: <3.0.1.32.19970609010751.0075c738@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Yow!  I'm using PGP 5.0, with the PGPtray and the Eudora Plugin,
in a version that appears to be b14c3 for Win95.

When I receive a signed email message, or check with PGPtray,
it tells me the message is from "User <email@foo.com>",
but doesn't tell me it's from KeyID 0x12345678 or the 
fingerprint of the key or anything even vaguely difficult to fake.
Thus, I've signed this message as Phil Zimmermann FAKE <prz@acm.org>,
and if I'd left out the FAKE it would be difficult to tell it
from a real Phil key.  The GUI happily gives me a message box saying
"Good signature from Phil Zimmermann FAKE <prz@acm.org>".

We've been discussing 0xDEADBEEF attacks on Cypherpunks and Coderpunks,
but this appears to be far worse - I hope it's been fixed
for the production version?
-----BEGIN PGP SIGNATURE-----
Version: 5.0 beta
Charset: noconv

iQBVAwUBM5u51kEvGqT1DvpRAQHnwgIAzF7uBmgsk9+c4IZObsnXBJBHuCFEUsMr
3V64azY6Wp156SFgDPGODQvQxzDiQCb96hUz2RK2j7DxfekOZ7rzjw==
=u93K
-----END PGP SIGNATURE-----


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)