According to Schneier, the flaw prompts the tampered version of the certificate to automatically and invisibly encrypt all messages to the organization as well as to the certificate owner. Schneier, who is also a world-respected cryptographer, said the problem won't go away until all flawed versions of PGP are eradicated. He added that it's the sender who is responsible for encrypting to the ADKs, not the recipient.
"Way back in 1998, a bunch of us cryptographers predicted that adding key escrow would make system design harder and would result in even more security problems," said Schneier. "This is an example of that prediction coming true."
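Added here as an example, not code from the article or from PGP: a Python audit that walks an OpenPGP public-key block and reports every ADK subpacket found in its signatures, noting whether it sits in the hashed (signed) or unhashed (unsigned) area; the vulnerable PGP releases honoured ADKs even in the unhashed area, which the key owner's signature does not protect, and that is how a tampered certificate could redirect a sender's encryption. Packet framing and subpacket type 10 follow RFC 4880; the ADK body layout (class octet, algorithm octet, 20-octet fingerprint) is an assumption, and the sample key bytes are constructed, not a real key.

```python
import struct
ADK = 10  # signature subpacket type that PGP used for Additional Decryption Keys

def _length(buf, i):  # new-style OpenPGP length at buf[i] -> (length, index after it)
    n = buf[i]
    if n < 192: return n, i + 1
    if n < 224: return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255: return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def _packets(data):  # yield (tag, body) per packet, old- or new-format header
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                   # new-format header
            tag, (n, i) = ctb & 0x3F, _length(data, i + 1)
        else:                                            # old-format header
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 3]
            if size is None: raise ValueError("indeterminate length not supported")
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]; i += n

def _subpackets(area):  # yield (type, body) per subpacket of a v4 signature area
    i = 0
    while i < len(area):
        n, i = _length(area, i)
        yield area[i] & 0x7F, area[i + 1:i + n]; i += n  # mask off the 'critical' bit

def find_adks(keyblock):
    """[(area, fp_hex)] per ADK subpacket; 'unhashed' hits lie outside the signed data."""
    found = []
    for tag, body in _packets(keyblock):
        if tag != 2 or body[0] != 4: continue            # only v4 signature packets
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        for name, area in (("hashed", body[6:6 + hlen]),
                           ("unhashed", body[8 + hlen:8 + hlen + ulen])):
            for stype, sbody in _subpackets(area):
                if stype == ADK:  # assumed body layout: class, pk algo, 20-byte fingerprint
                    found.append((name, sbody[2:22].hex()))
    return found

# Constructed sample (not a real or valid key): v4 key + self-signature with an ADK in the UNHASHED area
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body   # new-format, <192 bytes
def _sub(stype, body): return bytes([len(body) + 1, stype]) + body
hashed = _sub(2, b"\x39\xa0\x00\x00")                    # creation time, inside signed data
unhashed = _sub(ADK, b"\x80\x01" + bytes(range(0x10, 0x24)))  # class 0x80, RSA, fake fp
sig = (b"\x04\x13\x01\x02" + struct.pack(">H", len(hashed)) + hashed
       + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd\x00\x08\x55")
SAMPLE_KEY = _pkt(6, b"\x04\x39\xa0\x00\x00\x01\x00\x08\x9d\x00\x02\x03") + _pkt(2, sig)
```

Running `find_adks` over a real exported key block flags any ADK whose fingerprint is not one the key owner placed in the signed area; a hit in the unhashed area is the tampering pattern to investigate.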
Copyright 2000 Computerworld online (US), International Data Group Inc. All rights reserved.