Expired Signing Key - PGP


Thread: Expired Signing Key

  1. Expired Signing Key

    US-CERT (an agency of the U.S. Department of Homeland Security) recently
    issued a bulletin at comp.security.announce about a vulnerability
    affecting Apple computers. The message was signed with a new,
    unannounced PGP key that was, in turn, signed with an expired US-CERT
    key-signing key. Thus, there is no way to verify the origin or
    integrity of the bulletin.

    I mention this problem here because the comp.security.announce newsgroup
    is apparently moderated and failed to post my warning about this.

    --

    David E. Ross


    Q: What's a President Bush cocktail?
    A: Business on the rocks.

  2. Re: Expired Signing Key

    > I mention this problem here because the comp.security.announce newsgroup
    > is apparently moderated and failed to post my warning about this.


    Maybe you're on some list at homeland security soon to be The Bureau of
    Information Retrieval.

    --
    CK


  3. Re: Expired Signing Key

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "David E. Ross" writes:

    >US-CERT (an agency of the U.S. Department of Homeland Security) recently
    >issued a bulletin at comp.security.announce about a vulnerability
    >affecting Apple computers. The message was signed with a new,
    >unannounced PGP key that was, in turn, signed with an expired US-CERT
    >key-signing key. Thus, there is no way to verify the origin or
    >integrity of the bulletin.


    Technically it's a problem. However, the new key was signed before
    the signing key expired, so I see it as a somewhat minor problem.

    What it does show is that even after 7 years the clowns at DHS
    still haven't got their act together.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.9 (GNU/Linux)

    iEYEARECAAYFAkjSWdsACgkQvmGe70vHPUPY7QCfSToBM4azqssl+0tfTz2wfT80
    EwoAn03d01wi7ZYLd0TKB+30l7+N5AzC
    =Xqp9
    -----END PGP SIGNATURE-----

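    The two posts above disagree on exactly one fact a reader can check for
    themselves: was the new key certified while the key-signing key was still
    valid, and how close to expiry are the keys now? The script below is an
    added example, not code from this thread or from US-CERT. It parses the
    machine-readable output of `gpg --with-colons --list-sigs` (pass
    `--fixed-list-mode` on older GnuPG so dates come out as epoch seconds)
    and flags keys that have expired or are about to, certifications whose
    signer had already expired when the signature was made, and
    certifications made by a signer that has expired since. The embedded
    listing, key IDs, user IDs and dates are constructed for the example, and
    `now` is pinned to 18 September 2008 so the output is reproducible.

```python
"""Audit key expiry and certification timing from `gpg --with-colons` output.

Added example; not code from the thread or from US-CERT. Key IDs, user IDs
and timestamps are constructed. Record layout follows the colon format in
GnuPG's doc/DETAILS, with dates as seconds since the epoch (the form emitted
under --fixed-list-mode, which GnuPG 2.1 and later use by default).
"""
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

DAY = 86400

# Constructed sample listing (not real US-CERT keys): a master key-signing
# key that expired on 2008-09-16, an old publications key expiring
# 2008-09-30, a new publications key certified by the master while it was
# still valid, and a key certified one day after the master expired.
SAMPLE_LISTING = """\
pub:e:1024:17:AAAAAAAAAAAAAAAA:1199145600:1221523200::-:::scESC:
uid:e::::1199145600::0000::Example Master Key-Signing Key <master@example.org>::::::::
sig:::17:AAAAAAAAAAAAAAAA:1199145600::::Example Master Key-Signing Key <master@example.org>:13x:
pub:-:1024:17:DDDDDDDDDDDDDDDD:1191196800:1222732800::-:::scESC:
uid:-::::1191196800::0000::Example Publications Key (old) <pubs@example.org>::::::::
sig:::17:DDDDDDDDDDDDDDDD:1191196800::::Example Publications Key (old) <pubs@example.org>:13x:
sig:::17:AAAAAAAAAAAAAAAA:1191196800::::Example Master Key-Signing Key <master@example.org>:10x:
pub:-:1024:17:BBBBBBBBBBBBBBBB:1211414400:1254355200::-:::scESC:
uid:-::::1211414400::0000::Example Publications Key (new) <pubs@example.org>::::::::
sig:::17:BBBBBBBBBBBBBBBB:1211414400::::Example Publications Key (new) <pubs@example.org>:13x:
sig:::17:AAAAAAAAAAAAAAAA:1211414400::::Example Master Key-Signing Key <master@example.org>:10x:
pub:-:1024:17:CCCCCCCCCCCCCCCC:1221609600:1262217600::-:::scESC:
uid:-::::1221609600::0000::Example Late Key <late@example.org>::::::::
sig:::17:CCCCCCCCCCCCCCCC:1221609600::::Example Late Key <late@example.org>:13x:
sig:::17:AAAAAAAAAAAAAAAA:1221609600::::Example Master Key-Signing Key <master@example.org>:10x:
"""


@dataclass
class Key:
    keyid: str
    created: int
    expires: Optional[int]
    uid: str = ""
    # (signer key ID, signature creation time, signature class such as "10x")
    certs: List[Tuple[str, int, str]] = field(default_factory=list)


@dataclass
class Finding:
    keyid: str
    code: str
    detail: str


def parse_colon_listing(text: str) -> Dict[str, Key]:
    """Collect pub/uid/sig records into Key objects keyed by key ID."""
    keys: Dict[str, Key] = {}
    current: Optional[Key] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # field 5: key ID, field 6: creation, field 7: expiry (may be empty)
            current = Key(keyid=f[4], created=int(f[5]),
                          expires=int(f[6]) if f[6] else None)
            keys[current.keyid] = current
        elif f[0] == "uid" and current is not None and not current.uid:
            current.uid = f[9]  # first user ID is enough for the report
        elif f[0] == "sig" and current is not None:
            # field 5: signer key ID, field 6: signature time, field 11: class
            current.certs.append((f[4], int(f[5]), f[10]))
    return keys


def audit(keys: Dict[str, Key], now: int, warn_days: int = 30) -> List[Finding]:
    """Flag expired/expiring keys and certifications by an expired signer."""
    out: List[Finding] = []
    for k in keys.values():
        if k.expires is not None:
            if k.expires <= now:
                out.append(Finding(k.keyid, "key-expired", k.uid))
            elif k.expires - now < warn_days * DAY:
                out.append(Finding(k.keyid, "key-expiring-soon",
                                   "%d days" % ((k.expires - now) // DAY)))
        for signer, sig_time, sig_class in k.certs:
            if signer == k.keyid or not sig_class.startswith("1"):
                continue  # skip self-signatures and non-certification classes
            s = keys.get(signer)
            if s is None:
                out.append(Finding(k.keyid, "certifier-unknown", signer))
            elif s.expires is not None and sig_time > s.expires:
                # Certification made after the certifying key had expired:
                # it says nothing about the key's origin.
                out.append(Finding(k.keyid, "cert-after-certifier-expiry", signer))
            elif s.expires is not None and s.expires <= now:
                # Signed while the certifier was valid, but it has expired
                # since, so no newer keys can be chained to it.
                out.append(Finding(k.keyid, "certifier-expired-since", signer))
            else:
                out.append(Finding(k.keyid, "cert-ok", signer))
    return out


def codes_for(findings: List[Finding], keyid: str) -> List[str]:
    """Finding codes raised for one key, in the order they were found."""
    return [f.code for f in findings if f.keyid == keyid]


def main() -> None:
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    now = int(datetime(2008, 9, 18, tzinfo=timezone.utc).timestamp())  # pinned
    for f in audit(parse_colon_listing(text), now):
        print(f"{f.keyid} {f.code}: {f.detail}")


if __name__ == "__main__":
    main()
```

    Against a real keyring, save `gpg --with-colons --fixed-list-mode
    --list-sigs > keys.txt` and pass that file as the first argument, and
    replace the pinned `now` with the current time. The script deliberately
    does not decide whether a certification made before the certifier's
    expiry still counts; it separates the two cases so that the policy
    question the two posts above argue about is at least visible.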

  4. Re: Expired Signing Key

    "David E. Ross" wrote in message
    news:86udnZwY9vDOR0zVnZ2dnUVZ_tPinZ2d@posted.docknet...
    > US-CERT (an agency of the U.S. Department of Homeland Security) recently
    > issued a bulletin at comp.security.announce about a vulnerability
    > affecting Apple computers. The message was signed with a new,
    > unannounced PGP key that was, in turn, signed with an expired US-CERT
    > key-signing key. Thus, there is no way to verify the origin or
    > integrity of the bulletin.
    >
    > I mention this problem here because the comp.security.announce newsgroup
    > is apparently moderated and failed to post my warning about this.
    >
    > --
    >
    > David E. Ross
    >


    David,

    I'm sure you already know this, but I figured I'd mention this for others
    who may be wondering about the US-CERT PGP key. It can be found here:

    http://www.us-cert.gov/pgp/0x3E1F88AB_public_key.asc

    Neil - Salem, MA USA



  5. Re: Expired Signing Key

    On 9/18/2008 11:15 AM, Neil - Salem, MA USA wrote:
    > "David E. Ross" wrote in message
    > news:86udnZwY9vDOR0zVnZ2dnUVZ_tPinZ2d@posted.docknet...
    >> US-CERT (an agency of the U.S. Department of Homeland Security) recently
    >> issued a bulletin at comp.security.announce about a vulnerability
    >> affecting Apple computers. The message was signed with a new,
    >> unannounced PGP key that was, in turn, signed with an expired US-CERT
    >> key-signing key. Thus, there is no way to verify the origin or
    >> integrity of the bulletin.
    >>
    >> I mention this problem here because the comp.security.announce newsgroup
    >> is apparently moderated and failed to post my warning about this.
    >>
    >
    > David,
    >
    > I'm sure you already know this, but I figured I'd mention this for others
    > who may be wondering about the US-CERT PGP key. It can be found here:
    >
    > http://www.us-cert.gov/pgp/0x3E1F88AB_public_key.asc
    >
    > Neil - Salem, MA USA


    That is the US-CERT "Publications" key (e.g., for Cyber Security Alerts,
    Technical Cyber Security Alerts, Cyber Security Bulletins and Cyber
    Security Tips, announcements at comp.security.announce).

    Although generated almost four months ago, the "Publications" key was
    not placed into use until recently when it replaced the "Publications"
    key that expires in a little less than two weeks. There is also a
    "Security Operations Center" key, which also expires in a little less
    than two weeks. Both were signed by the now-expired "Master
    Key-Signing" key.

    See .

    I became aware of the new "Publications" key only two days ago, which
    was two days after the "Master Key-Signing" key expired. A search of
    public key servers yields that expired "Master Key-Signing" key but no
    newer "Master Key-Signing" key.

    --

    David E. Ross


    Q: What's a President Bush cocktail?
    A: Business on the rocks.


  6. Re: Expired Signing Key

    On Thu, 18 Sep 2008 14:15:11 -0400, Neil - Salem, MA USA wrote:
    > "David E. Ross" wrote in message
    > news:86udnZwY9vDOR0zVnZ2dnUVZ_tPinZ2d@posted.docknet...
    >> US-CERT (an agency of the U.S. Department of Homeland Security) recently
    >> issued a bulletin at comp.security.announce about a vulnerability
    >> affecting Apple computers. The message was signed with a new,
    >> unannounced PGP key that was, in turn, signed with an expired US-CERT
    >> key-signing key. Thus, there is no way to verify the origin or
    >> integrity of the bulletin.
    >>
    >> I mention this problem here because the comp.security.announce newsgroup
    >> is apparently moderated and failed to post my warning about this.
    >>
    >> dashes -- munged here so the rest would come out right
    >>
    >> David E. Ross
    >>

    >
    > David,
    >
    > I'm sure you already know this, but I figured I'd mention this for others
    > who may be wondering about the US-CERT PGP key. It can be found here:
    >
    > http://www.us-cert.gov/pgp/0x3E1F88AB_public_key.asc
    >
    > Neil - Salem, MA USA
    >
    >


    Watch out for placing text below signatures. I see you're using Outlook
    Express -- I don't think OE identifies signatures.

