VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE - PGP


  1. VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    What is the procedure to validate the authenticity of a Microsoft Security
    Bulletin from xyz@Newsletters.Microsoft.com its embedded PGP signature?

    PGP 6.5.3 should be able to validate PGP 7.x & 8.x SIGNATURES right?

    ============
    REF:

    PGP Freeware 6.5.3 returns ...


    *** PGP Signature Status: bad
    *** Signer: Microsoft Security Response Center
    (Invalid)
    *** Signed: 10/15/2003 2:50:08 PM
    *** Verified: 10/15/2003 5:40:29 PM
    *** BEGIN PGP VERIFIED MESSAGE ***

    --------------------------------------------------------------------
    Title: Microsoft Windows Security Bulletin Summary for October 2003
    Issued: October 15, 2003
    Version Number: 1.0
    Bulletin: http://www.microsoft.com/technet/security/winoct03.asp
    --------------------------------------------------------------------

    ....

    --------------------------------------------------------------------
    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.

    ....

    SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
    FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
    LIMITATION MAY NOT APPLY.
    --------------------------------------------------------------------



    *** END PGP VERIFIED MESSAGE ***


    *******************************************************************
    ....

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    ....

    ============

    This is after loading the http://www.microsoft.com/technet/security/MSRC.asc


    NOTE:

    Using PGPkeys.exe I even signed and changed the key properties to trusted
    after confirming:

    FP: 5E39 0633 D6B3 9788 F776 D980 AB7A 9432 for
    ID: 0x3103F52B

    ============

  2. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    What's to validate? It's a virus
    "JJ" wrote in message
    news:149b2638.0310151738.3310964a@posting.google.com...
    > What is the procedure to validate the authenticity of a Microsoft Security
    > Bulletin from xyz@Newsletters.Microsoft.com its embedded PGP signature?
    >
    > PGP 6.5.3 should be able to validate PGP 7.x & 8.x SIGNATURES right?
    >
    > ============
    > REF:
    >
    > PGP Freeware 6.5.3 returns ...
    >
    >
    > *** PGP Signature Status: bad
    > *** Signer: Microsoft Security Response Center
    > (Invalid)
    > *** Signed: 10/15/2003 2:50:08 PM
    > *** Verified: 10/15/2003 5:40:29 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***
    >
    > --------------------------------------------------------------------
    > Title: Microsoft Windows Security Bulletin Summary for October 2003
    > Issued: October 15, 2003
    > Version Number: 1.0
    > Bulletin: http://www.microsoft.com/technet/security/winoct03.asp
    > --------------------------------------------------------------------
    >
    > ...
    >
    > --------------------------------------------------------------------
    > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
    >
    > ...
    >
    > SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
    > FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
    > LIMITATION MAY NOT APPLY.
    > --------------------------------------------------------------------
    >
    >
    >
    > *** END PGP VERIFIED MESSAGE ***
    >
    >
    > *******************************************************************
    > ...
    >
    > To verify the digital signature on this bulletin, please download our PGP
    > key at http://www.microsoft.com/technet/security/notify.asp.
    >
    > ...
    >
    > ============
    >
    > This is after loading the http://www.microsoft.com/technet/security/MSRC.asc
    >
    >
    > NOTE:
    >
    > Using PGPkeys.exe I even signed and changed the key properties to trusted
    > after confirming:
    >
    > FP: 5E39 0633 D6B3 9788 F776 D980 AB7A 9432 for
    > ID: 0x3103F52B
    >
    > ============




  3. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    You went a step further than I did--changing the key properties to trusted.
    I did manage to verify the fingerprint, although I wasn't able to verify the
    download from MIT!

    I'm getting the same result you are, so we must be doing something
    wrong--perhaps in using the older version. If this thread doesn't attract
    someone who should know, like Michel Gallant, I'll see if I can find him or
    someone else.

    'course, maybe the other responder is right and it is a virus! (JOKE)

    "JJ" wrote in message
    news:149b2638.0310151738.3310964a@posting.google.com...
    > What is the procedure to validate the authenticity of a Microsoft Security
    > Bulletin from xyz@Newsletters.Microsoft.com its embedded PGP signature?
    >
    > PGP 6.5.3 should be able to validate PGP 7.x & 8.x SIGNATURES right?
    >
    > ============
    > REF:
    >
    > PGP Freeware 6.5.3 returns ...
    >
    >
    > *** PGP Signature Status: bad
    > *** Signer: Microsoft Security Response Center
    > (Invalid)
    > *** Signed: 10/15/2003 2:50:08 PM
    > *** Verified: 10/15/2003 5:40:29 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***
    >
    > --------------------------------------------------------------------
    > Title: Microsoft Windows Security Bulletin Summary for October 2003
    > Issued: October 15, 2003
    > Version Number: 1.0
    > Bulletin: http://www.microsoft.com/technet/security/winoct03.asp
    > --------------------------------------------------------------------
    >
    > ...
    >
    > --------------------------------------------------------------------
    > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
    >
    > ...
    >
    > SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
    > FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
    > LIMITATION MAY NOT APPLY.
    > --------------------------------------------------------------------
    >
    >
    >
    > *** END PGP VERIFIED MESSAGE ***
    >
    >
    > *******************************************************************
    > ...
    >
    > To verify the digital signature on this bulletin, please download our PGP
    > key at http://www.microsoft.com/technet/security/notify.asp.
    >
    > ...
    >
    > ============
    >
    > This is after loading the http://www.microsoft.com/technet/security/MSRC.asc
    >
    >
    > NOTE:
    >
    > Using PGPkeys.exe I even signed and changed the key properties to trusted
    > after confirming:
    >
    > FP: 5E39 0633 D6B3 9788 F776 D980 AB7A 9432 for
    > ID: 0x3103F52B
    >
    > ============




  4. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > *** PGP Signature Status: bad


    Means the file's been corrupted, probably. Get someone with 8.x to check
    just in case it's a change in standards but I doubt it. See if it has
    wrapped differently from what was intended.
    There should be a line stating the hashing algorithm.

    > *** Signer: Microsoft Security Response Center
    > (Invalid)


    You shouldn't get this if you have signed the key, whether or not the
    message is compromised.

    > *** Signed: 10/15/2003 2:50:08 PM
    > *** Verified: 10/15/2003 5:40:29 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***


    Could you post the original? And I'll see if it decrypts with my version.

    -----BEGIN PGP SIGNATURE-----
    Version: 6.5.8ckt http://www.hn.org/drno/pgp.shtml

    iQA/AwUBP5AULrHlcSptAz1hEQLaNwCg5nOTJ8SIMdj3rpq02jXn/Xr1utcAn3pf
    7o+xSEouo2CVxGu6y4G0dDmT
    =TQgn
    -----END PGP SIGNATURE-----




  5. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    As others have already noted, the "Invalid" merely means you did
    not sign your copy of Micro$oft's public key. You validate a key
    by signing it.

    I can think of three reasons why you get "PGP Signature Status:
    bad". Technically, all of them are equivalent although they
    differ operationally.

    1. Line wrapping occurred in the sender's E-mail client after the
    message was signed. PGP and compatible encryption software wraps
    the lines before signing. If the E-mail client forces an even
    shorter line-length and wraps again, signature verification will
    fail.

    2. Appropriate MIME-compliant character translations between
    unlike platforms did not occur. For example, PGP assumes that all
    end-of-lines are represented by CR-LF, which is the standard PC
    representation; PGP assumes this even for messages signed or
    verified on a UNIX host, where end-of-lines are represented by
    only LF. Any necessary translation occurs for PGP when the
    message is temporarily converted to ASCII-armored before signing.
    The actual message remains in plain-text and thus depends upon the
    E-mail clients -- sending and receiving -- to make any
    translations for unlike hosts. If such translations do not occur
    correctly (or do not occur at all), the ASCII-armored conversion
    during verification might not match the conversion during
    signing.

    3. The message might be a forgery. A hacker or virus might be
    sending these messages after copying the signature from a valid
    Micro$oft message. I often see this on certain newsgroups during
    flame wars.

    In technical terms, all three mean that a non-standard change
    occurred in the message after it was signed.

    Note that I do not receive Micro$oft security bulletins. Most of
    them deal with problems in Internet Explorer, Outlook (or its
    various clones), or M$ server products. I use none of those. I
    use Eudora Lite 3.0.6 (old) for E-mail, Mozilla 1.5 (new this
    week) as my Web browser, and Netscape 4.79 (old but not as old as
    my Eudora) for my newsgroup browser. While these do interface
    with each other, the interfaces are sufficiently weak that I
    minimize the risk of spreading viruses to others. IE and Outlook
    have such strong interfaces with each other (and with Windows and
    Office) that they constitute the primary vehicle for spreading
    viruses, thus making the security bulletins necessary.

    JJ wrote:
    >
    > What is the procedure to validate the authenticity of a Microsoft Security
    > Bulletin from xyz@Newsletters.Microsoft.com its embedded PGP signature?
    >
    > PGP 6.5.3 should be able to validate PGP 7.x & 8.x SIGNATURES right?
    >
    > ============
    > REF:
    >
    > PGP Freeware 6.5.3 returns ...
    >
    > *** PGP Signature Status: bad
    > *** Signer: Microsoft Security Response Center
    > (Invalid)
    > *** Signed: 10/15/2003 2:50:08 PM
    > *** Verified: 10/15/2003 5:40:29 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***
    >
    > --------------------------------------------------------------------
    > Title: Microsoft Windows Security Bulletin Summary for October 2003
    > Issued: October 15, 2003
    > Version Number: 1.0
    > Bulletin: http://www.microsoft.com/technet/security/winoct03.asp
    > --------------------------------------------------------------------
    >
    > ...
    >
    > --------------------------------------------------------------------
    > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
    >
    > ...
    >
    > SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
    > FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
    > LIMITATION MAY NOT APPLY.
    > --------------------------------------------------------------------
    >
    > *** END PGP VERIFIED MESSAGE ***
    >
    > *******************************************************************
    > ...
    >
    > To verify the digital signature on this bulletin, please download our PGP
    > key at http://www.microsoft.com/technet/security/notify.asp.
    >
    > ...
    >
    > ============
    >
    > This is after loading the http://www.microsoft.com/technet/security/MSRC.asc
    >
    > NOTE:
    >
    > Using PGPkeys.exe I even signed and changed the key properties to trusted
    > after confirming:
    >
    > FP: 5E39 0633 D6B3 9788 F776 D980 AB7A 9432 for
    > ID: 0x3103F52B
    >
    > ============



    --

    David E. Ross


    Concerned about someone snooping into your E-mail?
    Use PGP. See my
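
Added example, not part of the thread: a sketch of the cleartext-signature canonicalization described in RFC 4880 section 7, run on a constructed message to show which of the transport changes discussed above alter the signed text. The names `signed_text`, `digest`, `build`, `rewrap` and `compare`, and the sample body, are illustrative assumptions.

```python
import hashlib
import textwrap

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_text(cleartext: str) -> bytes:
    """Canonical bytes covered by a cleartext signature (RFC 4880, section 7)."""
    lines = cleartext.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    start = lines.index(BEGIN_MSG) + 1
    end = lines.index(BEGIN_SIG)
    first = lines.index("", start) + 1      # armor headers end at the first empty line
    body = []
    for line in lines[first:end]:
        if line.startswith("- "):           # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))     # trailing blanks are not signed
    # Lines are hashed with CRLF endings; the line break just before the
    # signature armor is not part of the signed text.
    return "\r\n".join(body).encode("utf-8")

def digest(cleartext: str) -> str:
    """Comparison aid only: the real signature hash also covers signature-packet fields."""
    return hashlib.sha256(signed_text(cleartext)).hexdigest()

def build(body_lines, eol="\r\n"):
    """Assemble a cleartext-signed shell around body_lines (no real signature)."""
    parts = [BEGIN_MSG, "Hash: SHA1", ""] + list(body_lines)
    parts += [BEGIN_SIG, "", "(constructed placeholder)", "-----END PGP SIGNATURE-----"]
    return eol.join(parts) + eol

def rewrap(body_lines, width):
    """What a mail client does when it forces a shorter line length."""
    return [part for line in body_lines for part in (textwrap.wrap(line, width) or [""])]

# Constructed sample body, not a real bulletin.
BODY = [
    "Title: Constructed sample bulletin",
    "- " + "-" * 40,
    "To verify the digital signature on this bulletin, please download our PGP key.",
]

def compare():
    """Map each transport change to whether the signed text is unchanged."""
    ref = digest(build(BODY))
    variants = {
        "lf_line_endings": build(BODY, eol="\n"),
        "trailing_spaces": build([line + "  " for line in BODY]),
        "rewrapped_at_60": build(rewrap(BODY, 60)),
    }
    return {name: digest(msg) == ref for name, msg in variants.items()}

if __name__ == "__main__":
    for name, same in compare().items():
        print(f"{name:16} signed text unchanged: {same}")
```

Only the re-wrapped variant changes the signed text, which matches the broken line wrapping visible in the quoted copies of the bulletin in this thread.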

  6. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    Since when do Microsoft use PGP, they have their own Government Standard
    128 spy-able encryption. :-)

    Neville


    In article <149b2638.0310151738.3310964a@posting.google.com>,
    carridious@mozartmail.com (JJ) wrote:

    > What is the procedure to validate the authenticity of a Microsoft
    > Security
    > Bulletin from xyz@Newsletters.Microsoft.com its embedded PGP signature?
    >
    > PGP 6.5.3 should be able to validate PGP 7.x & 8.x SIGNATURES right?
    >
    > ============
    > REF:
    >
    > PGP Freeware 6.5.3 returns ...
    >
    >
    > *** PGP Signature Status: bad
    > *** Signer: Microsoft Security Response Center
    > (Invalid)
    > *** Signed: 10/15/2003 2:50:08 PM
    > *** Verified: 10/15/2003 5:40:29 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***
    >
    > --------------------------------------------------------------------
    > Title: Microsoft Windows Security Bulletin Summary for October 2003
    > Issued: October 15, 2003
    > Version Number: 1.0
    > Bulletin: http://www.microsoft.com/technet/security/winoct03.asp
    > --------------------------------------------------------------------
    >
    > ...
    >
    > --------------------------------------------------------------------
    > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
    >
    > ...
    >
    > SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
    > FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
    > LIMITATION MAY NOT APPLY.
    > --------------------------------------------------------------------
    >
    >
    >
    > *** END PGP VERIFIED MESSAGE ***
    >
    >
    > *******************************************************************
    > ...
    >
    > To verify the digital signature on this bulletin, please download our
    > PGP
    > key at http://www.microsoft.com/technet/security/notify.asp.
    >
    > ...
    >
    > ============
    >
    > This is after loading the
    > http://www.microsoft.com/technet/security/MSRC.asc
    >
    >
    > NOTE:
    >
    > Using PGPkeys.exe I even signed and changed the key properties to
    > trusted
    > after confirming:
    >
    > FP: 5E39 0633 D6B3 9788 F776 D980 AB7A 9432 for
    > ID: 0x3103F52B
    >
    > ============


  7. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE

    nevilledaniels@cix.compulink.co.uk writes:

    > Since when do Microsoft use PGP, they have their own Government Standard
    > 128 spy-able encryption. :-)


    No, they do not. They've used PGP for years for security announcements.
    You can obtain their public keys on their Web site.

    --
    Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

  8. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESS

    Thanks for the pointer.

    But what is the encryption in Outlook Express and MS Outlook?
    If it is not Microsoft's idea of security. :-))

    Neville

    In article , mxsmanic@hotmail.com (Mxsmanic) wrote:

    > nevilledaniels@cix.compulink.co.uk writes:
    >
    > > Since when do Microsoft use PGP, they have their own Government
    > > Standard 128 spy-able encryption. :-)

    >
    > No, they do not. They've used PGP for years for security announcements.
    > You can obtain their public keys on their Web site.
    >
    > --
    > Transpose hotmail and mxsmanic in my e-mail address to reach me
    > directly.


  9. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESS

    nevilledaniels@cix.compulink.co.uk writes:

    > But what is the encryption in Outlook Express and MS Outlook?
    > If it is not Microsoft's idea of security. :-))


    PGP can be used with any e-mail client. S/MIME can only be used with
    clients that support S/MIME. I suspect that was part of Microsoft's
    reason for choosing PGP.

    --
    Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

  10. Re: VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESS

    In article , mxsmanic@hotmail.com (Mxsmanic) wrote:
    >
    > PGP can be used with any e-mail client. S/MIME can only be used with
    > clients that support S/MIME. I suspect that was part of Microsoft's
    > reason for choosing PGP.
    >


    :-)

    Neville
