|
Date: Thu, 5 May 2016 12:32:03 +0100 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: broken RSA keys On Wed, 04 May 2016 at 21:18:26 -0400, Stanislav Datskovskiy wrote: > 3) The 'mirrored' keys found thus far in no case have valid > self-signatures. (A number of the remaining phuctored keys - do.) Thus > it does not follow from the facts at hand that these particular keys > were generated /by the people and organizations whose names appear in > the user string/ ! Even if these keys had valid self-signatures, that wouldn't imply anything about whether they were generated by the people or organizations named in the uids; anyone could generate a PGP key right now that claimed to be yours or mine or anyone else's. That's why we have the "web of trust", along with competing identity-claiming mechanisms like keybase.io - the generated key wouldn't have (reputable) third-party signatures, unless its generator was able to do some social engineering to obtain them. I would have expected that an attacker trying for things like evil32 would want to have a valid self-signature, and the self-signature isn't magic (it's just an ordinary signature made with the private certification key as far as I know), so I'm a bit confused by why these "mirrored" keys would lack them? S
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.