Bugtraq mailing list archives

RE: Microsoft Security Bulletin MS01-040
From: "Dehner, Ben" <Btd () valmont com>
Date: Thu, 26 Jul 2001 12:54:55 -0500

Am I confused, or does this same problem apply to the key on CERT advisory
CA-2001-21?
*** PGP Signature Status: good
*** Signer: CERT Coordination Center <cert () cert org> (Invalid)
*** Signed: 7/24/2001 8:43:46 PM
*** Verified: 7/26/2001 12:54:13 PM

One of the keys used to sign the key used for this advisory was key ID
0x6A9591D0, also for "cert () cert org", which expired 9/30/2000.

Ben Dehner
Valmont Industries

-----Original Message-----
From: Paul Murphy [mailto:Paul.Murphy () gemini-genomics com]
Sent: Thursday, July 26, 2001 4:15 AM
To: bugtraq () securityfocus com
Subject: Re: Microsoft Security Bulletin MS01-040
As per MS01-038, this bulletin is signed with a PGP key which does not match
the sender, and so does not verify.  The key is for "secure () microsoft com",
while the sender is "secnotif () microsoft com", and as a result PGP reports:

*** PGP Signature Status: good
*** Signer: Microsoft Security Response Center <secure () microsoft com> (Invalid)
*** Signed: 26/07/2001 02:08:04
*** Verified: 26/07/2001 09:58:00

The reason why the signer is invalid is that their key is signed by an
unknown signer (Key ID 0x63303caf). This turns out to be for
"mscert () microsoft com", and expired on 2/1/01.  Is it too much to ask that
they have their key signed by Verisign or some other well-known and trusted
source, and that the keys in use are within their valid period?
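The split verdict both posters quote ("Signature Status: good" but "Signer: ... (Invalid)") is a web-of-trust decision, not a cryptographic one. The following is an added illustration, not code from either poster or from PGP: a deliberately simplified validity rule (no marginal/complete counting) run over a constructed keyring that models the bulletin case. Key ID 0x63303caf, its user ID and its 2/1/01 expiry are taken from the thread (read as 2 January 2001, following the poster's day/month format); the bulletin key's own ID is a placeholder.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Key:
    key_id: str                 # key ID as PGP prints it
    user_id: str                # e-mail from the key's user ID
    expires: Optional[date]     # None = never expires
    certified_by: List[str] = field(default_factory=list)  # IDs of keys that signed this one

def key_is_valid(keyring, key_id, trusted, at, depth=0, max_depth=2):
    """Simplified web-of-trust rule: a key is valid on date 'at' if it is in the
    keyring, unexpired, and either trusted directly or certified by a valid key.
    Expiry is checked before trust, so a trusted but expired certifier counts for nothing."""
    key = keyring.get(key_id)
    if key is None:
        return False, f"{key_id} not in keyring"
    if key.expires is not None and at > key.expires:
        return False, f"{key_id} ({key.user_id}) expired {key.expires.isoformat()}"
    if key_id in trusted:
        return True, f"{key_id} trusted directly"
    if depth >= max_depth:
        return False, f"{key_id} too far from any trusted key"
    reasons = []
    for cert_id in key.certified_by:
        ok, why = key_is_valid(keyring, cert_id, trusted, at, depth + 1, max_depth)
        if ok:
            return True, f"{key_id} certified by {why}"
        reasons.append(why)
    return False, f"{key_id} has no valid certifier: " + "; ".join(reasons)

def check_signature(keyring, signer_id, sender, trusted, signed_on):
    """Report the two facts separately, as PGP does: the signature maths is
    assumed good; signer validity and the sender/user-ID match are the trust
    questions raised in the thread."""
    key = keyring[signer_id]
    valid, why = key_is_valid(keyring, signer_id, trusted, signed_on)
    return {"signature": "good", "signer": key.user_id, "valid": valid,
            "reason": why, "matches_sender": key.user_id == sender}

# Constructed keyring: mscert key expired 2 Jan 2001 and is the only certifier
# of the bulletin key. "PLACEHOLDER-ID" stands in for the bulletin key's real ID.
KEYRING = {
    "0x63303caf": Key("0x63303caf", "mscert@microsoft.com", date(2001, 1, 2)),
    "PLACEHOLDER-ID": Key("PLACEHOLDER-ID", "secure@microsoft.com", None, ["0x63303caf"]),
}
TRUSTED = {"0x63303caf"}   # assume the reader had chosen to trust the mscert key

if __name__ == "__main__":
    print(check_signature(KEYRING, "PLACEHOLDER-ID", "secnotif@microsoft.com",
                          TRUSTED, date(2001, 7, 26)))
```

Run against the bulletin's signing date the result is "good" signature, invalid signer, sender mismatch; the same keyring evaluated before the certifier's expiry yields a valid signer, which is the operational point: expiry of an introducer silently invalidates everything beneath it.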
