Bugtraq mailing list archives

RE: Microsoft Security Bulletin MS01-040


From: "Microsoft Security Response Center" <secure () microsoft com>
Date: Thu, 26 Jul 2001 17:26:26 -0700

Hi Paul -

There are several issues here, some of which relate to the mailer, some
of which involve Microsoft's signing process, and some of which involve
how the PGP product works.  I'll do my best to explain what's happening,
but if you have questions about using PGP, Network Associates is really
the authoritative information source. 

The signature status and the key validity are two different issues
entirely.  The signature status ("good" in your note below) means that
the signature was successfully verified.  This tells you that the email
hasn't been tampered with in transit, and that the public key you used
to verify it is the mate to the private key that was used to sign it.
What this does *not* tell you is whether the key is actually the
Microsoft key -- that's what the validity indicator tells you.  In the
case you cited below, the validity indicator ("invalid") means that PGP
couldn't certify that the key actually is the Microsoft key.  There's a
fine shade of meaning here that's very important.  "Invalid" doesn't
mean that the key isn't the Microsoft key, only that PGP couldn't confirm
that it's the Microsoft key.  PGP assesses the validity of a key by
seeing whether anyone you trust has vouched for its authenticity by
signing it.  In this case, it says that the key is invalid because
nobody you trust has signed it.  

As you noted, there are two signatures on the key.  One is a
self-signature; the other belongs to a group called MS-CERT.  Because
you don't have MS-CERT's key in your keyring, its signature on the key
is meaningless -- it doesn't have any bearing on the key's validity one
way or the other.  We don't ask other parties to sign our key because
there are over 150,000 subscribers to our notification service, and it's
unlikely that there is a key (or even a reasonable set of keys) that is
trusted by all of them.  Instead, we provide a different way to validate
that you've downloaded the bona fide Microsoft key.  You can download
the key via an SSL session, and when downloading the key you can check
the certificate to confirm that you're actually at the Microsoft web
site.  After downloading it, you can check the key's fingerprint against
the one posted on the download page and confirm that they're the same.
(BTW, you're right that the page on the mailer is currently returning an
error.  We're working to get it returned to service, but in the meantime
an alternative URL is
http://www.microsoft.com/technet/security/bulletin/notify.asp).

Because the validity assessment from PGP is based on whether someone you
trust has signed the key, you can, if you like, make the key valid by
signing it yourself.  However, there's no requirement to do this -- PGP
doesn't require that the key be shown as valid in order to use it to verify
the signature.  If you do decide to sign the key, you should only do so
after confirming via one of the methods above that it really is the
Microsoft key.  Don't simply sign the key in order to make the error
message go away.   

You're right that the name on the signing key (secure () microsoft com) is
different from the address that sent the email (secnotif () microsoft com).
However, this has nothing to do with whether the signature can be
verified, nor does it have anything to do with PGP's validity
assessment.  When verifying the signature, PGP selects the right key in
your keyring based on the name associated with the signing key.  The
"from" address on the email doesn't play any part in verifying the
signature.  We use the secure () microsoft com key to sign bulletin mailers
in order to minimize the number of Microsoft keys customers have to have
in their PGP keyrings.  We need to have a key that customers can use to
send us encrypted mail at secure () microsoft com, and we also need one we
can use to sign bulletin mailers.  We concluded that we could avoid a
certain amount of confusion by using the same key for both purposes.  

As you noted, there have been a number of bogus bulletin mailers
circulating lately, and it's a good idea to always confirm the signature
on any mailer you receive.  The signature verification on a mail could
fail for any of a number of innocuous reasons -- the Notification
Service's list server might flip a bit, the mail viewer on your local
machine might reformat the mail when displaying it, etc -- or it could
be a bogus mailer sent by a malicious user.  The signature verification
process doesn't give you any way to know which is the case.  Anytime the
signature verification fails, the best course of action is to visit
www.microsoft.com/technet/security and view the web-hosted version of
the bulletin.  The version on the web is always the authoritative
version.  

Hope that helps explain the situation.  There's more information on this
subject available at
http://www.microsoft.com/technet/itsolutions/security/news/bogus.asp.
Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

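The reply above separates two questions that the PGP GUI shows side by side: "did the signature verify?" and "is this really the publisher's key?", and says the second is settled by comparing the key's fingerprint with the copy on the SSL-protected download page, not by the From: address of the mail. The following is an added example, not part of the original thread or of Microsoft's or NAI's software: it interprets GnuPG's machine-readable `--status-fd` output (GOODSIG/BADSIG, VALIDSIG, TRUST_*) as a stand-in for the 2001 PGP indicators, and pins the signing key's fingerprint. Every fingerprint, key ID, user ID and status line below is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

GNUPG_PREFIX = "[GNUPG:] "

# Fingerprint copied from the publisher's download page over SSL (constructed).
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Case A: signature verifies and the key is the pinned one, but nobody in the
# local web of trust has certified it, so GnuPG reports TRUST_UNDEFINED
# (the "good" / "(Invalid)" pair in the quoted mail).
STATUS_GOOD_UNCERTIFIED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Security Response Center <secure@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2001-07-26 996195600 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Case B: the same mail after the user checked the fingerprint and locally
# signed the key, so web-of-trust validity is now full as well.
STATUS_GOOD_LSIGNED = STATUS_GOOD_UNCERTIFIED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Case C: a bogus mailer signed with a look-alike key; its own signature
# verifies, but the fingerprint is not the pinned one.
STATUS_GOOD_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Security Response Centre <secure@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2001-07-26 996195600 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Case D: the body was altered (or reformatted by the mail viewer) after signing.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Security Response Center <secure@example.com>
"""


def normalize_fpr(fpr: str) -> str:
    """Strip display grouping so '0123 4567 ...' and '01234567...' compare equal."""
    return "".join(fpr.split()).upper()


@dataclass
class Verdict:
    signature_good: bool = False           # GOODSIG/EXPKEYSIG seen, no BADSIG/ERRSIG
    signer_uid: Optional[str] = None       # user ID on the signing key, not the From: header
    key_fingerprint: Optional[str] = None  # taken from VALIDSIG
    trust: Optional[str] = None            # TRUST_UNDEFINED ... TRUST_ULTIMATE
    key_valid: bool = False                # web-of-trust validity (someone you trust signed it)
    pinned: bool = False                   # fingerprint equals the out-of-band copy
    problems: List[str] = field(default_factory=list)

    @property
    def authentic(self) -> bool:
        """A good signature by the pinned key suffices; web-of-trust validity
        is informative but, as the reply says, not required."""
        return self.signature_good and self.pinned


def parse_status(status_text: str, pinned_fingerprints: Set[str]) -> Verdict:
    """Fill in the two independent results from GnuPG --status-fd lines."""
    pinned = {normalize_fpr(f) for f in pinned_fingerprints}
    v = Verdict()
    for raw in status_text.splitlines():
        if not raw.startswith(GNUPG_PREFIX):
            continue                       # ordinary stderr chatter
        fields = raw[len(GNUPG_PREFIX):].split()
        tag = fields[0]
        if tag in ("GOODSIG", "EXPKEYSIG"):
            v.signature_good = True
            v.signer_uid = " ".join(fields[2:])
            if tag == "EXPKEYSIG":
                v.problems.append("signing key has expired")
        elif tag in ("BADSIG", "ERRSIG"):
            v.signature_good = False
            v.problems.append(f"{tag}: signature did not verify")
        elif tag == "VALIDSIG":
            v.key_fingerprint = normalize_fpr(fields[1])
            v.pinned = v.key_fingerprint in pinned
        elif tag.startswith("TRUST_"):
            v.trust = tag
            v.key_valid = tag in ("TRUST_FULLY", "TRUST_ULTIMATE")
    if v.signature_good and not v.pinned:
        v.problems.append("signing key is not the pinned key; treat mailer as bogus")
    elif v.signature_good and not v.key_valid:
        v.problems.append("key not certified by anyone you trust (harmless once pinned)")
    return v


def summarize(status_text: str, pinned_fingerprints: Set[str]) -> str:
    v = parse_status(status_text, pinned_fingerprints)
    head = "AUTHENTIC" if v.authentic else "DO NOT TRUST"
    sig = "good" if v.signature_good else "bad"
    return f"{head} sig={sig} key_valid={v.key_valid} pinned={v.pinned}"


if __name__ == "__main__":
    cases = [("uncertified", STATUS_GOOD_UNCERTIFIED), ("lsigned", STATUS_GOOD_LSIGNED),
             ("wrong key", STATUS_GOOD_WRONG_KEY), ("tampered", STATUS_BAD)]
    for name, text in cases:
        print(f"{name:12} {summarize(text, {PINNED_FPR})}")
```

Case A is the situation in the quoted report: the signature is good and the key is the right one, so the mail is authentic even though the web of trust has not certified the key. Case C is the one to watch for: a forged mailer signed with a different key also produces "good" and "(Invalid)", and only the fingerprint comparison tells the two apart. Case D matches the advice at the end of the reply: a failed verification should send you to the web-hosted bulletin rather than be reasoned about further.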
  


-----Original Message-----
From: Paul Murphy [mailto:Paul.Murphy () gemini-genomics com] 
Sent: Thursday, July 26, 2001 2:15 AM
To: bugtraq () securityfocus com
Subject: Re: Microsoft Security Bulletin MS01-040



As per MS01-038, this bulletin is signed with a PGP key which does not
match the sender, and so does not verify.  The key is for
"secure () microsoft com", while the sender is "secnotif () microsoft com",
and as a result PGP reports:

*** PGP Signature Status: good
*** Signer: Microsoft Security Response Center <secure () microsoft com>
(Invalid)
*** Signed: 26/07/2001 02:08:04
*** Verified: 26/07/2001 09:58:00

The reason why the signer is invalid is that their key is signed by an
unknown signer (Key ID 0x63303caf). This turns out to be for
"mscert () microsoft com", and expired on 2/1/01.  Is it too much to ask
that they have their key signed by Verisign or some other well-known and
trusted source, and that the keys in use are within their valid period?

Worse still, the advisory contains the following paragraph:

To verify the digital signature on this bulletin, please download our 
PGP key at http://www.microsoft.com/technet/security/notify.asp.

This page does not exist - it should perhaps be
        http://www.microsoft.com/technet/security/bulletin/notify.asp
Having just had an incident where someone forged a MS advisory, I would
think that getting this right is perhaps a higher priority than it would
appear to Microsoft...

Best Wishes,

Paul.

-----------------------------------------------------------------------------
Paul Murphy - Head of I.T., Gemini Genomics
162 Science Park, Cambridge CB4 0GH
Tel. 01223 435305 Fax. 01223 435301 http://www.gemini-genomics.com/



_______________________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the Gemini I.T helpdesk on : +44 (0) 1223 435333
_______________________________________________________________________

