oss-sec mailing list archives
Re: broken RSA keys
From: Simon McVittie <smcv () debian org>
Date: Thu, 5 May 2016 12:32:03 +0100
On Wed, 04 May 2016 at 21:18:26 -0400, Stanislav Datskovskiy wrote:
> 3) The 'mirrored' keys found thus far in no case have valid self-signatures. (A number of the remaining phuctored keys - do.) Thus it does not follow from the facts at hand that these particular keys were generated /by the people and organizations whose names appear in the user string/ !
Even if these keys had valid self-signatures, that wouldn't imply anything about whether they were generated by the people or organizations named in the uids; anyone could generate a PGP key right now that claimed to be yours or mine or anyone else's. That's why we have the "web of trust", along with competing identity-claiming mechanisms like keybase.io - the generated key wouldn't have (reputable) third-party signatures, unless its generator was able to do some social engineering to obtain them.

I would have expected that an attacker trying for things like evil32 would want to have a valid self-signature, and the self-signature isn't magic (it's just an ordinary signature made with the private certification key as far as I know), so I'm a bit confused by why these "mirrored" keys would lack them?

S
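The distinction drawn in the message above, as an added example that is not part of the original post: a verifier that reports a valid self-signature separately from certification by an already trusted key. It assumes textbook RSA over constructed toy keys built from Mersenne primes rather than OpenPGP packet formats, and every name in it (`keygen`, `assess`, the sample uid) is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(uid, subject_n, signer_n):
    # Hash of the (uid, subject key) binding, reduced into the signer's modulus.
    h = hashlib.sha256(f"{uid}|{subject_n}".encode()).digest()
    return int.from_bytes(h, "big") % signer_n

def sign(signer, uid, subject_n):
    return pow(digest(uid, subject_n, signer["n"]), signer["d"], signer["n"])

def verify(signer_n, uid, subject_n, sig):
    return pow(sig, E, signer_n) == digest(uid, subject_n, signer_n)

def assess(uid, key_n, self_sig, certs, trusted):
    """certs: list of (certifier_n, sig); trusted: moduli the verifier already trusts."""
    if not verify(key_n, uid, key_n, self_sig):
        return "invalid self-signature"
    # A self-signature only shows the key holder wrote the uid; identity needs
    # a valid certification from a key that is trusted independently.
    if any(c in trusted and verify(c, uid, key_n, s) for c, s in certs):
        return "certified by trusted key"
    return "self-signed only"

def demo():
    uid = "Alice Example <alice@example.org>"  # constructed sample uid
    genuine, lookalike, certifier = keygen(61, 89), keygen(107, 127), keygen(521, 607)
    trusted = {certifier["n"]}
    g_self = sign(genuine, uid, genuine["n"])
    l_self = sign(lookalike, uid, lookalike["n"])
    g_cert = (certifier["n"], sign(certifier, uid, genuine["n"]))
    return (
        assess(uid, genuine["n"], g_self, [g_cert], trusted),
        # Same uid, valid self-signature, certified only by itself:
        assess(uid, lookalike["n"], l_self, [(lookalike["n"], l_self)], trusted),
        # Certification for the genuine key does not transfer to another key:
        assess(uid, lookalike["n"], l_self, [g_cert], trusted),
        # A self-signature copied from a different key does not verify:
        assess(uid, lookalike["n"], g_self, [], trusted),
    )

if __name__ == "__main__":
    print(demo())
```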