
Re: [Bug-ddrescue] Signing Key revoked


From: Bob Proulx
Subject: Re: [Bug-ddrescue] Signing Key revoked
Date: Wed, 8 Mar 2017 17:16:13 -0700
User-agent: NeoMutt/20170113 (1.7.2)

Antonio Diaz Diaz wrote:
> Drew Einhorn wrote:
> > You should probably add a link to the correct signing key to the ddrescue
> > page.
>
> At the very least I'll include the full key fingerprint in the announcements
> from now on. Thanks.

*Everyone* in the keyserver list has a key with a colliding 32-bit
fingerprint and hopefully all of those are revoked.

Here is some background.  Every key in the keyservers has a colliding
32-bit key fingerprint due to some work by security researchers
wanting to prove that 32 bits were insufficient to identify keys.  The
original researchers created a 32-bit fingerprint collision for every
key.  And this was subsequently uploaded to the keyservers!

  https://evil32.com/

  Someone downloaded our copy of the strong set and uploaded all of the
  keys to the SKS keyserver network. :( While we took on this project
  to help prompt GPG to build a more secure ecosystem, this mass clone
  made the keyservers harder for everyone to use. Of course anyone
  could use our tools to regenerate their own strong set clone and do
  this again, but we'd rather our keys not be used that way.

Before the above was widely known someone saw this in the wild.  This
triggered quite a firestorm in the community.

  Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
  https://lkml.org/lkml/2016/8/15/445

A comment on a social news site from one of the evil32 authors, where
they say they revoked all of the keys and give some additional
information:

  evil32 author revokes fake keys
  https://news.ycombinator.com/item?id=12296974

And more discussion if you want to keep going with it.

  https://lwn.net/Articles/689792/

Hope this helps explain the background on those revoked keys with
colliding 32-bit fingerprints.

Bob
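The point Bob makes above, that a 32-bit key ID is trivially forgeable while the full fingerprint is not, comes down to how OpenPGP derives the IDs: the v4 fingerprint is SHA-1 over the public-key packet (RFC 4880 section 12.2), the long key ID is its last 64 bits and the short key ID its last 32. The following is an added example, not code from the mailing-list thread, from ddrescue or from the evil32 project. It computes the fingerprint of a constructed (not real) RSA public-key packet, derives both key IDs, shows a brute-force search for a matching short ID, and gives a check that only accepts the full fingerprint. The key material, timestamps and the idea of varying the creation timestamp as the search's degree of freedom are assumptions made for illustration; the search width is reduced from 32 to 16 bits so it finishes quickly in pure Python, and the cost scales as 2^bits.

```python
"""Short OpenPGP key IDs versus the full v4 fingerprint (added example)."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def build_v4_pubkey_body(created: int, n: bytes, e: bytes) -> bytes:
    """Serialise a v4 RSA public-key packet body (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm byte (1 = RSA), then the
    MPIs n and e (2-byte bit length followed by the big-endian integer).
    The caller passes constructed filler, not a real RSA modulus."""
    def mpi(x: bytes) -> bytes:
        x = x.lstrip(b"\x00") or b"\x00"
        bits = (len(x) - 1) * 8 + x[0].bit_length()
        return struct.pack(">H", bits) + x
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """Fingerprint = SHA-1(0x99 || 2-byte body length || body), 20 bytes."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fp: bytes) -> str:
    """Last 64 bits of the fingerprint (gpg --keyid-format long)."""
    return fp[-8:].hex().upper()


def short_key_id(fp: bytes) -> str:
    """Last 32 bits of the fingerprint: the form evil32 collided."""
    return fp[-4:].hex().upper()


def find_short_id_collision(target_fp: bytes, n: bytes, e: bytes,
                            bits: int = 16,
                            max_tries: Optional[int] = None) -> Optional[Tuple[int, bytes]]:
    """Search creation timestamps for an attacker-controlled key body whose
    fingerprint agrees with target_fp in its low `bits` bits.  The attacker
    keeps its own n/e (so it holds the matching private key) and only varies
    the timestamp.  bits=32 is the real short-ID search: about 2^32 SHA-1
    evaluations on average, which is GPU-feasible but too slow here, so the
    default is 16.  Returns (timestamp, body) or None if max_tries is hit."""
    mask = (1 << bits) - 1
    target = int.from_bytes(target_fp[-4:], "big") & mask
    if max_tries is None:
        max_tries = 1 << (bits + 4)   # failure chance ~ e^-16 per call
    for created in range(max_tries):
        body = build_v4_pubkey_body(created, n, e)
        if int.from_bytes(v4_fingerprint(body)[-4:], "big") & mask == target:
            return created, body
    return None


def key_matches(body: bytes, expected_fingerprint: str) -> bool:
    """Accept a key only on its full 160-bit fingerprint, compared in
    constant time.  A short (8 hex) or long (16 hex) key ID is rejected
    outright instead of being matched as a suffix."""
    expected = expected_fingerprint.replace(" ", "").upper()
    if len(expected) != 40:
        raise ValueError("compare the full 160-bit fingerprint, not a key ID")
    return hmac.compare_digest(v4_fingerprint(body).hex().upper(), expected)


# Constructed demo material (assumption: not real keys, just distinct bytes).
VICTIM_N = bytes(range(1, 65))          # 505-bit filler "modulus"
VICTIM_E = b"\x01\x00\x01"
VICTIM_BODY = build_v4_pubkey_body(1489000000, VICTIM_N, VICTIM_E)
VICTIM_FP = v4_fingerprint(VICTIM_BODY)

ATTACKER_N = bytes(range(64, 0, -1))    # different filler: attacker's own key
ATTACKER_E = b"\x01\x00\x01"


def demo(bits: int = 16) -> dict:
    """Forge a key whose low `bits` bits of key ID match the victim's and
    show that the full-fingerprint check still rejects it."""
    hit = find_short_id_collision(VICTIM_FP, ATTACKER_N, ATTACKER_E, bits)
    assert hit is not None, "search budget exhausted; rerun or lower bits"
    created, fake_body = hit
    fake_fp = v4_fingerprint(fake_body)
    return {
        "victim_fingerprint": VICTIM_FP.hex().upper(),
        "victim_short_id": short_key_id(VICTIM_FP),
        "fake_short_id": short_key_id(fake_fp),
        "fake_timestamp": created,
        "fake_passes_full_check": key_matches(fake_body, VICTIM_FP.hex()),
        "victim_passes_full_check": key_matches(VICTIM_BODY, VICTIM_FP.hex()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical takeaway for the announcements Antonio mentions is to publish and verify the full 40-hex-digit fingerprint (`gpg --fingerprint KEYID`), never the 8-digit short ID, and to refuse any shorter identifier in tooling rather than letting it match a suffix.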


