
Re: [Bug-ddrescue] Signing Key revoked


From: Drew Einhorn
Subject: Re: [Bug-ddrescue] Signing Key revoked
Date: Thu, 09 Mar 2017 02:03:41 +0000

Bob,

That's interesting background on the issue.

It was difficult just finding the wrong signing key.

Perhaps you should update the style manual for all gnu.org project web
pages to require a link to the correct signing key instead of forcing the
users to go searching for it for themselves. Especially since there are
lots of revoked signing keys for folks to stumble across while they are
looking for the correct key.


On Wed, Mar 8, 2017 at 5:16 PM Bob Proulx <address@hidden> wrote:

> Antonio Diaz Diaz wrote:
> > Drew Einhorn wrote:
> > > You should probably add a link to the correct signing key to the
> > > ddrescue page.
> >
> > At the very least I'll include the full key fingerprint in the
> > announcements from now on. Thanks.
>
> *Everyone* in the key server list has a key with a colliding 32-bit
> fingerprint and hopefully all of those are revoked.
>
> Here is some background.  Every key in the keyservers has a colliding
> 32-bit key fingerprint due to some work by security researchers
> wanting to prove that 32-bits was insufficient to identify keys.  The
> original researchers created a 32-bit fingerprint collision for every
> key.  And this was subsequently uploaded to the keyservers!
>
>   https://evil32.com/
>
>   Someone downloaded our copy of the strong set and uploaded all of the
>   keys to the SKS keyserver network. :( While we took on this project
>   to help prompt GPG to build a more secure ecosystem, this mass clone
>   made the keyservers harder for everyone to use. Of course anyone
>   could use our tools to regenerate their own strong set clone and do
>   this again, but we'd rather our keys not be used that way.
>
> Before the above was widely known someone saw this in the wild.  This
> triggered quite a firestorm in the community.
>
>   Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
>   https://lkml.org/lkml/2016/8/15/445
>
> A comment on this social news site from one of the evil32 authors
> where they say they revoked all of the keys and give some additional
> information.
>
>   evil32 author revokes fake keys
>   https://news.ycombinator.com/item?id=12296974
>
> And more discussion if you want to keep going with it.
>
>   https://lwn.net/Articles/689792/
>
> Hope this helps explain the background on those revoked keys with
> colliding 32-bit fingerprints.
>
> Bob
>
-- 
I don't remember, I don't recall
I got no memory of anything at all
    -- Peter Gabriel
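To make the point of the thread concrete, here is an added example (not code from the ddrescue project or from anyone in this thread) that builds an OpenPGP v4 fingerprint the way RFC 4880 specifies it, shows that the 32-bit "short ID" is just the last four bytes of that fingerprint, and implements the check Antonio's announcements enable: accept a key only on its full fingerprint, never on a short or long key ID. The key material is constructed for the example and is not a real key; the birthday-bound helper shows why a keyserver-sized population of 32-bit IDs collides even without anyone trying.

```python
import hashlib
import hmac
import math
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI (RFC 4880 section 3.2): 2-byte bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """V4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(fpr: bytes) -> dict:
    """The identifiers gpg derives from one fingerprint; the short ID is only its last 32 bits."""
    return {
        "fingerprint": fpr.hex().upper(),
        "long_id": fpr[-8:].hex().upper(),   # 64 bits
        "short_id": fpr[-4:].hex().upper(),  # 32 bits: the part evil32 collided
    }

def trusted_key_match(expected_fingerprint: str, candidate: bytes) -> bool:
    """Fail closed: only a full 40-hex-digit fingerprint can match; key IDs are refused."""
    expected = expected_fingerprint.replace(" ", "").upper()
    if len(expected) != 40:
        return False
    return hmac.compare_digest(expected, candidate.hex().upper())

def collision_probability(num_keys: int, id_bits: int) -> float:
    """Birthday bound: chance that some pair among num_keys shares an id_bits-bit identifier."""
    return 1.0 - math.exp(-num_keys * (num_keys - 1) / (2.0 * 2 ** id_bits))

# Constructed sample key material (not a real key): an arbitrary odd 1024-bit number as n, e = 65537.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 4, "big") | 1
SAMPLE_BODY = rsa_public_key_body(created=1489000000, n=SAMPLE_N, e=65537)
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    ids = key_ids(SAMPLE_FPR)
    print("fingerprint:", ids["fingerprint"], "long:", ids["long_id"], "short:", ids["short_id"])
    print("short-ID match accepted?", trusted_key_match(ids["short_id"], SAMPLE_FPR))
    print("4M keys, 32-bit IDs, P(some collision) =", round(collision_probability(4_000_000, 32), 6))
```

The same fail-closed comparison applies when fetching the key: pass the full fingerprint to `gpg --recv-keys` and compare `gpg --fingerprint` output against the fingerprint published in the announcement, not the 8-digit ID shown in older listings.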

