[1431] in linux-security and linux-alert archive
[linux-security] Re: SecureNet PRO - BETA TESTING
daemon@ATHENA.MIT.EDU (Lars Wirzenius)
Wed Feb 5 05:35:39 1997
From: Lars Wirzenius <liw@iki.fi>
To: linux-security@redhat.com
In-Reply-To: Your message of "Thu, 30 Jan 1997 14:29:13 PST."
<199701302229.OAA13389@lunar.skyport.net>
Date: Wed, 05 Feb 1997 05:49:22 +0200
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
--==_Exmh_1128113367P
Content-Type: text/plain; charset=us-ascii
[ Please don't Cc: me when replying to my message on a mailing list. ]
Elliot Turner:
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: 2.6.2
>
> mQCNAzLMz0gAAAEEAJ2aya6yaEfxx+qQ2aGoeyUIg3ETWPjjBfDezWDbosBuxB34
> IV8ynbWmo+bvRZ1L2pn8r/+D2ElO3xnjmnxaeuzHFDpiNpFaGKpuvOcnZCBwNSz5
> t6/QHTE6u2a+96tvRe63PK2Inf0abHMwksFCqcUQx3jpdccKyoPm5sKOgDIZAAUR
> tCdFbGxpb3QgQi4gVHVybmVyIDx0dXJuZXJlQE1pbWVTdGFyLmNvbT4=
> =AH0W
> -----END PGP PUBLIC KEY BLOCK-----
Adding that key to a keyring:
$ pgp -ka foo.asc
Looking for new keys...
pub 1024/8E803219 1997/01/03 Elliot B. Turner <turnere@MimeStar.com>
Checking signatures...
Keyfile contains:
1 new key(s)
One or more of the new keys are not fully certified.
Do you want to certify any of these keys yourself (y/N)?
$
Um, should we trust a security firm that doesn't sign it's own
public key?
Explanation: You can't trust that the username on a public
key is the one the owner of the key pair put there, unless the
username is signed by the private key of the key pair.
I've been toying with writing a simple program to replace
all usernames with a caller specified one, and integrating
this to my finger patch that replaces PGP keys in .plans. (See
http://www.iki.fi/liw/programs/ for the patch. Not nice, perhaps,
but it demonstrates to people why trusting keys got via finger
is a bad idea.)
--
Please read <http://www.iki.fi/liw/mail-to-lasu.html> before mailing me.
Please don't Cc: me when replying to my message on a mailing list.
--==_Exmh_1128113367P
Content-Type: application/pgp-signature
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i
iQCVAwUBMvgDPoQRll5MupLRAQFy5gP8Dusmt9aiGZmzY0tZ+OHYPPnJRVdXt1sn
jfTe7bJ6MtPcqp1+tW596l0o92mo4VQaHWdDLH1yaHteLZGr7ufKl5zmKGWXhksz
f7OP5O6ZGXvY6kaRoa+TpgiqRZ9KEJAzxkwuP1u7XAWcj88/O7W5v3Rp6X8CzFdK
kwGicyjTQug=
=pAHn
-----END PGP MESSAGE-----
--==_Exmh_1128113367P--