[21883] in bugtraq


RE: Microsoft Security Bulletin MS01-040

daemon@ATHENA.MIT.EDU (Dehner, Ben)
Thu Jul 26 17:13:40 2001

Message-ID: <C7AA5E6D0B60D311B1E60000F67D62CB095A135C@VALMAILA>
From: "Dehner, Ben" <Btd@valmont.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Thu, 26 Jul 2001 12:54:55 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

Am I confused, or does this same problem apply to the key on CERT advisory
CA-2001-21?


*** PGP Signature Status: good
*** Signer: CERT Coordination Center <cert@cert.org> (Invalid)
*** Signed: 7/24/2001 8:43:46 PM
*** Verified: 7/26/2001 12:54:13 PM

One of the keys used to sign the key used for this advisory was key ID
0x6A9591D0, also for "cert@cert.org", which expired 9/30/2000.

Ben Dehner
Valmont Industries

-----Original Message-----
From: Paul Murphy [mailto:Paul.Murphy@gemini-genomics.com]
Sent: Thursday, July 26, 2001 4:15 AM
To: bugtraq@securityfocus.com
Subject: Re: Microsoft Security Bulletin MS01-040



As per MS01-038, this bulletin is signed with a PGP key which does not match
the sender, and so does not verify.  The key is for "secure@microsoft.com",
while the sender is "secnotif@microsoft.com", and as a result PGP reports:

*** PGP Signature Status: good
*** Signer: Microsoft Security Response Center <secure@microsoft.com> (Invalid)
*** Signed: 26/07/2001 02:08:04
*** Verified: 26/07/2001 09:58:00

The reason why the signer is invalid is that their key is signed by an
unknown signer (Key ID 0x63303caf). This turns out to be for
"mscert@microsoft.com", and expired on 2/1/01.  Is it too much to ask that
they have their key signed by Verisign or some other well-known and trusted
source, and that the keys in use are within their valid period?
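
The distinction both messages describe (signature status "good" while the signer is "(Invalid)"), as an added example that is not part of the original posts and is not PGP's actual trust computation. It assumes a simplified model in which a certification from an expired or absent key does not count; the two signing key IDs are constructed placeholders, since the posts do not give them.

```python
from datetime import date

# Simplified model, not PGP's actual trust computation (assumption): a key is
# valid if it is unexpired and either trusted directly by the verifier or
# certified by another valid key.
KEYRING = {  # key id -> (user id, expiry date or None)
    "0x6A9591D0": ("cert@cert.org", date(2000, 9, 30)),  # id and expiry from the post
    "0xADVISORY-KEY": ("cert@cert.org", None),           # placeholder id, constructed
    "0xMSRC-KEY": ("secure@microsoft.com", None),        # placeholder id, constructed
}
CERTIFIED_BY = {  # subject key id -> ids of the keys that signed it
    "0xADVISORY-KEY": ["0x6A9591D0"],
    "0xMSRC-KEY": ["0x63303caf"],  # certifier is not in KEYRING
}

def key_validity(key_id, trusted, today, seen=frozenset()):
    """Return (valid, reasons) for key_id as judged on `today`."""
    if key_id not in KEYRING:
        return False, [f"{key_id}: unknown signer (not in keyring)"]
    expires = KEYRING[key_id][1]
    if expires is not None and expires < today:
        return False, [f"{key_id}: expired {expires.isoformat()}"]
    if key_id in trusted:
        return True, [f"{key_id}: trusted by verifier"]
    reasons = []
    for signer in CERTIFIED_BY.get(key_id, []):
        if signer in seen:  # ignore certification loops
            continue
        ok, why = key_validity(signer, trusted, today, seen | {key_id})
        if ok:
            return True, why
        reasons += why
    return False, reasons or [f"{key_id}: no certifications"]

def verify_report(sig_ok, key_id, trusted, today):
    """Report signature integrity and signer validity as two separate results."""
    valid, reasons = key_validity(key_id, trusted, today)
    return ("good" if sig_ok else "bad", "Valid" if valid else "Invalid", reasons)

if __name__ == "__main__":
    for key in ("0xADVISORY-KEY", "0xMSRC-KEY"):
        print(key, verify_report(True, key, {"0x6A9591D0"}, date(2001, 7, 26)))
```

The first element of the result depends only on the cryptographic check; the second depends only on the state of the verifier's keyring on the verification date, which is why the same signature can move from "Valid" to "Invalid" without the message changing.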
