[9429] in bugtraq


Possible Security Problem: Fake PGP Key

daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Feb 9 14:44:44 1999

Date: 	Mon, 8 Feb 1999 19:14:37 +0000
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To:         Apache List <new-httpd@apache.org>,
              apache-ssl@lists.aldigital.co.uk, UKCrypto List 
              <ukcrypto@maillist.ox.ac.uk>,
              cryptography@c2.net, coderpunks@toad.com
To: BUGTRAQ@NETSPACE.ORG

It has come to my attention that there is a faked key out there,
purporting to be mine:

Key ID: 0x6B722A59
Fingerprint: 428C 1E68 35E1 E96C 177A  F49C A906 3F1F 6B72 2A59
Name: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Created: 09/10/98
Type: 2048/1024 DH/DSS

It isn't clear to me what the point of this key is, but since I use PGP
to sign both Apache and Apache-SSL, and given recent Trojans, it isn't
hard to guess.

I didn't create this key. I don't know who did. I have no report of it
being used (yet), but if anyone has seen it used, I'd like to know about
it.

BTW, I observe that it is hard to know that my key is really mine, since
it isn't signed by well-known people. If there's anyone out there who
wants to sign it on the basis that they've seen it sign Apache or
Apache-SSL distributions for several years, that would seem to be at
least as worthwhile as having met me at a key-signing party....

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
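
Added example, not part of the original message or of any project's code: because the faked key carries the same name, a check on release signatures has to compare the full fingerprint rather than the user ID. The sketch assumes verification is done with GnuPG and its `--status-fd` output; the function names, the sample status lines and the pinned fingerprint placeholder are all constructed for illustration.

```python
import re

# Fingerprint of the faked key, copied from the message above.
FAKE_FPR = "428C1E6835E1E96C177AF49CA9063F1F6B722A59"
# Constructed placeholder standing in for a fingerprint the verifier has
# pinned out of band; it is NOT Ben Laurie's real key fingerprint.
PINNED_PLACEHOLDER = "0123456789ABCDEF0123456789ABCDEF01234567"

def normalize(fpr):
    """Drop whitespace and an optional 0x prefix, upper-case the hex."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    return fpr[2:] if fpr.startswith("0X") else fpr

def signer_fingerprints(status_text):
    """Collect signing-key and primary-key fingerprints from VALIDSIG lines."""
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            found.add(normalize(parts[2]))
            if len(parts) >= 12:          # trailing field: primary key fpr
                found.add(normalize(parts[11]))
    return found

def classify(status_text, pinned):
    """Decide by full fingerprint only; the user ID is attacker-chosen."""
    signers = signer_fingerprints(status_text)
    if not signers:
        return "no-valid-signature"
    if FAKE_FPR in signers:
        return "fake-key"                 # deny list wins over everything
    if signers <= {normalize(p) for p in pinned}:
        return "pinned-key"
    return "unknown-signer"

# Constructed status output: same name in GOODSIG, different keys.
USER_ID = "Ben Laurie <ben@gonzo.ben.algroup.co.uk>"
def sample(fpr):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} {USER_ID}\n"
            f"[GNUPG:] VALIDSIG {fpr} 1999-02-01 917827200 0 4 0 17 2 00 {fpr}\n")

if __name__ == "__main__":
    for fpr in (FAKE_FPR, PINNED_PLACEHOLDER):
        print(fpr[-8:], classify(sample(fpr), [PINNED_PLACEHOLDER]))
```

Both constructed samples show the same name in the `GOODSIG` line, so only the fingerprint comparison separates them.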
