Date:      Tue, 05 Aug 2003 12:18:04 -0700
From:      Dave Tweten <tweten@nas.nasa.gov>
To:        freebsd-security@freebsd.org, freebsd-doc@freebsd.org
Subject:   Security-officer PGP Key?
Message-ID:  <88080.1060111084@gilmore.nas.nasa.gov>

When did the PGP key for security-officer@freebsd change (if it did)?  If 
it has changed, why isn't the new one in the FreeBSD Handbook?  If it 
hasn't changed, the security-advisories list seems to have sent out a hoax.

I just received a PGP signed message, supposedly from 
security-officer@freebsd.org, for which I did not have the matching public 
key.  Reflexively, I fetched it, and then began looking into it with an 
eye toward signing it so PGP would no longer call it "untrusted."

To my shock, I found I had two public keys for security-officer, one 
vintage 4/22/1996,

    Fingerprint16 = 41 08 4E BB DB 41 60 71  F9 E5 0E 98 73 AF 3F 11

and the one I had just fetched, dated 8/27/2002

    Fingerprint20(DSS) = C374 0FC5 69A6 FBB1 4AED  B131 15D6 8804 CA6C DFB2
    Fingerprint20(DH) = 1B5B B2D7 767A 3EC7 550F  7B86 E8C9 6EEF A307 1809

My next step was to check the list of valid keys at the back of the 
FreeBSD Handbook.  Further shock.  It lists the 4/22/1996 key and not the 
more recent one just downloaded.  I immediately deleted the more recent 
key, and drafted this message.

So, is the most recent announcement on the security-advisories list a 
hoax?  If not, why isn't the public key used to sign it listed in the 
FreeBSD Handbook?
-- 
M/S 258-5                    |1024-bit PGP fingerprint:|tweten@nas.nasa.gov
NASA Ames Research Center    | 41 B0 89 0A  8F 94 6C 59|     (650) 604-4416
Moffett Field, CA  94035-1000| 7C 80 10 20  25 C7 2F E6|FAX: (650) 604-4377
Not an official NASA position.  You can't even be certain who sent this!
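
The check the message describes, comparing a freshly fetched key against a fingerprint list obtained out of band before signing it, can be scripted. The following is an added example, not part of the original e-mail or of any FreeBSD tooling; the function names are hypothetical and the `gpg --with-colons --fingerprint` listing is constructed from the fingerprints quoted above.

```python
import re

# Fingerprint as printed in the message. Per the message, only the 4/22/1996
# key appeared in the FreeBSD Handbook list at the time of writing.
HANDBOOK_PINNED = ["41 08 4E BB DB 41 60 71  F9 E5 0E 98 73 AF 3F 11"]

# Constructed sample of `gpg --with-colons --fingerprint` output for the key
# the author fetched; timestamps and validity flags are made up.
SAMPLE_LISTING = """\
pub:-:1024:17:15D68804CA6CDFB2:1030406400:::-:::scESC:
fpr:::::::::C3740FC569A6FBB14AEDB13115D68804CA6CDFB2:
uid:-::::1030406400::::security-officer@FreeBSD.org:
sub:-:2048:16:E8C96EEFA3071809:1030406400::::::e:
fpr:::::::::1B5BB2D7767A3EC7550F7B86E8C96EEFA3071809:
"""

def normalize(fp):
    """Strip spacing and case so '41 08 ..' and 'C374 0FC5 ..' compare equal."""
    hexed = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{32}|[0-9A-F]{40}", hexed):
        raise ValueError(f"not a 16- or 20-byte fingerprint: {fp!r}")
    return hexed

def primary_fingerprints(listing):
    """Return (uid, fingerprint) for each primary key in a colon listing."""
    keys, in_primary = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            in_primary = f[0] == "pub"
            if in_primary:
                keys.append({"uid": None, "fpr": None})
        elif f[0] == "fpr" and in_primary and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = normalize(f[9])   # field 10 holds the fingerprint
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]              # field 10 holds the user ID
    return [(k["uid"], k["fpr"]) for k in keys]

def check(listing, pinned):
    """Flag each primary key: True only if its fingerprint is in the pinned list."""
    trusted = {normalize(p) for p in pinned}
    return [(uid, fpr, fpr in trusted)
            for uid, fpr in primary_fingerprints(listing)]

if __name__ == "__main__":
    for uid, fpr, ok in check(SAMPLE_LISTING, HANDBOOK_PINNED):
        verdict = "matches pinned list" if ok else "NOT in pinned list"
        print(f"{uid}: {fpr} -> {verdict}")
```

Only primary-key fingerprints are compared, so pinning a subkey fingerprint by mistake never produces a match.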



