Discussion: Expired Signing Key
David E. Ross
2008-09-18 04:34:25 UTC
US-CERT (an agency of the U.S. Department of Homeland Security) recently
issued a bulletin at comp.security.announce about a vulnerability
affecting Apple computers. The message was signed with a new,
unannounced PGP key that was, in turn, signed with an expired US-CERT
key-signing key. Thus, there is no way to verify the origin or
integrity of the bulletin.

I mention this problem here because the comp.security.announce newsgroup
is apparently moderated and failed to post my warning about this.
--
David E. Ross
<http://www.rossde.com/>

Q: What's a President Bush cocktail?
A: Business on the rocks.
Charlie Kroeger
2008-09-18 05:12:31 UTC
Post by David E. Ross
I mention this problem here because the comp.security.announce newsgroup
is apparently moderated and failed to post my warning about this.
Maybe you're on some list at homeland security soon to be The Bureau of
Information Retrieval.
--
CK
TomT
2008-09-18 06:38:27 UTC
Post by David E. Ross
US-CERT (an agency of the U.S. Department of Homeland Security) recently
issued a bulletin at comp.security.announce about a vulnerability
affecting Apple computers. The message was signed with a new,
unannounced PGP key that was, in turn, signed with an expired US-CERT
key-signing key. Thus, there is no way to verify the origin or
integrity of the bulletin.
I mention this problem here because the comp.security.announce newsgroup
is apparently moderated and failed to post my warning about this.
Is this the bulletin, David?

http://www.us-cert.gov/current/index.html#apple_releases_security_updates_for1

If so, I guess the message is legit and DHS is just sloppy. Gives you a
warm fuzzy feeling heh?

TomT
Neil W Rickert
2008-09-18 13:38:03 UTC
Post by David E. Ross
US-CERT (an agency of the U.S. Department of Homeland Security) recently
issued a bulletin at comp.security.announce about a vulnerability
affecting Apple computers. The message was signed with a new,
unannounced PGP key that was, in turn, signed with an expired US-CERT
key-signing key. Thus, there is no way to verify the origin or
integrity of the bulletin.
Technically it's a problem. However, the new key was signed before
the signing key expired, so I see it as a somewhat minor problem.

What it does show is that even after 7 years the clowns at DHS
still haven't got their act together.
Neil - Salem, MA USA
2008-09-18 18:15:11 UTC
Post by David E. Ross
US-CERT (an agency of the U.S. Department of Homeland Security) recently
issued a bulletin at comp.security.announce about a vulnerability
affecting Apple computers. The message was signed with a new,
unannounced PGP key that was, in turn, signed with an expired US-CERT
key-signing key. Thus, there is no way to verify the origin or
integrity of the bulletin.
I mention this problem here because the comp.security.announce newsgroup
is apparently moderated and failed to post my warning about this.
--
David E. Ross
<http://www.rossde.com/>
David,

I'm sure you already know this, but I figured I'd mention this for others
who may be wondering about the US-CERT PGP key. It can be found here:

http://www.us-cert.gov/pgp/0x3E1F88AB_public_key.asc

Neil - Salem, MA USA
David E. Ross
2008-09-18 22:00:41 UTC
On 9/18/2008 11:15 AM, Neil - Salem, MA USA wrote:
Post by Neil - Salem, MA USA
Post by David E. Ross
US-CERT (an agency of the U.S. Department of Homeland Security) recently
issued a bulletin at comp.security.announce about a vulnerability
affecting Apple computers. The message was signed with a new,
unannounced PGP key that was, in turn, signed with an expired US-CERT
key-signing key. Thus, there is no way to verify the origin or
integrity of the bulletin.
I mention this problem here because the comp.security.announce newsgroup
is apparently moderated and failed to post my warning about this.
David,
I'm sure you already know this, but I figured I'd mention this for others
http://www.us-cert.gov/pgp/0x3E1F88AB_public_key.asc
Neil - Salem, MA USA
That is the US-CERT "Publications" key (e.g., for Cyber Security Alerts,
Technical Cyber Security Alerts, Cyber Security Bulletins and Cyber
Security Tips, announcements at comp.security.announce).

Although generated almost four months ago, the "Publications" key was
not placed into use until recently when it replaced the "Publications"
key that expires in a little less than two weeks. There is also a
"Security Operations Center" key, which also expires in a little less
than two weeks. Both were signed by the now-expired "Master
Key-Signing" key.

See <http://www.us-cert.gov/pgp/email.html>.

I became aware of the new "Publications" key only two days ago, which
was two days after the "Master Key-Signing" key expired. A search of
public key servers yields that expired "Master Key-Signing" key but no
newer "Master Key-Signing" key.
--
David E. Ross
<http://www.rossde.com/>

Q: What's a President Bush cocktail?
A: Business on the rocks.
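The distinction drawn in this thread (Neil Rickert's point that the new key was certified before the key-signing key expired, and David's point that the certifier can no longer be found on key servers) is something a recipient can check mechanically. The following is an added example, not code from any poster or from US-CERT: it parses constructed `gpg --with-colons --list-sigs` style output and classifies each third-party certification by whether it was made while the certifier was valid, whether the certifier has since expired, or whether the certifier key is simply unavailable. All key IDs and dates in the fixture are placeholders, not US-CERT's real values.

```python
"""Added example, not from any poster: check each certification on a key against
the certifier's expiry (the point Neil Rickert raises). Key IDs/dates are placeholders."""
from datetime import datetime, timezone

# Constructed gpg '--with-colons --list-sigs' style output: a key-signing key that expired
# 2008-09-16, a key it certified in May, one certified after expiry, one certified by an unknown key.
SAMPLE = """\
pub:e:1024:17:AAAAAAAAAAAAAAAA:2001-09-01:2008-09-16::-:Master Key-Signing (placeholder):
sig:::17:AAAAAAAAAAAAAAAA:2001-09-01::::Master Key-Signing (placeholder):13x:
pub:-:2048:1:000000003E1F88AB:2008-05-22:2009-05-22::-:Publications (placeholder):
sig:::1:000000003E1F88AB:2008-05-22::::Publications (placeholder):13x:
sig:::17:AAAAAAAAAAAAAAAA:2008-05-22::::Master Key-Signing (placeholder):10x:
sig:::1:BBBBBBBBBBBBBBBB:2008-05-22::::[User ID not found]:10x:
pub:-:2048:1:CCCCCCCCCCCCCCCC:2008-09-17:2009-09-17::-:Late key (placeholder):
sig:::17:AAAAAAAAAAAAAAAA:2008-09-17::::Master Key-Signing (placeholder):10x:
"""

def parse_date(field):
    """gpg prints epoch seconds (gpg2) or YYYY-MM-DD (gpg 1.x); '' means no expiry."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)
def parse_colons(text):
    """Return ({key_id: (created, expires)}, [(subject, certifier, made_at), ...])."""
    keys, certs, current = {}, [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                   # fields: type,validity,bits,algo,keyid,created,expires
            current = f[4]
            keys[current] = (parse_date(f[5]), parse_date(f[6]))
        elif f[0] == "sig" and current and f[4] != current:   # skip self-signatures
            certs.append((current, f[4], parse_date(f[5])))
    return keys, certs

def check_certs(keys, certs, now):
    """Classify each third-party certification as it would be judged at time 'now'."""
    out = []
    for subject, certifier, made in certs:
        if certifier not in keys:
            status = "certifier-key-unavailable"        # nothing to verify against
        else:
            expires = keys[certifier][1]
            if expires and made > expires:
                status = "made-after-certifier-expiry"  # never a valid certification
            elif expires and now > expires:
                status = "ok-but-certifier-now-expired" # made in time; chain is now stale
            else:
                status = "ok"
        out.append((subject, certifier, status))
    return out
```

Run against real output by piping `gpg --with-colons --list-sigs <keyid>` into `parse_colons` and passing the current time as `now`.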
Tim Murray
2008-09-19 12:48:17 UTC
Post by Neil - Salem, MA USA
Post by David E. Ross
US-CERT (an agency of the U.S. Department of Homeland Security) recently
issued a bulletin at comp.security.announce about a vulnerability
affecting Apple computers. The message was signed with a new,
unannounced PGP key that was, in turn, signed with an expired US-CERT
key-signing key. Thus, there is no way to verify the origin or
integrity of the bulletin.
I mention this problem here because the comp.security.announce newsgroup
is apparently moderated and failed to post my warning about this.
dashes -- munged here so the rest would come out right
David E. Ross
<http://www.rossde.com/>
David,
I'm sure you already know this, but I figured I'd mention this for others
http://www.us-cert.gov/pgp/0x3E1F88AB_public_key.asc
Neil - Salem, MA USA
Watch out for placing text below signatures. I see you're using Outlook
Express -- I don't think OE identifies signatures.
