From: “W. Kinney” <kinney@ucsu.Colorado.EDU>
To: cypherpunks@toad.com
Message Hash: e172306cd9f0196b2431a456068a35338800e7070a0c676553d47700c9682ebe
Message ID: <199312031653.AA02164@ucsu.Colorado.EDU>
Reply To: N/A
UTC Datetime: 1993-12-03 16:54:06 UTC
Raw Date: Fri, 3 Dec 93 08:54:06 PST
From: "W. Kinney" <kinney@ucsu.Colorado.EDU>
Date: Fri, 3 Dec 93 08:54:06 PST
To: cypherpunks@toad.com
Subject: HELP! Unnerving MacPGP Glitch!
Message-ID: <199312031653.AA02164@ucsu.Colorado.EDU>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
Hmm. Seems the Curve Software public key I sent out has a "bad signature"
attached... namely my personal PGP key, with which I signed the new key.
Here's what happened -- perhaps someone can explain why: I generated a new
key for Curve Software, and signed it with my other key, while it was in my
secret key ring (should be ok, right?). I then extracted the new key to an
ascii file. When this new key and signature are added to my public keyring,
it tells me that the signature is bad. I then select removal of the bad
signature, and MacPGP gives me a dialog that says
"File pubring.$01 already exists. Overwrite? (y/n)"
If I select "yes", I get the dialog back over and over. If I select no, the
dialog goes away and the Curve Encrypt key ends up in my public key ring,
_with the signature still attached_. Now when I verify the signature of the
key while it's on the ring, it is flagged as valid.
What the hell? It must have something to do with having signed a key on my
secret ring, which was kind of a weird thing to do, I guess. And now I'm all
worried that somehow I've compromised the security of one or both of these
keys.
The second problem I have is how to correct the bad signature in all the
copies of the Curve Software public key that are out there? Should I leave
the bad sig in there and sign it again? Should I remove the bad sig and
re-sign it? Should I just issue revocation certificates for everything and
start over?
Seems like it ought to be all right to remove the bad sig, re-sign the key,
and post the same key with the new signature to the list, signed with itself
so that people who already have it in their pubring can verify its veracity.
Still, this will be good fuel for paranoia -- "here's the public key for
verifying this encryption software... OOPS! screwed it up, here's a NEW key!"
Advice appreciated. I don't want to release the code to the Beta testers
until this security issue is resolved.
-- Will
-----BEGIN PGP SIGNATURE-----
Version: 2.3
iQCVAgUBLP8JZPfv4TpIg2PxAQGaIQP9GW5D5c695lys23opUDogxlIEvFuCDnKS
GK9F5zsAWSwcXLxvRg05Wr59+/xtLPAxWat+wsdg5hdVCXFMECPCALwgC75H0Vpw
2wql24ZobSwJFLY+AXDSxscMUwZwLr5j9PtN6GL/EUubRihH7JXs2tzsupvdlde8
j5p0J5ZvwhM=
=1aLJ
-----END PGP SIGNATURE-----
Return to December 1993
Return to ““W. Kinney” <kinney@ucsu.Colorado.EDU>”
1993-12-03 (Fri, 3 Dec 93 08:54:06 PST) - HELP! Unnerving MacPGP Glitch! - “W. Kinney” <kinney@ucsu.Colorado.EDU>