On Tue, 15 Sep 2015, John Young wrote:
-----BEGIN PGP SIGNED MESSAGE-----
by unknown key.
I have learned today that all PGP public keys of John Young <j...@pipeline.com> and Cryptome <crypt...@earthlink.net> have been compromised. The keys have been revoked today.
Revocation could have been done by the person who stole the keys too. That in itself is not good enough.
Two new keys have been generated today:
John Young 15-0915 <j...@pipeline.com> 0xD87D436C
Cryptome 15-0915 <crypt...@earthlink.net> 0x8CD47BD5
Which I cannot find on either pgp.mit.edu or pgp.surfnet.nl. I did find them on keyserver.pgp.com, but I don't know who runs it and with the additional captcha software, no idea if that is compromised :P It is announced using short keyids, not to be trusted, and no fingerprints although we can get those from the key used to sign this message I guess.

$ gpg --list-sigs D87D436C
pub   4096R/D87D436C 2015-09-15
uid                  John Young 15-0915 <j...@pipeline.com>
sig N       D87D436C 2015-09-15  John Young 15-0915 <j...@pipeline.com>
sig         CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/79F82F3B 2015-09-15
sig         D87D436C 2015-09-15  John Young 15-0915 <j...@pipeline.com>

$ gpg --list-sigs 8CD47BD5
pub   4096R/8CD47BD5 2015-09-15
uid                  Cryptome 15-0915 <crypt...@earthlink.net>
sig N       8CD47BD5 2015-09-15  Cryptome 15-0915 <crypt...@earthlink.net>
sig         CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/27BCF5FB 2015-09-15
sig         8CD47BD5 2015-09-15  Cryptome 15-0915 <crypt...@earthlink.net>

The keys are both announced but not signed by each other? I fetched CA57AD7C which has 6863 signatures on it. It seems to be some PGP global directory key, signed by a few people I know, but still seems to be only proof that it came from the keyserver, not that the key actually belongs to you.
This message is signed by the first.
But is that first key signed by the old keys? (Which of course could also have been done by the attacker, so you need to re-start a web of trust with some of your personal confidants.)
-----BEGIN PGP SIGNATURE-----
from an unknown key - with no direct signatures of any known trustable key run by a human.

Paul

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
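Added example, not from the thread: a check for the question raised above, namely whether a newly announced key carries a certification from a key already trusted by full fingerprint, as opposed to only a self-signature and a keyserver directory signature. It parses `gpg --list-sigs --with-colons` output; every listing, fingerprint and user ID in it is a constructed placeholder, not the real keys discussed.

```python
"""Does an announced key carry a certification from a key we trust by full
fingerprint?  Added example; all listings and fingerprints are constructed."""

TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder, verified in person
TRUSTED_FINGERPRINTS = {TRUSTED_FPR}
NEW_FPR = "FFFFFFFFFFFFFFFFFFFFFFFF1111222233334444"       # placeholder new key

# Constructed, abbreviated `gpg --list-sigs --with-colons` records: a primary key
# with a self-signature and a certification from an unknown directory key (the
# situation in the thread), followed by an encryption subkey and its binding sig.
LISTING_AS_ANNOUNCED = """\
pub:-:4096:1:1111222233334444:1442275200:::-:::scESC:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF1111222233334444:
uid:-::::1442275200::::Example New Key <new@example.invalid>:
sig:::1:1111222233334444:1442275200::::Example New Key <new@example.invalid>:13x:
sig:::1:5555666677778888:1442275200::::[User ID not found]:10x:
sub:-:4096:1:9999AAAABBBBCCCC:1442275200:::::e:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEE9999AAAABBBBCCCC:
sig:::1:1111222233334444:1442275200::::Example New Key <new@example.invalid>:18x:
"""
# The same key after a personally verified confidant has certified it.
TRUSTED_SIG = "sig:::1:89ABCDEF01234567:1442275200::::Trusted Friend <f@example.invalid>:10x:\n"
LISTING_WITH_TRUSTED_CERT = LISTING_AS_ANNOUNCED.replace("sub:", TRUSTED_SIG + "sub:", 1)

def long_id(fingerprint):
    """A v4 long key ID is the last 16 hex digits of the fingerprint; the short
    8-digit IDs used in the announcement are too small to match against safely."""
    return fingerprint[-16:].upper()

def parse_colon_listing(text):
    """Map each primary key fingerprint to the long key IDs that signed its user IDs."""
    keys, section, current = {}, None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            section = f[0]
            if section == "pub":
                current = None            # fingerprint arrives on the next fpr record
        elif f[0] == "fpr" and section == "pub" and current is None:
            current = f[9].upper()        # field 10 of an fpr record
            keys[current] = []
        elif f[0] == "sig" and section == "pub" and current:
            keys[current].append(f[4].upper())   # field 5: signer's long key ID
    return keys

def assess(listing, trusted=TRUSTED_FINGERPRINTS):
    """Trusted fingerprints that certified each key; self-signatures and signers
    we cannot tie to a trusted full fingerprint count for nothing."""
    by_id = {long_id(fp): fp for fp in trusted}
    report = {}
    for fpr, signers in parse_colon_listing(listing).items():
        others = {s for s in signers if s != long_id(fpr)}
        report[fpr] = sorted(by_id[s] for s in others if s in by_id)
    return report
```

Run against a real key with `gpg --list-sigs --with-colons <fingerprint>` piped into `assess`; an empty list for a key means nothing beyond the keyserver vouches for it.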