

Totally Legit Signing Key?


On Tue, Mar 5, 2019 at 9:06 AM Ben Finney <ben+python at benfinney.id.au> wrote:
>
> Peter Otten <__peter__ at web.de> writes:
>
> > $ gpg --import pubkeys.txt
> > [?]
> > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 neue Signaturen
> > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" importiert
> > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > [...]
> >
> > Now "totally legit" does sound like anything but "totally legit".
>
> Another clue is in the email address for that key: the "example.org"
> domain is guaranteed to never resolve to any machine on the internet.

(More or less - that domain DOES resolve (and has an explanatory web
site running on both HTTP and HTTPS), but it's guaranteed never to be
anything more significant than an example.)

Also of note is that the user portion of the address is "Mallory", a
well-known member of the "Alice and Bob" set of names.

https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characters

So I would expect these keys to be used for example malicious messages
or mis-signed content, to test the recognition of legit signatures.

If those keys are included in the pubkeys.txt download, it's minorly
wasteful, but not a major problem.

ChrisA
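As an added example (not code from this thread or from the Python release process), a small Python check that applies the clues discussed above to a `gpg --with-colons` key listing: it flags user IDs under RFC 2606 reserved domains such as example.org, and, because the quoted import output prints short ID 487034E5 both for Steve Dower's key and for one of the "Totally Legit" keys, it also flags distinct fingerprints that share the same 32-bit short ID. The sample listing is constructed and its fingerprints are placeholders; only the trailing short IDs are taken from the quoted output.

```python
import re
from collections import defaultdict
# RFC 2606 reserves these names; mail to them never reaches a real person.
RESERVED = ("example.com", "example.net", "example.org", "example", "test", "invalid", "localhost")

# Constructed sample in gpg's colon format, modelled on the import output quoted above.
# Fingerprints are placeholders; only their last 8 hex digits (the short key IDs gpg
# printed) come from the thread, where 487034E5 appears twice.
SAMPLE_LISTING = """\
pub:u:4096:1:11111111487034E5:1483228800::::::::::
fpr:::::::::11111111111111111111111111111111487034E5:
uid:u::::1483228800::0::Steve Dower (Python Release Signing) <steve.dower@microsoft.com>::::::::::
pub:u:4096:1:2222222210250568:1483228800::::::::::
fpr:::::::::2222222222222222222222222222222210250568:
uid:u::::1483228800::0::Lukasz Langa (GPG langa.pl) <lukasz@langa.pl>::::::::::
pub:u:4096:1:33333333487034E5:1483228800::::::::::
fpr:::::::::33333333333333333333333333333333487034E5:
uid:u::::1483228800::0::Totally Legit Signing Key <mallory@example.org>::::::::::
"""

def parse_listing(text):
    """Return [{'fpr': ..., 'uids': [...]}] for each primary key in the listing."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                                  # new primary key
            keys.append({"fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]                         # first fpr after pub = primary
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def audit(keys):
    """Map fingerprint -> reasons the key deserves manual scrutiny before use."""
    reasons = defaultdict(list)
    by_short_id = defaultdict(list)
    for k in keys:
        by_short_id[k["fpr"][-8:]].append(k["fpr"])
        for uid in k["uids"]:
            m = re.search(r"<[^>@]+@([^>]+)>", uid)
            domain = m.group(1).lower() if m else ""
            if any(domain == d or domain.endswith("." + d) for d in RESERVED):
                reasons[k["fpr"]].append(f"reserved example domain in {uid!r}")
    # Distinct fingerprints sharing a 32-bit short ID cannot be told apart by that ID alone.
    for short, fprs in by_short_id.items():
        if len(fprs) > 1:
            for fpr in fprs:
                reasons[fpr].append(f"short ID {short} shared with another key")
    return dict(reasons)
```

Real input for `parse_listing` can be produced with `gpg --with-colons --import-options show-only --import pubkeys.txt`, which lists the keys without adding them to the keyring.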