[tor-project] Problems fetching Debian package archive signing key (0xEE8CBC9E886DDD89)
Jonathan Marquardt
mail at parckwart.de
Fri Feb 1 12:08:03 UTC 2019
Update:
I took a closer look at the key that broke the Tor key with its signature:
pub rsa4096/4F3F50786C401DCE 2015-10-04 [SC]
17F9D6D43CE4DDEE4178548C4F3F50786C401DCE
uid Richie <ryetschye at web.de>
uid Richie <ryetschye at posteo.ru>
uid Richie <ryetschye at ironcomputing.de>
uid Richie (IRONCOMPUTING) <richie at ironcomputing.de>
uid Richie (IRONCOMPUTING) <richie at irconcomputing.de>
uid Richie <richard.gottschalk at stud.uni-regensburg.de>
uid Richie (IronComputing KG) <richie at ironcomputing.de>
uid Do not use SKS keyserver sites (no validity checks) <@>
uid Do not use SKS keyserver sites (no validity checks) <https://bitbucket.org/skskeyserver/sks-keyserver/issues/41>
Apparently, someone wants to turn people's attention to this ticket:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/41
Although the more appropriate ticket to link to in this case would be this one:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/57
The problem is basically that anyone can dump a whole bunch of data into the
UID field of their key and upload it, which overloads both the keyservers and
the PGP clients. I've already sent a mail to Kristian Fiskerstrand (the
developer of SKS keyserver), explaining the problem.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
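
Added example, not part of the original message: a pre-import check that walks the RFC 4880 packets of a binary (unarmored) key and reports User ID packets that are oversized or too numerous, the condition described above. The function names, the two limits and the sample key bytes are assumptions constructed for illustration.

```python
TAG_USER_ID = 13            # RFC 4880 packet tag for User ID packets
MAX_UID_BYTES = 2048        # assumed policy limit, not taken from the post
MAX_UID_COUNT = 32          # assumed policy limit, not taken from the post

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary (unarmored) OpenPGP key."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                               # new-format header
            tag = hdr & 0x3F
            first, pos = int.from_bytes(data[pos:pos + 1], "big"), pos + 1
            if first < 192:                          # one-octet length
                length = first
            elif first < 224:                        # two-octet length
                length = ((first - 192) << 8) + int.from_bytes(data[pos:pos + 1], "big") + 192
                pos += 1
            elif first == 255:                       # five-octet length
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body length not expected in a key")
        else:                                        # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not expected in a key")
            size = 1 << ltype                        # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):                 # also catches a cut-off header
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def audit_key(data):
    """Return findings about the User ID packets of one key, before any import."""
    uids = [body for tag, body in iter_packets(data) if tag == TAG_USER_ID]
    findings = []
    if len(uids) > MAX_UID_COUNT:
        findings.append(f"{len(uids)} user IDs (limit {MAX_UID_COUNT})")
    findings += [f"user ID #{i}: {len(b)} bytes (limit {MAX_UID_BYTES})"
                 for i, b in enumerate(uids) if len(b) > MAX_UID_BYTES]
    return findings

def new_packet(tag, body):  # builds a new-format packet for the sample below
    return bytes([0xC0 | tag, 255]) + len(body).to_bytes(4, "big") + body
# Constructed sample: dummy key body, one ordinary user ID, one 100 kB user ID.
SAMPLE = (new_packet(6, b"\x04" * 16) + new_packet(13, b"Alice <alice@example.org>")
          + new_packet(13, b"A" * 100_000))
print(audit_key(SAMPLE))
```

The check reads only packet headers and lengths, so it can run on a downloaded key before the key is handed to the PGP client.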