by lawnchair_larry
4044 days ago
I feel like everyone is being quick to write this off as "some random, harmless error", probably because the focus is that RSA is not broken, rather than asking what this was really about.

"The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key."

I'd be curious to explore that further. This kernel developer has been targeted in the past: http://arstechnica.com/security/2013/09/who-rooted-kernel-or...

"During that time, attackers were able to monitor the activities of anyone using the kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers."

Edit: The key in question was created the day before this post by HPA regarding the compromise: https://lwn.net/Articles/460376/
Relevant GPG thread: https://lists.gnupg.org/pipermail/gnupg-users/2015-May/05354...
Relevant SKS thread: https://lists.nongnu.org/archive/html/sks-devel/2015-05/msg0...