[Cryptography] [cryptography] JYA and Cryptome Keys Compromised

Razer Rayzer at riseup.net
Tue Sep 15 15:50:12 PDT 2015


Found jya's new key @sks

http://sks.pkqs.net/pks/lookup?search=jya%40pipeline.com&fingerprint=on&op=index&exact=off

On 09/15/2015 03:39 PM, John Young wrote:
> Correct analysis. First was get out a prompt notice to wave off users,
> then proceed with other authentications. Toughest problem is how to
> avoid another compromise of new keys since so many ways to do
> that have arisen and/or suspected over the life of PGP and other
> systems. WoT is problematic too, as are key signing parties, and
> so on. Other systems claim to be better, and we are using some of
> them, waiting and watching and suspecting are the lessons learned
> from stalwart testbed PGP in all its guises and disguises.
>
> We likely would not have discovered the compromises if not for
> those lessons.
>
> Nor do we mind starting from scratch, perhaps a bit more often
> than 11 years. Tornados do happen out side alleys of easy
> prediction (this is not a cyphersec sales motto).
>
> At 04:22 PM 9/15/2015, Paul Wouters wrote:
>> On Tue, 15 Sep 2015, John Young wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> by unknown key.
>>
>>> I have learned today that all PGP public keys of John Young
>>> <jya at pipeline.com> and Cryptome <cryptome at earthlink.net> have been
>>> compromised.
>>>
>>> The keys have been revoked today.
>>
>> Revocation could have been done by the person who stole the keys too.
>> That in itself is not good enough.
>>
>>> Two new keys have been generated today:
>>>
>>> John Young 15-0915 <jya at pipeline.com> 0xD87D436C
>>> Cryptome 15-0915 <cryptome at earthlink.net> 0x8CD47BD5
>>
>> Which I cannot find on either pgp.mit.edu or pgp.surfnet.nl. I did
>> find them on keyserver.pgp.com, but I don't know who runs it and with
>> the additional captcha software, no idea if that is compromised :P
>>
>> It is announced using short keyids, not to be trusted, and no
>> fingerprints, although we can get those from the key used to sign this
>> message I guess.
>>
>> $ gpg --list-sigs D87D436C
>> pub   4096R/D87D436C 2015-09-15
>> uid                  John Young 15-0915 <jya at pipeline.com>
>> sig      N   D87D436C 2015-09-15  John Young 15-0915 <jya at pipeline.com>
>> sig          CA57AD7C 2015-09-15  [User ID not found]
>> sub   4096R/79F82F3B 2015-09-15
>> sig          D87D436C 2015-09-15  John Young 15-0915 <jya at pipeline.com>
>>
>> $ gpg --list-sigs 8CD47BD5
>> pub   4096R/8CD47BD5 2015-09-15
>> uid                  Cryptome 15-0915 <cryptome at earthlink.net>
>> sig      N   8CD47BD5 2015-09-15  Cryptome 15-0915 <cryptome at earthlink.net>
>> sig          CA57AD7C 2015-09-15  [User ID not found]
>> sub   4096R/27BCF5FB 2015-09-15
>> sig          8CD47BD5 2015-09-15  Cryptome 15-0915 <cryptome at earthlink.net>
>>
>> The keys are both announced but not signed by each other?
>>
>> I fetched CA57AD7C which has 6863 signatures on it. It seems to be some
>> PGP global directory key, signed by a few people I know, but still
>> seems to be only proof that it came from the keyserver, not that the
>> key actually belongs to you.
>>
>>> This message is signed by the first.
>>
>> But is that first key signed by the old keys? (Which of course could
>> also have been done by the attacker, so you need to re-start a web of
>> trust with some of your personal confidants.)
>>
>>> -----BEGIN PGP SIGNATURE-----
>>
>> from an unknown key - with no direct signatures of any known trustable
>> key run by a human.
>>
>> Paul
>> _______________________________________________
>> The cryptography mailing list
>> cryptography at metzdowd.com
>> http://www.metzdowd.com/mailman/listinfo/cryptography
>
>
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20150915/bf9ed0e4/attachment-0002.sig>
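The check Paul Wouters did by eye in the quoted message (who, other than the key itself and the keyserver directory key, certifies each new key, and do the two announced keys certify each other) can be automated over the text of `gpg --list-sigs`. The script below is an added example for this archive page, not code from the thread or from any of its participants. The first sample listing is reconstructed from the output quoted above (with the archive's "at" obfuscation undone); the second sample, the `KEYSERVER_DIRECTORY_KEYS` set and every key ID in it other than CA57AD7C are constructed assumptions used only to show the positive path.

```python
"""Triage certifications on freshly announced OpenPGP keys.

Parses classic `gpg --list-sigs` output (GnuPG 1.x / 2.0 column layout, as
quoted in the thread) and reports, per primary key, which signers other than
the key itself certify its user IDs, whether the only third-party signer is a
keyserver directory key, and which keys in the listing certify each other.
Subkey binding signatures (the `sig` lines after a `sub` line) are ignored:
they are made by the primary key and say nothing about identity.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed from the listing quoted on the page; not live gpg output.
SAMPLE_LISTING = """\
pub   4096R/D87D436C 2015-09-15
uid                  John Young 15-0915 <jya@pipeline.com>
sig      N   D87D436C 2015-09-15  John Young 15-0915 <jya@pipeline.com>
sig          CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/79F82F3B 2015-09-15
sig          D87D436C 2015-09-15  John Young 15-0915 <jya@pipeline.com>

pub   4096R/8CD47BD5 2015-09-15
uid                  Cryptome 15-0915 <cryptome@earthlink.net>
sig      N   8CD47BD5 2015-09-15  Cryptome 15-0915 <cryptome@earthlink.net>
sig          CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/27BCF5FB 2015-09-15
sig          8CD47BD5 2015-09-15  Cryptome 15-0915 <cryptome@earthlink.net>
"""

# Constructed counter-example (not on the page): two keys that certify each
# other, one of them also certified by a hypothetical third key.
CONSTRUCTED_GOOD = """\
pub   4096R/AAAAAAAA 2015-09-15
uid                  Alice Example <alice@example.invalid>
sig      N   AAAAAAAA 2015-09-15  Alice Example <alice@example.invalid>
sig          BBBBBBBB 2015-09-15  Bob Example <bob@example.invalid>
sig   3      0123456789ABCDEF 2015-09-15  Carol Example <carol@example.invalid>
sub   4096R/CCCCCCCC 2015-09-15
sig          AAAAAAAA 2015-09-15  Alice Example <alice@example.invalid>

pub   4096R/BBBBBBBB 2015-09-15
uid                  Bob Example <bob@example.invalid>
sig      N   BBBBBBBB 2015-09-15  Bob Example <bob@example.invalid>
sig          AAAAAAAA 2015-09-15  Alice Example <alice@example.invalid>
"""

# Assumption: keys whose signature only attests "this passed through a
# keyserver", not identity. CA57AD7C is the PGP Global Directory key that
# Paul fetched; add others for your own environment.
KEYSERVER_DIRECTORY_KEYS = {"CA57AD7C"}

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})\s")
# Optional flag/cert-level column (N, R, X, 1-3, ...) then signer key ID and date.
SIG_RE = re.compile(r"^sig\s+(?:[0-9A-Z]{1,4}\s+)?([0-9A-Fa-f]{8,16})\s+\d{4}-\d{2}-\d{2}")


@dataclass
class KeyReport:
    keyid: str
    uids: list[str] = field(default_factory=list)
    uid_signers: set[str] = field(default_factory=set)  # certifiers, self excluded


def same_key(a: str, b: str) -> bool:
    # Match on the low 32 bits so short and long IDs from one listing compare;
    # this only resolves self-signatures, it does not make short IDs trustworthy.
    return a[-8:].upper() == b[-8:].upper()


def parse_list_sigs(text: str) -> dict[str, KeyReport]:
    keys: dict[str, KeyReport] = {}
    current: KeyReport | None = None
    in_subkey = False
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = KeyReport(m.group(1).upper())
            keys[current.keyid] = current
            in_subkey = False
            continue
        if current is None:
            continue
        if line.startswith("uid"):
            current.uids.append(line[3:].strip())
            in_subkey = False
        elif line.startswith("sub"):
            in_subkey = True
        elif (m := SIG_RE.match(line)) and not in_subkey:
            signer = m.group(1).upper()
            if not same_key(signer, current.keyid):  # self-sigs prove nothing
                current.uid_signers.add(signer)
    return keys


def human_certifiers(rep: KeyReport, directory_keys=KEYSERVER_DIRECTORY_KEYS) -> set[str]:
    """Signers that are neither the key itself nor a keyserver directory key."""
    return {s for s in rep.uid_signers if s[-8:] not in directory_keys}


def cross_signed(keys: dict[str, KeyReport]) -> set[tuple[str, str]]:
    """Pairs (a, b): key a certifies a user ID of key b."""
    return {(a, b) for a in keys for b in keys
            if a != b and any(same_key(a, s) for s in keys[b].uid_signers)}


def triage(text: str, directory_keys=KEYSERVER_DIRECTORY_KEYS):
    keys = parse_list_sigs(text)
    findings = {}
    for kid, rep in keys.items():
        humans = human_certifiers(rep, directory_keys)
        findings[kid] = {
            "third_party_certifiers": sorted(humans),
            "only_keyserver_attestation": bool(rep.uid_signers) and not humans,
        }
    return findings, cross_signed(keys)


if __name__ == "__main__":
    for label, listing in (("announced keys", SAMPLE_LISTING), ("constructed", CONSTRUCTED_GOOD)):
        findings, pairs = triage(listing)
        print(label, findings, "cross-signed:", sorted(pairs))
```

Run against the quoted listing, both keys come back with no third-party certifiers once CA57AD7C is discounted and an empty cross-signing set, which is exactly the gap Paul pointed out: nothing ties either new key to a human a verifier already trusts. Whether the old, revoked keys had certified the new ones is a further check the script can do once you add the old key IDs to the listing, with the caveat from the thread that a thief of the old keys could have made those certifications too.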
