28 Jun
2019
28 Jun
'19
7:44 p.m.
Short update: I was just told that a similar problem has actually occurred with TPO infrastructure, back in February: https://lists.torproject.org/pipermail/tor-project/2019-February/002194.html The affected key, at that time, was the deb.torproject.org signing key, which was signed by a key with a large UID. It's a different attack, but that can be mitigated in similar ways. The good key is still available here: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88... ... where signatures are also provided so that you do not have to use the key from the keyservers. The key is also available on keys.openpgp.org. A. -- Antoine Beaupré torproject.org system administration