[tor-dev] Fraudulent PGP key with my email address (CEE1590D)

Erinn Clark erinn at torproject.org
Sun Sep 1 21:36:26 UTC 2013

Hello everyone,

I discovered that there is a key out there (CEE1590D) associated with my Tor
email address that is NOT me. I don't know who generated it, but I can think of
many nefarious or incompetent reasons why they might have done it.

This email is for two purposes:

1. To inform you that this is NOT MY KEY. Do not under any circumstances trust
anything that may have ever been signed or encrypted with this key. I looked
around and was unable to find anything, but nonetheless, it is out there and
that is creepy.

2. If anyone on any of these lists has encountered this key anywhere -- the
main fear being that it has been used to fraudulently sign packages of some
kind -- can you please let me/us know ASAP?

Tor Project official signatures are listed here: 

Consider that the canonical source for all signatures! Be suspicious of
anything not listed there and let us know if you ever find anything.

The Real Erinn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20130901/df7f419c/attachment.sig>

More information about the tor-dev mailing list