[tor-dev] Fraudulent PGP key with my email address (CEE1590D)

Bry8 Star bry8star at inventati.org
Mon Sep 2 03:01:04 UTC 2013

Please, pls, pls, consider declaring/sharing your email address and
GPG/PGP FPR, and also declaring/showing/sharing the full code of the GPG pubkey,
etc. (in various forms) in DNS RRs like "CERT PGP"; then other
users can know for sure what is the real, actual and approved key
component by you.  If users are using a full DNSSEC-supporting
DNS resolver, and if you show a command-line command in docs/FAQ,
users can alternatively verify with greater accuracy by connecting
directly with the TorProject website and know what is the "correct"
PGP/GPG fpr/key.  DNSSEC-authenticated data cannot be falsified,
generally.  I've been requesting to add those for some time now.
Various security-related components should be added and shown/shared
with the public, so that different ways exist for authenticating files,
certificates, etc.  It is as necessary as (and even more necessary than)
declaring your site's SSL/TLS cert (pub) info via a "TLSA" (DANE) DNS
record, so that DANE-aware apps can connect to the actual site and can also
indicate falsification(s).  If you declare/share both TLSA and
various CERT PGP records, then a "full" size code declaration in DNS
may not be necessary.  But when multiple proxies are used in a
connection, then a full code declaration is better.  The TorProject.org
domain name is already DNSSEC signed, so now you need to add TLSA
and CERT PGP DNS records.

-- Bright Star.
bry 8 st ar a. at t. in ven ta ti d.o.t. or g:
bry 8 st ar a. at t. ya hoo d.o.t. c om:

Cert(PKIX), PGP in DNS : https://tools.ietf.org/html/rfc4398
DANE:TLSA (DNSSEC) : https://tools.ietf.org/html/rfc6698
fpr = fingerprint.
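The two RFC 4398 record shapes the message is asking for are PGP (type 3, the whole key in the rdata) and IPGP (type 6, a fingerprint plus a URL where the key can be fetched). The following is an added example, not code from the thread or from the Tor Project: it builds both rdata forms, computes an OpenPGP v4 fingerprint the way RFC 4880 defines it, and shows the client-side check a user would make, accepting a key only when the resolver validated the record (DNSSEC AD bit) and the fingerprint of the key in hand equals the published one. The RSA key packet uses a made-up 64-bit modulus, and the domain and URL are placeholders, so it runs offline; nothing in it queries DNS.

```python
"""Encode and check RFC 4398 CERT records carrying OpenPGP key material.

Added example (not from the original thread). Everything here is constructed
offline: the OpenPGP key packet is a toy RSA key with a made-up modulus, and
the domain name and URL are placeholders. No DNS lookup is performed.
"""
import base64
import hashlib
import hmac
import struct

# RFC 4398 CERT type values used below
CERT_PGP = 3    # full OpenPGP transferable public key in the rdata
CERT_IPGP = 6   # fingerprint + URL where the full key can be fetched


def pgp_v4_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Build an OpenPGP v4 RSA public-key packet body (RFC 4880 section 5.5.2).

    Body = version(4) | creation time (4 bytes) | algo (1 = RSA) | MPI(n) | MPI(e).
    An MPI is a 2-byte bit length followed by the big-endian integer.
    """
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def pgp_v4_fingerprint(body: bytes) -> bytes:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, 2-byte body length, body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def cert_rdata(cert_type: int, data: bytes, key_tag: int = 0, algorithm: int = 0) -> bytes:
    """CERT RR rdata (RFC 4398 section 2): type(2) | key tag(2) | algorithm(1) | certificate.

    PGP/IPGP records carry no DNSSEC algorithm, so key tag and algorithm stay 0.
    """
    return struct.pack(">HHB", cert_type, key_tag, algorithm) + data


def ipgp_payload(fingerprint: bytes, url: str) -> bytes:
    """IPGP certificate field: 1-byte fingerprint length, fingerprint, then URL (RFC 4398 section 3.3)."""
    return bytes([len(fingerprint)]) + fingerprint + url.encode("ascii")


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT rdata back into its fields; decode the IPGP payload when present."""
    cert_type, key_tag, algorithm = struct.unpack(">HHB", rdata[:5])
    payload = rdata[5:]
    out = {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm}
    if cert_type == CERT_IPGP:
        n = payload[0]
        out["fingerprint"] = payload[1:1 + n]
        out["url"] = payload[1 + n:].decode("ascii")
    elif cert_type == CERT_PGP:
        out["key"] = payload
    else:
        out["certificate"] = payload
    return out


def presentation(name: str, rdata: bytes, ttl: int = 3600) -> str:
    """Zone-file form: type, key tag, algorithm, then base64 of the certificate field."""
    cert_type, key_tag, algorithm = struct.unpack(">HHB", rdata[:5])
    return f"{name} {ttl} IN CERT {cert_type} {key_tag} {algorithm} {base64.b64encode(rdata[5:]).decode()}"


def key_matches_dns(received_key_body: bytes, ipgp_rdata: bytes, dnssec_authenticated: bool) -> bool:
    """Accept a key only if the resolver validated the record (AD bit set) and the
    fingerprint of the key we were handed equals the one published in DNS."""
    if not dnssec_authenticated:
        return False
    rec = parse_cert_rdata(ipgp_rdata)
    if rec["type"] != CERT_IPGP:
        return False
    return hmac.compare_digest(pgp_v4_fingerprint(received_key_body), rec["fingerprint"])


# Constructed demo data: toy 64-bit moduli, not real keys. The "impostor" key
# differs from the genuine one in the modulus only, so its fingerprint differs.
GENUINE_KEY = pgp_v4_public_key_packet(0xC3A1F04D2B7E9A11, 65537, 1378080000)
IMPOSTOR_KEY = pgp_v4_public_key_packet(0xC3A1F04D2B7E9A13, 65537, 1378080000)
PUBLISHED = cert_rdata(CERT_IPGP, ipgp_payload(pgp_v4_fingerprint(GENUINE_KEY),
                                               "https://example.org/keys/placeholder.asc"))

if __name__ == "__main__":
    print(presentation("example.org.", PUBLISHED))
    print("genuine :", key_matches_dns(GENUINE_KEY, PUBLISHED, True))
    print("impostor:", key_matches_dns(IMPOSTOR_KEY, PUBLISHED, True))
    print("unsigned:", key_matches_dns(GENUINE_KEY, PUBLISHED, False))
```

The `presentation` output is the line an operator would put in the zone; a user with a validating resolver can fetch it with `dig +dnssec CERT <domain>` and compare the base64 fingerprint against the key they downloaded. The `dnssec_authenticated` flag stands in for the AD bit the resolver returns; without it the record is just unauthenticated data and the check refuses the key, which is the point the message makes about needing a full DNSSEC resolver.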

Received from Erinn Clark, on 2013-09-01 2:36 PM:
> Hello everyone,
> I discovered that there is a key out there (CEE1590D) associated with my Tor
> email address that is NOT me. I don't know who generated it, but I can think of
> many nefarious or incompetent reasons why they might have done it.
> This email is for two purposes:
> 1. To inform you that this is NOT MY KEY. Do not under any circumstances trust
> anything that may have ever been signed or encrypted with this key. I looked
> around and was unable to find anything, but nonetheless, it is out there and
> that is creepy.
> 2. If anyone on any of these lists has encountered this key anywhere -- the
> main fear being that it has been used to fraudulently sign packages of some
> kind -- can you please let me/us know ASAP?
> Tor Project official signatures are listed here: 
> https://www.torproject.org/docs/signing-keys.html.en
> Consider that the canonical source for all signatures! Be suspicious of
> anything not listed there and let us know if you ever find anything.
> Thanks,
> The Real Erinn
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
