[tor-project] Problems fetching Debian package archive signing key (0xEE8CBC9E886DDD89)

Jonathan Marquardt mail at parckwart.de
Fri Feb 1 12:08:03 UTC 2019


I took a closer look at the key that broke the Tor key with its signature:

pub   rsa4096/4F3F50786C401DCE 2015-10-04 [SC]
uid                           Richie <ryetschye at web.de>
uid                           Richie <ryetschye at posteo.ru>
uid                           Richie <ryetschye at ironcomputing.de>
uid                           Richie (IRONCOMPUTING) <richie at ironcomputing.de>
uid                           Richie (IRONCOMPUTING) <richie at irconcomputing.de>
uid                           Richie <richard.gottschalk at stud.uni-regensburg.de>
uid                           Richie (IronComputing KG) <richie at ironcomputing.de>
uid                           Do not use SKS keyserver sites (no validity checks) <@>
uid                           Do not use SKS keyserver sites (no validity checks) <https://bitbucket.org/skskeyserver/sks-keyserver/issues/41>

Apparently, someone wants to turn people's attention to this ticket:


Although the more appropriate ticket to link to in this case would be this one:


The problem is basically that anyone can dump a whole bunch of data into the 
UID field of their key and upload it, which overloads both the keyservers and 
the PGP clients. I've already sent a mail to Kristian Fiskerstrand (the 
developer of SKS keyserver), explaining the problem.
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
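
An added example, not part of the original message and not code from Tor, GnuPG or SKS: a minimal Python parser for a binary OpenPGP packet stream (RFC 4880 packet headers) that reports User ID packets above a size limit, the condition the message above describes. The 256-byte limit, the function names and the sample key bytes are assumptions constructed for illustration.

```python
import struct

TAG_USER_ID = 13          # User ID packet tag, RFC 4880 section 5.11
MAX_UID_BYTES = 256       # assumed local policy limit, not taken from the message

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                      # new-format header
            tag = first & 0x3F
            o1 = data[pos]
            if o1 < 192:                      # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                    # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                   # five-octet length
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def oversized_uids(data, limit=MAX_UID_BYTES):
    """Return (uid_index, size) for each User ID packet larger than limit."""
    uids = [body for tag, body in iter_packets(data) if tag == TAG_USER_ID]
    return [(i, len(b)) for i, b in enumerate(uids) if len(b) > limit]

def _new_packet(tag, body):
    # Constructed-sample helper: new-format packet with a five-octet length.
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", len(body)) + body

# Constructed sample: dummy key packet, one normal UID, one bloated UID.
SAMPLE = (bytes([0x98, 4]) + b"\x04KEY"                    # old-format tag 6
          + bytes([0xB4, 21]) + b"Alice <a@example.org>"   # old-format tag 13
          + _new_packet(TAG_USER_ID, b"A" * 5000))
```

Running `oversized_uids` on a dearmored key before importing it shows which User ID packets exceed the chosen limit; the signature packets that follow each UID can be counted the same way through `iter_packets`.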