Am I confused, or does this same problem apply to the key on CERT advisory CA-2001-21?

*** PGP Signature Status: good
*** Signer: CERT Coordination Center <certat_private> (Invalid)
*** Signed: 7/24/2001 8:43:46 PM
*** Verified: 7/26/2001 12:54:13 PM

One of the keys used to sign the key used for this advisory was key ID 0x6A9591D0, also for "certat_private", which expired 9/30/2000.

Ben Dehner
Valmont Industries

-----Original Message-----
From: Paul Murphy [mailto:Paul.Murphy@gemini-genomics.com]
Sent: Thursday, July 26, 2001 4:15 AM
To: bugtraqat_private
Subject: Re: Microsoft Security Bulletin MS01-040

As per MS01-038, this bulletin is signed with a PGP key which does not match the sender, and so does not verify. The key is for "secureat_private", while the sender is "secnotifat_private", and as a result PGP reports:

*** PGP Signature Status: good
*** Signer: Microsoft Security Response Center <secureat_private> (Invalid)
*** Signed: 26/07/2001 02:08:04
*** Verified: 26/07/2001 09:58:00

The reason why the signer is invalid is that their key is signed by an unknown signer (Key ID 0x63303caf). This turns out to be for "mscertat_private", and expired on 2/1/01.

Is it too much to ask that they have their key signed by Verisign or some other well-known and trusted source, and that the keys in use are within their valid period?
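Added example, not part of either message above: a short Python check that treats the three things this thread distinguishes (the signature verifying, the signing key being valid on the local keyring, and the signer address matching the sender) as separate conditions. The sample block, the example.com addresses and the function names are constructed for illustration, and reading a missing "(Invalid)" marker as a valid key is an assumption.

```python
import re
from email.utils import parseaddr

# Constructed sample laid out like the status blocks quoted in the thread.
# Names and example.com addresses are placeholders, not values from the posts.
SAMPLE = """\
*** PGP Signature Status: good
*** Signer: Example Response Center <secure@example.com> (Invalid)
*** Signed: 26/07/2001 02:08:04
*** Verified: 26/07/2001 09:58:00
"""

FIELD = re.compile(r"^\*\*\* ([^:]+): (.*)$", re.M)
SIGNER = re.compile(r"^.*?<(?P<addr>[^>]+)>\s*(?:\((?P<validity>[^)]+)\))?$")


def parse_status(block):
    """Extract signature status, signer address and key validity marker."""
    fields = {k.strip().lower(): v.strip() for k, v in FIELD.findall(block)}
    m = SIGNER.match(fields.get("signer", ""))
    return {
        "status": fields.get("pgp signature status", "").lower(),
        "signer_addr": m.group("addr").lower() if m else None,
        # Assumption: no "(...)" marker after the signer means a valid key.
        "validity": (m.group("validity") or "valid").lower() if m else "unknown",
    }


def assess(block, from_header):
    """Return the reasons a signed message should not be trusted as-is."""
    s = parse_status(block)
    sender = parseaddr(from_header)[1].lower()
    problems = []
    if s["status"] != "good":
        problems.append("signature does not verify")
    if s["validity"] != "valid":
        # The math checks out, but no trusted key vouches for the signer.
        problems.append("signing key is not valid on this keyring")
    if s["signer_addr"] != sender:
        problems.append("signer address differs from sender")
    return problems


if __name__ == "__main__":
    for reason in assess(SAMPLE, "Example Notifications <secnotif@example.com>"):
        print("REJECT:", reason)
```

A "good" status alone therefore yields two rejections here, which is the situation both posters describe.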