Re: Microsoft Security Bulletin MS01-040

["Paul Murphy" <Paul.Murphy () gemini-genomics com>]

As per MS01-038, this bulletin is signed with a PGP key which does not match the sender, and so does not verify.  The 
key is for "secure () microsoft com", while the sender is "secnotif () microsoft com", and as a result PGP reports:

*** PGP Signature Status: good
*** Signer: Microsoft Security Response Center <secure () microsoft com> (Invalid)
*** Signed: 26/07/2001 02:08:04
*** Verified: 26/07/2001 09:58:00

The reason why the signer is invalid is that their key is signed by an unknown signer (Key ID 0x63303caf). This turns 
out to be for "mscert () microsoft com", and expired on 2/1/01.  Is it too much to ask that they have their key signed 
by Verisign or some other well-known and trusted source, and that the keys in use are within their valid period?

Worse still, the advisory contains the following paragraph:

> To verify the digital signature on this bulletin, please download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.

This page does not exist - it should perhaps be
        http://www.microsoft.com/technet/security/bulletin/notify.asp
Having just had an incident where someone forged a MS advisory, I would think that getting this right is perhaps a 
higher priority than it would appear to Microsoft...

Best Wishes,

Paul.

-----------------------------------------------------------------------------
Paul Murphy - Head of I.T., Gemini Genomics
162 Science Park, Cambridge CB4 0GH
Tel. 01223 435305 Fax. 01223 435301
http://www.gemini-genomics.com/



_______________________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the Gemini I.T helpdesk on : +44 (0) 1223 435333
_______________________________________________________________________