IP: Microsoft's pgp keys don't verify

[David Farber <dave () farber net>]

> X-Nil:
> Date: Thu, 26 Jul 2001 15:33:10 -0400
> To: Dave  Farber <farber () cis upenn edu>
> From: Brian McWilliams <brian () pc-radio com>
> Subject: Microsoft's pgp keys don't verify
>
> FYI ...
>
> Microsoft Bulletins Fail PGP Verification
> http://www.newsbytes.com/news/01/168397.html
>
> For at least four months, Microsoft has been sending out security 
> bulletins which fail a popular e-mail authentication system. As a result, 
> the company could be opening the door to counterfeit bulletins from 
> malicious hackers.
>
> To protect against forgery, Microsoft's security response center digitally 
> signs its bulletins with PGP before e-mailing them to subscribers of its 
> security notification service. But since at least March, if recipients 
> attempt to verify the messages' authenticity, PGP will issue a warning 
> that the bulletins contain an invalid signature.
>
> "The problem is that Microsoft's bulletins effectively look as if they're 
> forged. And telling a Microsoft forgery from someone else's is virtually 
> impossible," said Paul Murphy, head of information technology at Gemini 
> Genomics, a genetic research firm in Cambridge, England.
>
> [snip]



For archives see: http://www.interesting-people.org/