bad keysigning by Geotrust

Atom Smasher atom at
Wed Feb 15 09:06:12 CET 2006

this is what happens when someone signs a key that shouldn't be signed. 
it's based on an x.509 (hierarchical) trust model, not a pgp (distributed) 
trust model, but the consequences are the same: a certification signature 
that should not have been issued was issued. this is basically "mallory" 
collecting a good signature on a fraudulent key.

 	Now here's where it gets really interesting. The phishing site...
 	is protected by a Secure Sockets Layer (SSL) encryption
 	certificate issued by a division of the credit reporting bureau
 	Equifax that is now part of a company called Geotrust.

The New Face of Phishing


  PGP key -
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	A student asked his old Sufi Master if he should tie up
 	his camel for the night, so that it wouldn't wander
 	away while they were sleeping or if doing so was an
 	insult to God. Should he leave the camel untied to
 	show his trust in God that the camel wouldn't run away?
 	The Master replied "Trust God AND tie up your camel."

More information about the Gnupg-users mailing list