GnuPG public key vulnerability?
murphy
mac3iii at gmail.com
Wed Nov 1 01:10:45 CET 2017
I got a signed notification from facebook (good signature, enigmail)
that claims my GnuPG generated public key has a "recently disclosed
vulnerability". This is the full text:
We have detected that the OpenPGP key on your Facebook profile may be
susceptible to attacks due to a recently disclosed vulnerability. We
recommend that you revoke and replace your public key immediately to
minimize the risk to your encrypted communications. You can update your
public key by visiting your Security and Login settings. To help reduce
the risk of your key being attacked, we have set the privacy of your
potentially vulnerable public key on your profile to "Only Me" to limit
further distribution. We will continue to encrypt your notification
emails using this OpenPGP public key.
This is doubly weird since the private/public key was generated on a
Yubikey-4 nano and it is safe at home. Does anyone know what this may
be about?
Facebook public key (it is valid, see:
https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/):
pub rsa4096 2015-05-17 [SC] [expires: 2018-05-17]
31A70953D8D590BA1FAB37762F3898CEDEE958CF
uid [ full ] Facebook, Inc.
sub rsa4096 2017-07-24 [S] [expires: 2018-02-19]
My public key is uploaded to keyservers and is:
pub rsa4096 2016-10-17 [SC] [expires: 2018-10-17]
D89A29A3E1DA59DFBF516EA73E450D1BCF78C26B
uid [ultimate] orange
uid [ultimate] Murphy Chesney (facebook communication)
<mac3iii at gmail.com>
sub rsa4096 2016-10-17 [A] [expires: 2018-10-17]
sub rsa2048 2016-10-17 [E] [expires: 2018-10-17]
Murphy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171031/c50886ed/attachment.sig>
More information about the Gnupg-users
mailing list