Date: Sat, 22 Mar 2014 14:21:53 -0400
From: Peter Todd
To: Mike Hearn
Message-ID: <20140322182153.GC21728@savin>
Cc: Bitcoin Dev
Subject: Re: [Bitcoin-development] Fake PGP key for Gavin

On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
>
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.

Note that Bitcoin source and binary downloads are protected by both the
PGP WoT and the certificate authority PKI system. The binaries are hosted
on bitcoin.org, which is https and protected by the PKI system, and the
source code is hosted on github, again, https protected. A MITM attack
would need to compromise the PKI system as well, at least provided users
aren't fooled into downloading over http.

-- 
'peter'[:-1]@petertodd.org
0000000000000000657de91df7a64d25adfd3ff117bc30d00f5aa3065894f4a5
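
Added example, not part of the original message and not code from any Bitcoin project: checking "the right key", as the quoted text asks, means comparing the full fingerprint gpg reports for a signature against one obtained out of band, because an impostor key can carry any name. The fingerprints, user ID and function names below are constructed placeholders; the check reads the machine-readable lines gpg prints with --status-fd.

```sh
#!/bin/sh
# Added example: accept a detached gpg signature only when the signing key's
# primary fingerprint equals one pinned out of band. Names and sample values
# below are constructed for illustration.

# Constructed placeholder, NOT a real key: replace with the full fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed gpg --status-fd output. Both samples carry the same user ID,
# which the key's creator chooses freely; only the fingerprint differs.
SAMPLE_GENUINE="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $PINNED_FPR 2014-03-22 1395512513 0 4 0 1 8 00 $PINNED_FPR"
IMPOSTOR_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_IMPOSTOR="[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $IMPOSTOR_FPR 2014-03-22 1395512513 0 4 0 1 8 00 $IMPOSTOR_FPR"

# Strip spaces (fingerprints are often pasted in groups) and uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# signer_matches PINNED: reads status lines on stdin.
# 0 = valid signature from the pinned key, 1 = anything else,
# 2 = the pin itself is not a full 40-hex fingerprint (short IDs can collide).
signer_matches() {
    want=$(normalize_fpr "$1")
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 is the signing (sub)key.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIGFILE DATAFILE: run gpg and apply the check above.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        signer_matches "$PINNED_FPR"
}
```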