Adobe recently published their PGP private key by accident. They have now issued a new one. But will they need to re-sign (with their new key) everything that was signed with their old key? As somebody could now sign malicious content with the old key and pretend it was published before the leak date?
5
It wasn’t their code-signing key that they compromised, it was the email key for their product security incident response email address. It’s embarrassing, but it doesn't affect the integrity of their code. In practice, that key is probably not used for nearly all the email that’s handled by that address, because PGP is only used by a tiny fraction of email users.
Mike Scott
- OK, but it does affect the integrity of everything that was signed with the key, doesn’t it? Someone could fake an old security advisory now, couldn’t they? – jl6 Sep 24 '17 at 08:35
- @jl6 It’s the other way around. Since the key has been revoked and its loss has been widely publicised, no one, including Adobe, can prove that a document is authentic merely because it’s been signed with that key. – Mike Scott Sep 24 '17 at 09:29
- Yes. So there’s a whole history of documents from Adobe which can no longer be proven authentic. – jl6 Sep 24 '17 at 10:38
- ...more to the point, anyone with access to the encrypted vulnerability reports that people have previously made to the Adobe Security team can now decrypt them and learn about vulnerabilities (presumably) still in the fixing stage. So it may not impact the integrity of their code, but it might impact knowledge of existing but non-published security vulnerabilities. – gowenfawr Sep 24 '17 at 13:47
- @gowenfawr Yes, if someone has access to emails received by the Adobe incident response team and there’s an email relating to a vulnerability that’s not yet been fixed and it was PGP-encrypted, then that’s a breach. But the combination of those three circumstances is unlikely in practice. – Mike Scott Sep 24 '17 at 16:00