Hi everyone,
In September last year I discovered a fake key for my torproject.org email address[1]. Today I discovered another one:
pub   2048R/C458C590 2014-02-13 [expires: 2018-02-13]
      Key fingerprint = 106D 9243 7726 CD80 6A14 0F37 B00C 48E2 C458 C590
uid                  Erinn Clark <erinn@torproject.org>
sub   2048R/D16B3DB6 2014-02-13 [expires: 2018-02-13]
To reiterate what I said last time this happened:
1. That is NOT MY KEY. Do not under any circumstances trust anything that may have ever been signed or encrypted with this key. I looked around and was unable to find anything, but nonetheless, it is out there and that is creepy.
2. If anyone on any of these lists has encountered this key anywhere -- the main fear being that it has been used to fraudulently sign packages of some kind -- can you please let me/us know ASAP?
Tor Project official signatures are listed here: https://www.torproject.org/docs/signing-keys.html.en
Consider that the canonical source for all signatures! Be suspicious of anything not listed there and let us know if you ever find anything.
I want to note here that last year I created a new key which also belongs to me and I just haven't switched to yet. I am not signing any Tor packages whatsoever with this key, but it does belong to me and has several signatures from people I've met in person, some of whom also signed my old/current (63FEE659) key:
pub   4096R/91FCD12F 2013-09-21
      Key fingerprint = 724B 96C1 997A E999 F0C0 0F8A F8F4 9DD8 91FC D12F
uid                  Erinn Clark <erinn@torproject.org>
uid                  Erinn Clark <erinn@double-helix.org>
uid                  Erinn Clark <erinn@debian.org>
sub   4096R/1B749632 2013-09-21
With declining trust in the web of trust, Erinn
[1] https://lists.torproject.org/pipermail/tor-talk/2013-September/029752.html
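The practical lesson of the mail above is that a key's user ID ("Erinn Clark <erinn@torproject.org>") proves nothing, since anyone can generate a key with it; only the full fingerprint, compared against a list you obtained out of band (such as the signing-keys page linked above), tells the two keys apart. The following is an added example, not code from the mail or from the Tor Project: it parses the machine-readable output of `gpg --with-colons --fingerprint --list-keys` and audits every primary key against a pinned fingerprint list. The gpg listing embedded here is constructed from the two keys quoted in the mail (the subkey fingerprints, uid hashes and trust fields are placeholders, since the mail only gives short subkey IDs), and the pinned list is likewise constructed, containing just the 91FCD12F key the mail says is genuine; in real use you would fill it from the official signing-keys page.

```python
"""Audit gpg keys against a pinned list of full fingerprints.

Added example: parses `gpg --with-colons --fingerprint --list-keys` output and
flags any primary key whose fingerprint is not on an out-of-band allowlist.
"""
import re

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output for
# the fake C458C590 key and the genuine 91FCD12F key quoted in the mail.
# Subkey fingerprints, uid hashes and dates are placeholders, not captured output.
SAMPLE_GPG_OUTPUT = """\
pub:-:2048:1:B00C48E2C458C590:2014-02-13:2018-02-13::-:::scESC::::::23::0:
fpr:::::::::106D92437726CD806A140F37B00C48E2C458C590:
uid:-::::2014-02-13::0000000000000000000000000000000000000000::Erinn Clark <erinn@torproject.org>::::::::::0:
sub:-:2048:1:00000000D16B3DB6:2014-02-13:2018-02-13:::::e::::::23:
fpr:::::::::00000000000000000000000000000000D16B3DB6:
pub:f:4096:1:F8F49DD891FCD12F:2013-09-21:::-:::scESC::::::23::0:
fpr:::::::::724B96C1997AE999F0C00F8AF8F49DD891FCD12F:
uid:f::::2013-09-21::1111111111111111111111111111111111111111::Erinn Clark <erinn@torproject.org>::::::::::0:
uid:f::::2013-09-21::2222222222222222222222222222222222222222::Erinn Clark <erinn@double-helix.org>::::::::::0:
uid:f::::2013-09-21::3333333333333333333333333333333333333333::Erinn Clark <erinn@debian.org>::::::::::0:
sub:f:4096:1:000000001B749632:2013-09-21::::::e::::::23:
fpr:::::::::000000000000000000000000000000001B749632:
"""

# Constructed allowlist (assumption): only the key the mail says belongs to Erinn.
# A real deployment would take these from the signing-keys page, not from e-mail.
PINNED_FINGERPRINTS = [
    "724B 96C1 997A E999 F0C0 0F8A F8F4 9DD8 91FC D12F",
]


def normalize_fingerprint(fpr):
    """Strip the display grouping ('106D 9243 ...') and uppercase, so that a
    fingerprint copied from a web page compares equal to gpg's raw form."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_colon_listing(text):
    """Parse gpg's --with-colons records into a list of primary keys.

    Record fields (1-indexed in gpg's DETAILS document): field 5 of 'pub'/'sub'
    is the long key ID, field 10 of 'fpr' is the fingerprint, field 10 of 'uid'
    is the user ID. An 'fpr' record belongs to the most recent 'pub' or 'sub'.
    """
    keys = []
    current = None
    in_subkey = False
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {"keyid": fields[4], "fingerprint": None, "uids": [], "subkeys": []}
            keys.append(current)
            in_subkey = False
        elif current is None:
            continue  # records before the first 'pub' (e.g. 'tru') are irrelevant
        elif rtype == "sub":
            current["subkeys"].append({"keyid": fields[4], "fingerprint": None})
            in_subkey = True
        elif rtype == "fpr":
            if in_subkey:
                current["subkeys"][-1]["fingerprint"] = fields[9]
            else:
                current["fingerprint"] = fields[9]
        elif rtype == "uid":
            current["uids"].append(fields[9])
    return keys


def audit_keys(listing, pinned_fingerprints):
    """Return one verdict per primary key: trusted only if its full fingerprint
    is on the pinned list. Neither the uid nor the 8-hex-digit short ID is used
    for the decision; both are kept only so the report can show why they are
    insufficient."""
    pinned = {normalize_fingerprint(f) for f in pinned_fingerprints}
    results = []
    for key in parse_colon_listing(listing):
        fpr = normalize_fingerprint(key["fingerprint"] or "")
        results.append({
            "keyid": key["keyid"],
            "short_id": key["keyid"][-8:],
            "fingerprint": fpr,
            "uids": key["uids"],
            "trusted": fpr in pinned,
        })
    return results


def keys_claiming(results, email):
    """All keys whose user IDs mention the given address; with the sample data
    this returns both the fake and the genuine key, which is the whole point."""
    return [r for r in results if any(email in uid for uid in r["uids"])]


if __name__ == "__main__":
    verdicts = audit_keys(SAMPLE_GPG_OUTPUT, PINNED_FINGERPRINTS)
    for v in verdicts:
        status = "PINNED" if v["trusted"] else "UNKNOWN - do not trust"
        print(f"{v['short_id']}  {v['fingerprint']}  {status}")
        for uid in v["uids"]:
            print(f"          uid: {uid}")
    claimants = keys_claiming(verdicts, "erinn@torproject.org")
    print(f"{len(claimants)} keys claim erinn@torproject.org; "
          f"{sum(1 for c in claimants if c['trusted'])} of them pinned")
```

To run it against a real keyring, replace SAMPLE_GPG_OUTPUT with the output of `gpg --with-colons --fingerprint --list-keys` and fill PINNED_FINGERPRINTS from the signing-keys page fetched over a channel you trust. The check deliberately ignores the key's trust field and signatures: a forged key can carry any number of signatures from other unknown keys, and a short ID such as C458C590 is only 32 bits, so matching on anything less than the full fingerprint reintroduces exactly the ambiguity the mail warns about.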