Totally Legit Signing Key?

Chris Angelico rosuav at gmail.com
Mon Mar 4 17:23:14 EST 2019


On Tue, Mar 5, 2019 at 9:06 AM Ben Finney <ben+python at benfinney.id.au> wrote:
>
> Peter Otten <__peter__ at web.de> writes:
>
> > $ gpg --import pubkeys.txt
> > […]
> > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 neue Signaturen
> > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" importiert
> > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> > [...]
> >
> > Now "totally legit" does sound like anything but "totally legit".
>
> Another clue is in the email address for that key: the ‘example.org’
> domain is guaranteed to never resolve to any machine on the internet.

(More or less - that domain DOES resolve (and has an explanatory web
site running on both HTTP and HTTPS), but it's guaranteed never to be
anything more significant than an example.)

Also of note is that the user portion of the address is "Mallory", a
well-known member of the "Alice and Bob" set of names.

https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characters

So I would expect these keys to be used for example malicious messages
or mis-signed content, to test the recognition of legit signatures.

If those keys are included in the pubkeys.txt download, it's minorly
wasteful, but not a major problem.

ChrisA
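A defensive check on an import report like the one quoted above, added here as an example and not part of the thread: in the quoted output the short key ID 487034E5 is reported first for Steve Dower's key and then for the "Totally Legit" user ID, and 32-bit short key IDs are not unique, so the script below groups import lines by key ID and flags IDs shared by different user IDs, as well as user IDs at RFC 2606 reserved example domains. The sample lines are constructed after the quoted gpg output (with `@` restored in the addresses); the message wording is assumed to follow the German/English gpg import report format shown, and the real remedy is to pin keys by full fingerprint (for example from `gpg --with-colons --fingerprint`) rather than by short ID.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the gpg --import output quoted in the thread
# (German locale; each line carries a short 32-bit key ID and the quoted user ID).
SAMPLE_IMPORT_OUTPUT = """\
gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" 8 neue Signaturen
gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz@langa.pl>" importiert
gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory@example.org>" importiert
gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory@example.org>" importiert
"""

# Matches both the German ("Schlüssel") and English ("key") wording of the import report;
# assumption: the key ID is the hex token after that word and the user ID is the quoted string.
LINE_RE = re.compile(r'^gpg: (?:Schlüssel|key) (?P<keyid>[0-9A-F]{8,16}): .*?"(?P<uid>[^"]+)"')

# Domains reserved for documentation (RFC 2606); no real signing key belongs to them.
RESERVED_DOMAINS = ("example.org", "example.com", "example.net", "example.edu")


def parse_import_log(text):
    """Return {key_id: set of user IDs} from gpg --import output."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("keyid")].add(m.group("uid"))
    return dict(seen)


def find_suspicious_keys(text):
    """Flag key IDs shared by different user IDs, and user IDs at reserved example domains."""
    findings = []
    for keyid, uids in parse_import_log(text).items():
        if len(uids) > 1:
            findings.append((keyid, "key ID shared by different user IDs: " + " | ".join(sorted(uids))))
        for uid in uids:
            address = uid.rstrip(">")  # "Name <user@host>" -> "Name <user@host"
            if any(address.endswith("@" + d) for d in RESERVED_DOMAINS):
                findings.append((keyid, "user ID uses a reserved example domain: " + uid))
    return sorted(findings)


if __name__ == "__main__":
    for keyid, reason in find_suspicious_keys(SAMPLE_IMPORT_OUTPUT):
        print(keyid, reason)
```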


