On Tue, Oct 31, 2017 at 08:10:45PM -0400, murphy wrote:
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability". This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability. We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications. You can update your
> public key by visiting your Security and Login settings. To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution. We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home. Does anyone know what this may
> be about?

Some versions of the YubiKey 4 were affected by the ROCA vulnerability,
which caused weak keys to be generated.

https://www.yubico.com/support/security-advisories/ysa-2017-01/
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

I would say that is what the email is about.

Cheers,
Fraser
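Added illustration, not part of Fraser's reply or the thread: the ROCA fingerprint check described in the linked CCS'17 paper, which lets a key owner test an RSA modulus for the weak structure without attempting to factor it. Affected keys have primes of the form k*M + (65537^a mod M) for a primorial M, so N mod p must lie in the subgroup generated by 65537 for every prime p dividing M; the positive sample below is constructed to have that structure and is not a real key, and the control value is an arbitrary odd integer.

```python
import math

G = 65537  # public exponent the affected RSALib used as the generator


def first_primes(count):
    """Trial-division list of the first `count` primes (2, 3, 5, ...)."""
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


# The 39 primes up to 167 form the primorial M behind 512-bit RSALib keys;
# the larger primorials used for bigger keys contain these same primes.
ROCA_PRIMES = first_primes(39)


def subgroup_of_generator(p):
    """Residues {G^j mod p}: the only values a ROCA-structured modulus can take mod p."""
    g, seen, x = G % p, set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen


def fingerprint_failures(n):
    """Primes p in M for which n mod p lies outside <G>; empty means the fingerprint matches."""
    return [p for p in ROCA_PRIMES if n % p not in subgroup_of_generator(p)]


def is_roca_fingerprinted(n):
    """True if n has the ROCA structure; an unrelated modulus matches only by negligible chance."""
    return not fingerprint_failures(n)


def constructed_roca_like_modulus():
    """N = p*q with p, q = k*M + (G^a mod M). Constructed only to exercise the detector:
    the factors are not checked for primality and this is not a real key."""
    M = math.prod(ROCA_PRIMES)
    p = 12345 * M + pow(G, 101, M)
    q = 67890 * M + pow(G, 202, M)
    return p * q


# Constructed negative control: an arbitrary odd integer, not a real key.
NON_ROCA_SAMPLE = 2**1023 + 3

if __name__ == "__main__":
    print("constructed ROCA-style N:", is_roca_fingerprinted(constructed_roca_like_modulus()))
    print("control N:", is_roca_fingerprinted(NON_ROCA_SAMPLE), fingerprint_failures(NON_ROCA_SAMPLE)[:3])
```

The paper's authors publish roca-detect, which runs the same fingerprint directly over PGP, SSH and X.509 key files; this standalone version only shows the arithmetic behind it.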
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users