Hector Martin

The message itself decrypted properly, but just asked for an interview with only the vaguest of hints of what this was about. The message was unsigned. No public key was provided to reply, none existed in the keyservers for this address, nor on their website.

They also sent it to my old 1024-bit ELG public key, which by then was superseded and obsoleted, and I was using a new 4096-bit RSA key which had been published to the keyservers and my website in 2011.

So I had no way to send an encrypted reply, and no way to verify that the message really came from them (in particular, given the horrible SMTP server config, this is literally indistinguishable from a spoofed e-mail anyone could send).

So I replied in cleartext, asking for a key, *explicitly* asked for a signed message and a verbatim public key for me to use. They replied in the same style, just with the public key pasted into the encrypted message, but no signature.

So let's recap: 5 year old webmail, 6 year old e-mail server, >2 year old PGP with an arbitrary code exec CVE. The key itself? The userid was "CCN-CERT.PublicKey <CCN-CERT.PublicKey.Depart@CCN.es>", which does not match the sender of the e-mail either.

Not that this was going to go anywhere by now, but I replied with inline PGP, and sent them my phone number to see what their story was. I didn't hear back for two weeks. Apparently they had gone on vacation.

At least they managed to sign their message when they finally replied? Still using attachments though. I figured this wasn't worth wasting any more of my time on by then, didn't reply and never heard back.