Security-officer PGP Key?
Dave Tweten
tweten at nas.nasa.gov
Tue Aug 5 19:18:05 UTC 2003
When did the PGP key for security-officer at freebsd change (if it did)? If
it has changed, why isn't the new one in the FreeBSD Handbook? If it
hasn't changed, the security-advisories list seems to have sent out a hoax.

I just received a PGP signed message, supposedly from
security-officer at freebsd.org, for which I did not have the matching public
key. Reflexively, I fetched it, and then began looking into it with an
eye toward signing it so PGP would no longer call it "untrusted."

To my shock, I found I had two public keys for security-officer, one
vintage 4/22/1996,

    Fingerprint16 = 41 08 4E BB DB 41 60 71 F9 E5 0E 98 73 AF 3F 11

and the one I had just fetched, dated 8/27/2002

    Fingerprint20(DSS) = C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2
    Fingerprint20(DH) = 1B5B B2D7 767A 3EC7 550F 7B86 E8C9 6EEF A307 1809

My next step was to check the list of valid keys at the back of the
FreeBSD Handbook. Further shock. It lists the 4/22/1996 key and not the
more recent one just downloaded. I immediately deleted the more recent
key, and drafted this message.

So, is the most recent announcement on the security-advisories list a
hoax? If not, why isn't the public key used to sign it listed in the
FreeBSD Handbook?

--
M/S 258-5 |1024-bit PGP fingerprint:|tweten at nas.nasa.gov
NASA Ames Research Center | 41 B0 89 0A 8F 94 6C 59| (650) 604-4416
Moffett Field, CA 94035-1000| 7C 80 10 20 25 C7 2F E6|FAX: (650) 604-4377
Not an official NASA position. You can't even be certain who sent this!
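
An added example, not part of the original message: the check the post describes (compare a freshly fetched key against a fingerprint published out of band before signing or trusting it), written as a small Python script. It assumes the fetched key is listed in GnuPG's colon-delimited format (`gpg --with-colons --fingerprint`); the sample listing is constructed from the fingerprints quoted in the post, and the function names are hypothetical.

```python
import re

# Fingerprint obtained out of band; here, the one the post says the Handbook lists.
PINNED = {"41 08 4E BB DB 41 60 71 F9 E5 0E 98 73 AF 3F 11"}

# Constructed sample in colon-listing layout, trimmed to the fields used below.
# The fingerprints are the two the post quotes for the fetched 2002 key.
SAMPLE_LISTING = """\
pub:-:1024:17:15D68804CA6CDFB2:::::::
fpr:::::::::C3740FC569A6FBB14AEDB13115D68804CA6CDFB2:
sub:-:1024:16:E8C96EEFA3071809:::::::
fpr:::::::::1B5BB2D7767A3EC7550F7B86E8C96EEFA3071809:
"""


def normalize(fpr):
    """Drop spacing and case so printed and machine forms compare equal.

    Accepts 32 hex digits (16-byte fingerprint, as on the 1996 key) or
    40 hex digits (20-byte fingerprint, as on the 2002 key).
    """
    digits = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{32}|[0-9A-F]{40}", digits):
        raise ValueError("not a 16- or 20-byte fingerprint: %r" % fpr)
    return digits


def primary_fingerprints(listing):
    """Return fingerprints of primary keys only.

    An 'fpr' record describes the most recent 'pub' or 'sub' record; the
    subkey fingerprint is skipped because the published fingerprint
    identifies the primary key.
    """
    found, owner = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9 and owner == "pub":
            found.append(normalize(fields[9]))
    return found


def check(listing, pinned):
    """Map each primary fingerprint in the listing to True if it is pinned."""
    pins = {normalize(p) for p in pinned}
    return {fpr: fpr in pins for fpr in primary_fingerprints(listing)}


if __name__ == "__main__":
    for fpr, ok in check(SAMPLE_LISTING, PINNED).items():
        print(fpr, "matches pinned fingerprint" if ok else "NOT in pinned set")
```

With the values from the post, the fetched key is reported as not pinned, which is the situation the message describes: the key stays unsigned until its fingerprint is confirmed through a separate channel.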