-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I, known as Blair Noctis in the Debian project, hereby testify on my lost hardware key:

The hardware key carried 3 subkeys, each with one of S/E/A capabilities, but not the master key. The 3 subkeys are listed below:

pub   ed25519/0xC21D9AD423A39727 2020-12-26 [SCA] [expires: 2026-06-30]
      Key fingerprint = 59D8 4D44 CCD0 E826 47AE DA29 C21D 9AD4 23A3 9727
(...)
sub   ed25519/0x71EBD00F03F1D063 2024-05-22 [A] [revoked: 2025-12-08]
sub   ed25519/0xEC57DECA6F53EFE9 2024-05-22 [S] [revoked: 2025-12-08]
sub   cv25519/0x0F9B9ED4D176E88A 2024-05-22 [E] [revoked: 2025-12-08]

The information on it being lost was first "published" on the debian-private ML, Message-Id: <7360b67e-671c-45ff-946d-00a55dbcb998@debian.org>. Some project member promptly replied that this is a security risk, which should not be taken casually as I first did in that email. Thus, I immediately revoked the 3 subkeys carried on that hardware key, and uploaded the revocations to 3 key servers: keyring.debian.org, keyserver.ubuntu.com, keys.openpgp.org.

This is an embarrassing situation in which, without meeting in person (IOW out-of-band verification), no one else in the project knows if the text above is true. It could well be that "I" am now a hacker who got hold of the hardware key, which actually carries the master key, so this very hacker could sign with it. But to assert that the master key is not lost, this message will be signed with it. Then, I also list some proofs below that I have access to other credentials that should only be accessible to "me".

1. Posting this message on salsa.debian.org asserts that I have the credentials (password and 2FA) of salsa account `ncts`. Either someone forced the password out of my mouth, or forced the master password of my password vault out of my mouth. This is unlikely in a lost hardware key scenario, but still.

2. Taking the Message-Id of the opening email of BTS bug #1124388, which at the time of writing is the latest bug the BTS web archive could give me:

   <87ms2y7nw1.fsf@msgid.hilluzination.de>

   which you could verify here (search for Message-Id): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124388;msg=5

   This serves as a "no earlier than" proof. Then, using one of my SSH keys on Salsa (curl https://salsa.debian.org/ncts.keys):

   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktXFiomqBe6OqanCnO8jRf4CrXB7/YnHZlKo/qx30m Blair Noctis (salsa.debian.org)

   running `echo '<87ms2y7nw1.fsf@msgid.hilluzination.de>' | ssh-keygen -Y sign -n file -f ~/.ssh/salsa` gives this result:

- -----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgiS1cWKiaoF7o6pqcKc7yNF/gKt
cHv9icdmUqj+rHfSYAAAAFZW1haWwAAAAAAAAABnNoYTUxMgAAAFMAAAALc3NoLWVkMjU1
MTkAAABA6yDISWIqyaAjbEBYApUNgI5w248O7bpsYvk/4bI1TB/csLP1IJ479V5XNiAMP7
aADC2jl5YYrV9Hm/mjDYxlAw==
- -----END SSH SIGNATURE-----

   which could be verified by running these commands:

   echo 'ncts@debian.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktXFiomqBe6OqanCnO8jRf4CrXB7/YnHZlKo/qx30m' > allowed_signers.txt
   echo $SIGNATURE_ABOVE > sig.txt
   echo '<87ms2y7nw1.fsf@msgid.hilluzination.de>' | ssh-keygen -Y verify -n email -f allowed_signers.txt -I 'ncts@debian.org' -s sig.txt

   which, if everything goes well, should give something like

   Good "email" signature for ncts@debian.org with ED25519 key SHA256:QA4nU9wHyy6+os+ThOUoCIatxxF1TW8DWHhZFxS2VBY

   This asserts that I have the private key. Salsa admins could verify that this key has been there for quite some months.

3. A copy of this message will be at https://people.debian.org/~ncts/202512-lost-hardware-key-statement.txt, which asserts that I have access to the SSH private key stored in db.debian.org. DSA could verify, from their logs, that this key has been used to log in to DSA machines for quite some months.

4. I could also send an email upon request through the mail-submit.debian.org gateway, the password of which could only be obtained with a valid PGP key.

5. Other creative ways of proof could be considered.

- -- 
Sdrager,
Blair Noctis 🇵🇸
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRZ2E1EzNDoJkeu2inCHZrUI6OXJwUCaVVDKgAKCRDCHZrUI6OX
J6kiAQCbKH7vSDUCFUfuSOJTC86cZkQxc/PrIIu2p0VkBgNrLAEAwuevXvDhRJp9
f0vDEsQw2iJcPt7HKgcgKHvaMdrGeQk=
=4T2d
-----END PGP SIGNATURE-----
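Added example, not part of the signed statement above: a small parser for the SSHSIG blob quoted in point 2 (with the OpenPGP dash-escaping "- " removed, since a clearsigned copy of the block will not be accepted by ssh-keygen as-is). It recovers what `ssh-keygen -Y verify` checks structurally before doing any cryptography: the signer's key embedded in the signature, its SHA256 fingerprint, and the namespace, which must equal the `-n` argument given to verify or verification fails. The published key line is assumed to be the one from https://salsa.debian.org/ncts.keys as quoted in the statement; the Ed25519 signature itself is not verified here and is left to ssh-keygen.

```python
import base64
import hashlib
import struct

# Constructed from the statement above: the point-2 SSH signature with the
# OpenPGP dash-escaping ("- ") removed, and the key line from salsa.debian.org/ncts.keys.
SIG_TEXT = """-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgiS1cWKiaoF7o6pqcKc7yNF/gKt
cHv9icdmUqj+rHfSYAAAAFZW1haWwAAAAAAAAABnNoYTUxMgAAAFMAAAALc3NoLWVkMjU1
MTkAAABA6yDISWIqyaAjbEBYApUNgI5w248O7bpsYvk/4bI1TB/csLP1IJ479V5XNiAMP7
aADC2jl5YYrV9Hm/mjDYxlAw==
-----END SSH SIGNATURE-----"""
SALSA_KEY = ("ssh-ed25519 "
             "AAAAC3NzaC1lZDI1NTE5AAAAIIktXFiomqBe6OqanCnO8jRf4CrXB7/YnHZlKo/qx30m")


def _read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_sshsig(armored):
    """Split an SSHSIG blob (OpenSSH PROTOCOL.sshsig, version 1) into its fields."""
    b64 = "".join(ln for ln in armored.strip().splitlines() if not ln.startswith("-----"))
    blob = base64.b64decode(b64)
    if blob[:6] != b"SSHSIG":
        raise ValueError("missing SSHSIG magic")
    (version,) = struct.unpack_from(">I", blob, 6)
    if version != 1:
        raise ValueError("unsupported SSHSIG version %d" % version)
    off = 10
    pubkey, off = _read_string(blob, off)     # full public key blob of the signer
    namespace, off = _read_string(blob, off)  # must equal the -n given to -Y verify
    _reserved, off = _read_string(blob, off)
    hash_alg, off = _read_string(blob, off)   # hash applied to the signed message
    signature, off = _read_string(blob, off)  # inner string: sig algorithm, then sig bytes
    if off != len(blob):
        raise ValueError("trailing data after signature")
    key_type, _ = _read_string(pubkey, 0)
    sig_alg, _ = _read_string(signature, 0)
    # ssh-keygen reports keys as SHA256:<base64 of sha256(key blob), padding stripped>.
    fp = base64.b64encode(hashlib.sha256(pubkey).digest()).decode().rstrip("=")
    return {"key_type": key_type.decode(), "pubkey": pubkey, "fingerprint": "SHA256:" + fp,
            "namespace": namespace.decode(), "hash_alg": hash_alg.decode(),
            "sig_alg": sig_alg.decode()}


def signer_matches_published_key(armored, key_line):
    """True when the key embedded in the signature is exactly the published key."""
    return parse_sshsig(armored)["pubkey"] == base64.b64decode(key_line.split()[1])
```

Running `parse_sshsig(SIG_TEXT)` on the quoted signature reports the namespace the signer actually used, which is the value to pass as `-n` to ssh-keygen; comparing the returned fingerprint with the one in the expected "Good ... signature" line ties the blob to the published key.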