New db.debian.org address
I've just put up firstname.lastname@example.org which is an automated daemon for
re-creating lost passwords. You must send a PGP signed message with the
phrase 'Please change my debian password' (case sensitive). It will email
you back a PGP/GPG encrypted message containing your new password.
Right now it does not actually effect a change of password, it only goes
through the motions of generating and encrypting.
I use this incantation for testing:
echo "Please change my Debian password" | gpg --clearsign | mail email@example.com
Now, like the ping address this one also has replay protection, signature
expiration and all that other good stuff. It also requires that the
message start with the phrase I have given above, this should be ample to
protect against forgeries. Final version will also CC: the @debian.org
address of the account.
One thing to note is that the Daemon senses if the message was
signed with PGP2 or 'something else'. If PGP2 is detected it enters a
special PGP2 compatibility mode. Otherwise is encrypts using the OpenPGP
spec (GPG and PGP5). Encryption in this mode does not use IDEA or the
PGP2.x packet format.
Please send a few messages to it and see if you can read the results, let
me know of any problems!