Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:

Oh shit Adobe pic.twitter.com/7rDL3LWVVz — Juho Nurminen (@jupenur) September 22, 2017

Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.

To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. Here's what that extension looks like:

But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.
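As an added illustration (not from the article, and not code from Adobe or Mailvelope), here is the kind of pre-publish check that would have caught the paste described above: it locates ASCII-armored PGP blocks in text about to be posted and refuses anything that contains a private key block or a truncated block. The sample blocks are constructed and are not real keys.

```python
"""Pre-publish check for ASCII-armored PGP material pasted into web content."""
import re

# Armor framing per RFC 4880 section 6.2; the backreference makes the END line match its BEGIN.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+?)-----\r?\n(.*?)-----END PGP \1-----",
    re.DOTALL,
)

def find_armor_blocks(text):
    """Return (block type, body) for every complete armored block, e.g.
    ('PUBLIC KEY BLOCK', ...), ('PRIVATE KEY BLOCK', ...), ('MESSAGE', ...)."""
    return [(m.group(1), m.group(2)) for m in ARMOR_RE.finditer(text)]

def check_for_publication(text):
    """Classify pasted text. Returns (ok, reasons).

    ok is False when a private key block is present or when BEGIN and END
    lines do not pair up (a truncated or mangled paste)."""
    reasons = []
    for kind, _body in find_armor_blocks(text):
        if kind == "PRIVATE KEY BLOCK":
            reasons.append("private key block present")
    begins = re.findall(r"-----BEGIN PGP ([A-Z ]+?)-----", text)
    ends = re.findall(r"-----END PGP ([A-Z ]+?)-----", text)
    if sorted(begins) != sorted(ends):
        reasons.append("unbalanced BEGIN/END armor lines")
    return (not reasons, reasons)

# Constructed sample resembling a "public"-only export (placeholder body, not a key).
PUBLIC_ONLY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed sample

mQENBF...constructed...
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
"""

# Constructed sample resembling an "all" export: the public block followed by the private one.
EXPORTED_ALL = PUBLIC_ONLY + """
-----BEGIN PGP PRIVATE KEY BLOCK-----
Comment: constructed sample

lQOYBF...constructed...
=WxYz
-----END PGP PRIVATE KEY BLOCK-----
"""

if __name__ == "__main__":
    for label, sample in (("public only", PUBLIC_ONLY), ("exported all", EXPORTED_ALL)):
        print(label, check_for_publication(sample))
```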

There are many people trying to make PGP communications better, but the fundamental architecture of PGP is such a pain to use that when Ars' Lee Hutchinson e-mailed PGP creator Phillip Zimmermann in PGP format, Zimmermann refused to read the message that way—because his PGP key was not on his phone:

The newly generated Adobe PSIRT key, by the way, came straight out of GPGtools.