Help me to import my secret key please

Daniel Kahn Gillmor dkg at
Mon May 10 04:35:00 CEST 2010

On 05/09/2010 05:10 PM, Faramir wrote:
>   But comments field is for comments, not for identity information, so I
> don't see any problem in adding a hint so people can know "which key
> should I use?".

OK, but how many such comments should we use?  (see below...)

>   Good question, but, since the old key (unless it has expiration date)
> will still be shown as valid at the keyservers, probably it wil haunt
> him forever.

True.  And anyone who wants to can also create and upload a key with his
exact User ID and no expiration date, and that bogus key will also haunt
him forever.  Should he include a comment about not using that
maliciously-uploaded key as well?

What if 10 bogus keys are uploaded with his User ID?

If Joe User's real key is actually 0xDECAFBAD and he still has control
over it, what should other users do if they see a key uploaded with the
User ID of:

  Joe User (Do Not Use 0xDECAFBAD) <joe at>

(remember that anyone can upload such a key) ? Should people care about
or rely upon those comments?  Or are they noise?

The point is that people who haven't exchanged keys directly need to
rely on certifications, not on "oh, this key happens to have a
relevant-looking user ID bound to it".  Since they already need to rely
on certifications, it's best to just treat the bad/old key as though it
were one of the malicious keys that anyone could upload.

The most useful response is to make sure that your proper key is
well-certified, and that any bogus keys are not certified.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100509/650e86d8/attachment.pgp>

More information about the Gnupg-users mailing list