Help me to import my secret key please

Faramir faramir.cl at gmail.com
Wed May 12 11:11:24 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Daniel Kahn Gillmor wrote:
> On 05/09/2010 05:10 PM, Faramir wrote:
>>   But the comments field is for comments, not for identity information, so I
>> don't see any problem in adding a hint so people can know "which key
>> should I use?".
> 
> OK, but how many such comments should we use?  (see below...)
> 
>>   Good question, but, since the old key (unless it has an expiration date)
>> will still be shown as valid at the keyservers, probably it will haunt
>> him forever.
> 
> True.  And anyone who wants to can also create and upload a key with his
> exact User ID and no expiration date, and that bogus key will also haunt
> him forever.  Should he include a comment about not using that
> maliciously-uploaded key as well?

  No, the comment could be useful in case somebody had the first (now
orphan) key, and now he has found the new key and wants to know which
one he should use.

  Let's think about the following case:
  Alice creates a key, gets it signed by CAcert.org (she has validated
her identity in their WoT), and uploads her key to keyservers. Then she
loses her private key, makes a new one, gets it signed by CAcert too,
and uploads it to keyservers.
  CAcert signatures expire 1 year after being issued, but until then, I
don't know if there is a way to make CAcert revoke the signature.
  Then Bob finds Alice in the PGP-Basics list, and wants to send an
encrypted message to her. He just knows her email address, and has set
CAcert's key as a valid introducer. He performs a search at keyservers,
and finds 10 keys saying they belong to Alice. But only 2 of these keys
are shown as valid (the bogus keys have not been signed by a valid
introducer). But which one is the key he should use?
  Of course, he can send a clear text message to Alice, and she can tell
him which one is the right one, and then Bob would deactivate the orphan
key and use the good one. But a comment in the new key would not do any
harm, and would allow Bob to choose the good key without having to wait
for Alice's reply.

...
> If Joe User's real key is actually 0xDECAFBAD and he still has control
> over it, what should other users do if they see a key uploaded with the
> User ID of:
> 
>   Joe User (Do Not Use 0xDECAFBAD) <joe at example.net>
> 
> (remember that anyone can upload such a key) ? Should people care about
> or rely upon those comments?  Or are they noise?

  They should be considered as noise unless these keys have been signed
by a valid (trusted) introducer.

...
> The most useful response is to make sure that your proper key is
> well-certified, and that any bogus keys are not certified.

  Indeed, the comment advice was just a complementary (and optional)
measure, the main response should be to get the certifications revoked.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJL6nC8AAoJEMV4f6PvczxAhk8IAIOHgC16SKDDIPnIVXAMYVOy
SWGcVjKRZMKKPZbOsOq+dDJSrKqmktzGjlubxUyeX/IHPpAAp5UNHta2ETEZodqE
FgA1D8REQ71TZ9a6uWc2n/X5MS+tl1VGl3gAiQC8MR+xj+pkNsU7u5HWuNt6CWcd
z89S6zxmXjqlUqn/lBAmGZQk+KBFWF5azoQbdXCrvEMwx8Owx3J0OKdLL1Mlh3qW
86HGJ5QguZhC2l+O/Fu82yXinW05dCnW9BdKPYGx7Ct8nCnP9FpEfJRTDdAVmSao
4/f7BAf74l28/9ukbswCb9Il6opVI/pnKPOAOhJocV0wxt5eUHszdjBI0A6NuJs=
=8PWU
-----END PGP SIGNATURE-----
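The selection Bob has to make in the scenario above (keep only the keys for an address whose User ID is certified by a trusted introducer, and treat comments on any other key as noise) can be automated from GnuPG's machine-readable `--with-colons` listing. The following is an added example written for this page, not code from the thread or from GnuPG itself. The record layout (`pub`, `uid`, `sig`, `rev` records; key ID in field 5, date in field 6, User ID in field 10, signature class in field 11) is GnuPG's documented colon format, but the sample listing, the key IDs, dates, hashes, the introducer key ID standing in for CAcert's, and the User IDs are all constructed for illustration. It goes slightly beyond the message by also handling the case the reply calls the main response: an introducer certification that was later revoked is no longer counted.

```python
"""Pick the usable key(s) for an address from `gpg --list-sigs --with-colons`
output: a key qualifies only if the matching User ID carries an unrevoked
certification (class 0x10-0x13) from a trusted introducer.  Comments in the
User IDs of uncertified keys are collected separately as noise."""
import re

# Hypothetical key ID of the introducer Bob trusts (stands in for CAcert's key).
INTRODUCER_KEYIDS = {"CACE000000000001"}

# Constructed sample in --with-colons layout: four keys found for Alice's
# address.  Every key ID, date, hash and User ID below is invented.
#   AAAA.. : Alice's old key, certified by the introducer
#   BBBB.. : Alice's new key, certified, with a hint in the comment
#   CCCC.. : a key someone else uploaded, self-signed only
#   DDDD.. : a key whose introducer certification was later revoked
SAMPLE = """\
pub:-:2048:1:AAAA000011112222:1273600000:::-:::scESC:
uid:-::::1273600000::H1::Alice <alice@example.net>:
sig:::1:AAAA000011112222:1273600000::::Alice <alice@example.net>:13x:
sig:::1:CACE000000000001:1273600100::::Assurer <assurer@example.org>:10x:
pub:-:2048:1:BBBB000011112222:1273700000:::-:::scESC:
uid:-::::1273700000::H2::Alice (new key, old one lost) <alice@example.net>:
sig:::1:BBBB000011112222:1273700000::::Alice (new key, old one lost) <alice@example.net>:13x:
sig:::1:CACE000000000001:1273700100::::Assurer <assurer@example.org>:10x:
pub:-:2048:1:CCCC000011112222:1273800000:::-:::scESC:
uid:-::::1273800000::H3::Alice (Do Not Use 0xAAAA000011112222) <alice@example.net>:
sig:::1:CCCC000011112222:1273800000::::Alice (Do Not Use 0xAAAA000011112222) <alice@example.net>:13x:
pub:-:2048:1:DDDD000011112222:1273900000:::-:::scESC:
uid:-::::1273900000::H4::Alice <alice@example.net>:
sig:::1:DDDD000011112222:1273900000::::Alice <alice@example.net>:13x:
sig:::1:CACE000000000001:1273900100::::Assurer <assurer@example.org>:10x:
rev:::1:CACE000000000001:1273950000::::Assurer <assurer@example.org>:30x:
"""

UID_RE = re.compile(r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^>]+)>$")


def unescape(field):
    # Undo gpg's backslash-x escaping of special characters (a colon is \x3a).
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_colons(text):
    """Group records into keys: [{keyid, uids: [{uid, certs, revs}]}].

    certs/revs map a signer key ID to the latest certification / revocation
    date seen for that signer on the User ID the record follows."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append({"uid": unescape(f[9]), "certs": {}, "revs": {}})
        elif f[0] in ("sig", "rev") and keys and keys[-1]["uids"]:
            sigclass = f[10][:2]
            if f[0] == "sig" and sigclass not in ("10", "11", "12", "13"):
                continue  # not a User ID certification
            if f[0] == "rev" and sigclass != "30":
                continue  # not a certification revocation
            uid = keys[-1]["uids"][-1]
            bucket = uid["certs"] if f[0] == "sig" else uid["revs"]
            bucket[f[4]] = max(bucket.get(f[4], 0), int(f[5]))
    return keys


def uid_parts(uid):
    """Split 'Name (Comment) <email>' into its parts; (None, None, None) if odd."""
    m = UID_RE.match(uid)
    if not m:
        return None, None, None
    return m.group("name"), m.group("comment"), m.group("email").lower()


def keys_for(text, email, introducers):
    """Return {keyid: (certified, comment)} for every key with a UID for `email`.

    A UID is certified when a trusted introducer signed it and has not revoked
    that certification at the same time or later."""
    result = {}
    for key in parse_colons(text):
        for uid in key["uids"]:
            _, comment, addr = uid_parts(uid["uid"])
            if addr != email.lower():
                continue
            certified = any(
                signer in introducers and when > uid["revs"].get(signer, -1)
                for signer, when in uid["certs"].items()
            )
            result[key["keyid"]] = (certified, comment)
    return result


def pick_keys(text, email, introducers):
    """Usable (certified) key IDs, and comments found on uncertified keys."""
    ranked = keys_for(text, email, introducers)
    usable = [k for k, (ok, _) in ranked.items() if ok]
    noise = {k: c for k, (ok, c) in ranked.items() if not ok and c}
    return usable, noise


if __name__ == "__main__":
    usable, noise = pick_keys(SAMPLE, "alice@example.net", INTRODUCER_KEYIDS)
    print("usable:", usable)
    print("noise :", noise)
```

Against the sample, the two introducer-certified keys come back as usable, with the comment on the new key available as the hint the message argues for; the "Do Not Use ..." comment is reported only as noise because nobody Bob trusts certified that User ID; and the fourth key drops out once the introducer's revocation is taken into account. Run it on real data with `gpg --list-sigs --with-colons alice@example.net` after importing the search results, and replace the introducer ID with the key ID actually trusted in your own trust database.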


