Gpg revocation anomaly

David Shaw dshaw at jabberwocky.com
Fri Aug 17 19:07:06 CEST 2012


On Aug 17, 2012, at 11:43 AM, No such Client wrote:

> Good day, I have found an anomaly within gpg that I have asked several
> other individuals running different linux distros (gpg 1.4.10 / 1.4.11)
> to independently verify and they have come to the same conclusion.
> After reading the gnupg manual, and the manpages several times for
> pleasure, I tried "addrevoker sensitive", with a testkey that I
> created. I have read the manpages, and the manual, and my understanding
> of addrevoker sensitive is that it is a deniable designated revoker that
> no one else but the revoked party and the revokee should know what it
> is. As well as B. That said "sensitive" (deniable) designated revoker
> can reliably generate and revoke whatever key said individual has been
> designated as a sensitive revoker for. So, I tested this feature using
> two test keys on a new keyring I created to simulate a real-world
> environment, and this raised more questions than answers (addrevoker
> sensitive  - is not well-documented, nor is it covered in any detail)

A sensitive designated revoker isn't deniable.  All it means is that when exporting the key that can be revoked, the designated revoker packet isn't included by default.  That's it.

Here's a use case: Alice wants Baker to be able to revoke her key, but she doesn't want anyone else to know this (say, she's afraid that Charlie will come after Baker in the real world).  She adds Baker to her key via 'addrevoker sensitive'.  She then sends a copy of her public key to Baker, but exports it with "--export-options export-sensitive-revkeys".  Now that she's done this, she can safely send her public key to anyone she likes (to the keyserver, or even to Charlie directly), as the designated revoker information on the key will not be included, thus hiding the fact that Baker has the power to revoke Alice's key.

If and when Baker needs to revoke Alice's key, he issues the revocation signature, adds it to Alice's public key, and publishes it, including *both his revocation signature (to revoke Alice's key), and the designated revoker packet (to prove he has the right to issue the revocation)*.  After revocation, there is no deniability - clearly Baker issued the revocation, and clearly Alice allowed him to do so.

David
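The mechanism David describes lives in the OpenPGP Revocation Key signature subpacket (RFC 4880 section 5.2.3.15, subpacket type 12): a class octet with 0x80 always set, and 0x40 set when the revoker is "sensitive". The following Python is an added illustration, not code from GnuPG or from this thread. It parses a hashed subpacket area, reports each designated revoker and whether it is marked sensitive, and models the export decision: without export-sensitive-revkeys the signature carrying a sensitive revoker is left out. Dropping the whole signature rather than just the subpacket is an assumption made here because hashed subpackets are covered by the signature and cannot be removed without invalidating it. The fingerprints and creation time are constructed placeholders.

```python
"""Model of how a 'sensitive' designated revoker is flagged and filtered on export."""
from dataclasses import dataclass

SIG_CREATION_TIME = 2     # RFC 4880 5.2.3.4 subpacket type
REVOCATION_KEY = 12       # RFC 4880 5.2.3.15 subpacket type
CLASS_REQUIRED = 0x80     # must be set on every revocation-key subpacket
CLASS_SENSITIVE = 0x40    # the bit 'addrevoker sensitive' sets


@dataclass
class RevocationKey:
    pk_algo: int
    fingerprint: str
    sensitive: bool


def encode_subpacket(sptype: int, body: bytes) -> bytes:
    """Encode one subpacket with RFC 4880 5.2.3.1 length octets (length covers the type octet)."""
    length = len(body) + 1
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        n = length - 192
        hdr = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        hdr = b"\xff" + length.to_bytes(4, "big")
    return hdr + bytes([sptype]) + body


def parse_subpackets(data: bytes):
    """Return a list of (type, body) tuples from a subpacket area; raises on truncation."""
    subs, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(data):
            raise ValueError("truncated subpacket")
        sptype = data[i] & 0x7F            # mask off the 'critical' bit
        subs.append((sptype, data[i + 1:i + length]))
        i += length
    return subs


def revocation_keys(hashed_area: bytes):
    """Extract every designated revoker named in the hashed subpackets."""
    out = []
    for sptype, body in parse_subpackets(hashed_area):
        if sptype != REVOCATION_KEY:
            continue
        if len(body) != 22 or not body[0] & CLASS_REQUIRED:
            raise ValueError("malformed revocation key subpacket")
        out.append(RevocationKey(body[1], body[2:].hex(), bool(body[0] & CLASS_SENSITIVE)))
    return out


def export_filter(direct_key_sigs, export_sensitive_revkeys=False):
    """Model the export decision: keep a signature naming a sensitive revoker only on request."""
    if export_sensitive_revkeys:
        return list(direct_key_sigs)
    return [s for s in direct_key_sigs
            if not any(rk.sensitive for rk in revocation_keys(s))]


def revocation_key_subpacket(fingerprint: bytes, pk_algo: int = 1, sensitive: bool = False) -> bytes:
    """Build a Revocation Key subpacket; pk_algo 1 is RSA (RFC 4880 9.1)."""
    cls = CLASS_REQUIRED | (CLASS_SENSITIVE if sensitive else 0)
    return encode_subpacket(REVOCATION_KEY, bytes([cls, pk_algo]) + fingerprint)


# Constructed sample data: two direct-key self-signatures on Alice's key, each shown
# as its hashed subpacket area. Fingerprints are placeholders, not real keys.
CREATED = encode_subpacket(SIG_CREATION_TIME, (0x50000000).to_bytes(4, "big"))
PUBLIC_REVOKER_FPR = bytes.fromhex("11" * 20)
BAKER_FPR = bytes.fromhex("22" * 20)
SIG_PUBLIC_REVOKER = CREATED + revocation_key_subpacket(PUBLIC_REVOKER_FPR)
SIG_SENSITIVE_REVOKER = CREATED + revocation_key_subpacket(BAKER_FPR, sensitive=True)
ALICE_SIGS = [SIG_PUBLIC_REVOKER, SIG_SENSITIVE_REVOKER]


def default_export():
    """What everyone else (keyserver, Charlie) receives: Baker's revoker signature is absent."""
    return export_filter(ALICE_SIGS)


def export_for_baker():
    """What Alice sends Baker with --export-options export-sensitive-revkeys."""
    return export_filter(ALICE_SIGS, export_sensitive_revkeys=True)


if __name__ == "__main__":
    for sig in ALICE_SIGS:
        for rk in revocation_keys(sig):
            print(f"revoker {rk.fingerprint} sensitive={rk.sensitive}")
    print("default export carries", len(default_export()), "of", len(ALICE_SIGS), "signatures")
    print("export-sensitive-revkeys carries", len(export_for_baker()))
```

Running `gpg --list-packets` on Alice's exported key shows the same thing in practice: the line naming the revocation key appears with "sensitive" only in the export made with export-sensitive-revkeys. As the reply notes, once Baker publishes his revocation together with that signature, the parser above would flag him as a revoker on any copy of the key, so the sensitivity bit hides the relationship only until the revocation is used.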