Revocation problem with keyserver

Charly Avital shavital@mac.com
Tue Apr 23 07:58:01 2002


Hi,

I cannot answer your question (keyserver problem, or else), but I can add
the following information, hoping this might help:

1. Importing your key 0x86ECAC0B with PGP 7.0.3 (Mac version):
- fp DEAB AF7A 9269 02E3 7BD1  570C 0AB2 6373 86EC AC0B
- signed with [same key] 0x86ECAC0B on April 23, 2002. This signature is
  dimmed, which in PGP's graphic convention indicates "bad or invalid
  signature"
- signed with same key on April 14, 2002. Signature dimmed, same as in
  previous.
- signed with same key on December 5, 2001. This signature appears to be
  valid, it shows a valid exportable signature icon.
- two subkeys:
  - valid from April 3, 2002. Expires: never. Size: 2048
  - valid from December 5, 2001. Expires: never. Size: 1024
Notes: the key is actually imported into PGP's keyring.
The key does not show the red X, which stands for "revoked" in PGP's
convention.

2. Trying to import that key using Mac GPG 1.0.6 shows:
gpg: requesting key 86ECAC0B from wwwkeys.us.pgp.net ...
gpg: key 86ECAC0B: invalid subkey binding
gpg: key 86ECAC0B: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
[The key was not imported into gpg's keyring]
[As indicated above, PGP shows a valid signature in that key.]

3. Both imports were done at approximately the same time (less than one
minute difference), using the same keyserver.

4. In a similar case, a few days ago, a macgpg-users subscriber reported
having revoked the subkey (one and only) in his key.
Later, that key, when imported in PGP 7.0.3 (Mac), showed a red X (both in
the key row and in the key's subkey). The red X is the mark for a revoked
key.
The one and only self signature was dimmed.
There was no other signature in that key.
Mac GPG's output was:
gpg: requesting key FDB85841 from wwwkeys.us.pgp.net ...
gpg: key FDB85841: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
The key could not be imported into GPG.

I am far too lacking in formal computer science knowledge, but I have been
using PGP (Mac) since versions 2.x.x, and Mac GPG only since October 2001.
Therefore I wouldn't venture conclusions.

What I understand from the above is that in Mr. Gaibler's example, the
key's subkey was *not* revoked, and that two "bad or invalid" signatures
were added to the key and uploaded to a keyserver. I really don't know
whether that means that these are, in fact, signatures revoked by the key
owner.

Another fact is that the key cannot be imported into gpg, precluding its
use by gpg users, but it has been imported in a PGP 7.0.3 keyring, where it
doesn't show as revoked.
Theoretically, it means that I could not use that key, in gpg, to encrypt a
message to Mr. Gaibler. I don't know whether I could use it, in PGP.
But could a message signed with that key be verified in gpg, which would only
access the key in the keyserver, and verify the signature without actually
importing the key? That's what PGP does.

Charly

At 4:12 AM +0200 4/23/02, Volker Gaibler wrote:
>Hello!
>
>I wanted to change my encryption subkey and therefore revoke my old
>subkey. I read the hints given in earlier questions but it doesn't
>work. GPG doesn't accept my public key being imported for revocation
>as Steve Butler wrote on Thu, 7 Mar 2002. I get the following
>error message:
>
>  gpg: requesting key 86ECAC0B from wwwkeys.eu.pgp.net ...
>  gpg: key 86ECAC0B: no valid user IDs
>  gpg: this may be caused by a missing self-signature
>  gpg: Total number processed: 1
>  gpg:           w/o user IDs: 1
>
>But the key on the keyserver was created by GPG 1.0.6 and so is
>self-signed by default. (my key id is 86ECAC0B)
>
>Trying to add the new subkey to the keyserver via gpg --send-key
>results in an ok message but the key on the keyserver is not updated.
>Adding via web interface shows
>
>  Key block in add request contained no new
>  keys, userid's, or signatures.
>  Your key block contained 1 format errors,
>  which were treated as if the erroneous elements
>  hadn't been part of your submission.
>  The last error was on key 0xa82a9e56:
>  Key block corrupt: more than one signature on subkey
>
>Can this be a keyserver problem or am I doing something awfully wrong?
>
>Thanks in advance.
>Volker
>
>
>
>--
> Volker Gaibler                                 contact:
> http://www.volker-gaibler.de                   mail@volker-gaibler.de
> OpenPGP key: 0x86ECAC0B
>+---------------------------------------------------------------------+
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users