new (2003-11-30) keyanalyze results

David Shaw dshaw at jabberwocky.com
Mon Dec 1 10:09:33 CET 2003


On Mon, Dec 01, 2003 at 09:06:08AM +0100, Adrian von Bidder wrote:
> On Monday 01 December 2003 00:08, David Shaw wrote:
> 
> > According to the stats you sent earlier, only around 11% of Elgamal
> > sign+encrypt keys have been revoked.  21% are expired.  69% are still
> > usable.  (The numbers don't add up to 100 since some keys are both
> > revoked and expired, plus I'm rounding).
> >
> > I hope that when 1.2.4 comes out there will be some more revocations
> > since there is nothing else that can be done with a type 20 key in
> > 1.2.4.  Still, it is more likely that some of these are forgotten
> > keys.
> 
> Hmm. I wonder if somebody shouldn't just revoke them. (As proof that
> they are *really* vulnerable).

Heh.  I was waiting for someone to suggest this.  I'm a little
surprised it took this long. ;)

Using a compromised key to revoke a key out from under someone else
raises some interesting ethical questions.  It's similar (though not
quite as problematic) to the use of a virus to patch people's
computers without their knowledge.  I don't plan on doing this, but
it's an interesting question nonetheless.

> Of course, this is only easy where it's the primary, where the
> selfsig is available.

It's only *possible* where it is the primary.  Subkeys are revoked by
the primary key, so if the primary isn't Elgamal sign+encrypt, then
there is no way to get the revocation signature issued.

David
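
Added example, not part of the original message and not GnuPG code: a small audit of a key listing that flags type 20 (Elgamal sign+encrypt) keys, reports whether each is revoked, expired, both, or still usable, and records whether it is a primary key or a subkey and which primary a subkey belongs to. It assumes the `gpg --with-colons --fixed-list-mode` field layout; the listing, key IDs, and function name are constructed for illustration.

```python
import time

ELGAMAL_SIGN_ENCRYPT = 20  # OpenPGP public-key algorithm ID ("type 20")

# Constructed sample listing (not real keys). Assumed colon layout:
# field 1 record type, 2 validity, 4 algorithm, 5 key ID, 7 expiry (epoch seconds).
SAMPLE = """\
pub:-:1024:20:AAAAAAAAAAAAAAA1:1000000000:::-:
uid:-::::1000000000::::Constructed One <one@example.invalid>:
pub:r:1024:20:AAAAAAAAAAAAAAA2:1000000000:1040000000::-:
pub:e:1024:20:AAAAAAAAAAAAAAA3:1000000000:1040000000::-:
pub:-:1024:17:AAAAAAAAAAAAAAA4:1000000000:::-:
sub:-:2048:20:BBBBBBBBBBBBBBB4:1000000000::::
pub:-:1024:17:AAAAAAAAAAAAAAA5:1000000000:::-:
sub:-:2048:16:BBBBBBBBBBBBBBB5:1000000000::::
"""


def audit_type20(listing, now=None):
    """Return one finding per type 20 key or subkey in a colon listing."""
    now = time.time() if now is None else now
    findings, primary_id = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 7:
            continue  # uid, sig, fpr and malformed records are not keys
        if f[0] == "pub":
            primary_id = f[4]  # later "sub" records belong to this key
        if not f[3].isdigit() or int(f[3]) != ELGAMAL_SIGN_ENCRYPT:
            continue
        # The validity field holds one letter, so a revoked key that has
        # also passed its expiry date is only visible via the expiry field.
        revoked = f[1] == "r"
        expired = f[1] == "e" or (f[6].isdigit() and int(f[6]) < now)
        status = [s for s, on in (("expired", expired), ("revoked", revoked)) if on]
        findings.append({
            "keyid": f[4],
            # A subkey is revoked by its primary key, so keep the owner's
            # primary key ID next to every subkey finding.
            "role": "primary" if f[0] == "pub" else "subkey",
            "primary": primary_id,
            "status": status or ["usable"],
        })
    return findings


if __name__ == "__main__":
    for item in audit_type20(SAMPLE, now=1070000000):
        print(item["keyid"], item["role"], item["primary"], ",".join(item["status"]))
```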


