How can one tell what kind of a key one has set up?
David Shaw
dshaw at jabberwocky.com
Fri Nov 28 13:06:37 CET 2003
On Fri, Nov 28, 2003 at 12:47:21PM -0500, gabriel rosenkoetter wrote:
> On Fri, Nov 28, 2003 at 10:58:28AM -0500, David Shaw wrote:
> > Yep, that's an Elgamal sign+encrypt key. Still, at least you can just
> > revoke the subkey. You don't have to revoke your entire key.
>
> Is that really true?
>
> It doesn't matter that anyone he's sent a signed message too
> theoretically has access to private key data? (Or do I misunderstand
> the attack?)
The attack allows for a signature issued by an Elgamal sign+encrypt
key to be used to reveal the secret key. For an Elgamal sign+encrypt
primary key, this pretty much means the whole key is compromised from
the start since the self-signatures on that key are of course issued
by itself. For an Elgamal sign+encrypt subkey, while you still should
revoke it, you at least don't have to revoke the entire key. Revoking
the subkey is sufficient.
David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 330 bytes
Desc: not available
Url : /pipermail/attachments/20031128/2a327791/attachment.bin
More information about the Gnupg-users
mailing list