Revoking Old Keys... my problem

Jerry Windrel jerry.windrel at verizon.net
Fri Apr 30 16:51:06 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's some good news for you, after all that bad news.  It's not
perfect and I may not be remembering it perfectly either, but I think
it's a big help, although it relies on exploiting a flaw in the
protocol of key servers, which I read about recently.  Maybe others
on the list can fill in the blanks of this method.

1) Download the bad public key from a key server.
2) Export it in binary form (not ASCII armored).
3) Get a binary editor (HexEdit is a shareware product that I use...
there are many others)
4) Using the binary editor, alter the User ID, i.e. your real name
"John Smith <john at smith.org>" (or 1 of them, if there are many... DO
NOT change more than one!), to say something like, "Bad Key, use
0x1234ABCD".  Unfortunately, you will have to be brief, as you cannot
use more characters than were in the original User ID.  You will be
somewhat lucky if your name is long :) If you're lucky enough to have
more than enough room, replace the unused characters at the end with
spaces.  Technically, there may be a way to make it longer, but that
would require really getting into the binary format of export files.
Don't forget to save the binary file.
5) Import your lobotomized binary export file.
6) You should be able to see the new "User ID" in place of the old
one.
7) Upload the key.
8) Search on the key server to see the result.
9) You might expect the key server to also show the old userid
replaced by the "Bad Key..." userid, but that's NOT what will happen.
 The old userid will remain (since you haven't done anything to
delete it from the key server, and deleting it from key servers is
not usually even possible), but you will have a new userid, namely
"Bad Key...".  Now whoever looks at the userids for your key will see
that "Bad Key..." warning.

It's not the ideal solution, which is to get rid of the bad key, but,
<wax philosophical="1">key servers are quite an apt metaphor to life
itself... sadly, there are mistakes that can be made that just cannot
be undone.  Seen in that context, having an unrevocable key, while
frustrating, quite pales in comparison to the possible other
irreversible mistakes that can be made in life. Chalk it up to
experience.</wax>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com

iQA/AwUBQJJnwYlVuABWWiqVEQIGWgCgzuQHeU0gGZ9KazRbPfuXyWqrZMIAnRxF
wXnDs5HBg1lki60wF5KW/M4S
=pWra
-----END PGP SIGNATURE-----
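
Added example, not part of the original post: a read-only walker for the binary export format mentioned in step 4, showing that each User ID is a tag 13 packet whose header stores the body length (RFC 4880, section 4.2), which is why the post keeps the replacement text within the original length. The function names and the sample bytes are constructed for illustration; the sample is not a real key.

```python
# Added example: walk an OpenPGP packet stream (RFC 4880, section 4.2).

def read_packets(data):
    """Yield (tag, body_offset, body) for each packet in a binary key export."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, pos + hdr, body
        pos += hdr + length

def user_ids(data):
    """Return (body_offset, length, text) for every User ID packet (tag 13)."""
    return [(off, len(b), b.decode("utf-8", "replace"))
            for tag, off, b in read_packets(data) if tag == 13]

def old_packet(tag, body):
    """Build an old-format packet with a one-octet length (constructed test data)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample, not a real key: dummy public-key (tag 6) and signature (tag 2) bodies.
UID = b"John Smith <john@smith.org>"
SAMPLE = (old_packet(6, b"\x04" + b"\x00" * 11) + old_packet(13, UID)
          + old_packet(2, b"\x04\x13" + b"\x00" * 8))

if __name__ == "__main__":
    for off, n, text in user_ids(SAMPLE):
        print(f"User ID at offset {off}, {n} bytes: {text}")
```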
