GD doesn't always accept revocations

Jason Harris jharris at widomaker.com
Wed Feb 9 22:14:51 CET 2005


On Wed, Feb 09, 2005 at 03:32:57PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote:

> > Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF
> > on the GD.  Unless this is corrected, ldap://keyserver-beta.pgp.com
> > will incorrectly serve the unrevoked version of the key for the next
> > 6 months.
> 
> Yes.  I don't think this is the best design.  I understand the desire
> to keep revoked keys off of the GD, but it's not clear what to do in
> this case (an unrevoked key on the GD is suddenly revoked).

It needs only to verify the revocation and remove the key immediately.

> Drop the key immediately?  Accept the revocation and then drop the key
> after some time has gone by?  I rather like the idea of accepting the
> revocation, and then immediately causing the key to need to be
> reverified by the user (as if their 6 month time on the GD was up).
> This way the user knows what happened, and doing nothing causes the
> key to fall out of the GD.

The key was revoked by the keyholder, so it cannot be re-added to the
GD unless its revocation certificate is removed.  This is very simple
to do with a tool like gpgsplit, and is therefore an easy attack to
perpetrate against the GD and keyholders of revoked keys.  (I classify
it as an attack because it gets the GD to send confirmation emails for
"useless" keys, anyone answering the unencrypted challenges causes the
GD to store "useless" keys, etc.)

This also applies to expired (v4) keys, as long as at least one (earlier)
selfsig didn't expire the key.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/fcd1584e/attachment.pgp


More information about the Gnupg-users mailing list