GD doesn't always accept revocations

Jason Harris jharris at widomaker.com
Wed Feb 9 23:38:46 CET 2005


On Wed, Feb 09, 2005 at 04:25:48PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote:
> 
> > It needs only to verify the revocation and remove the key immediately.
> 
> Well, that's one possible answer.  Why don't you suggest it to the GD
> people?

If this isn't already self-evident to them...

> Why go through a lot of bother to find an expired or revoked key which
> you then manipulate into being acceptable?  Just make a brand new key
> with your victim's email address and submit that.  It's the same
> result.

For one thing, anyone who followed the GD FAQ and simply removed a key
from the GD without revoking it in their own keyring may be duped into
confirming the fingerprint of a key they once used and probably still
have.  The key may or may not be expired, but their encryption client
definitely can't heed a revocation that was never generated.

For another, why waste good bytes out of /dev/random?  Besides, the
game is mostly over if the victim must first import a totally unknown key.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
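The directory behaviour argued for in this exchange (verify a submitted revocation against the key it claims to revoke, and if it checks out, drop the key at once) can be sketched in code. The block below is an added example, not part of the original post and not code from the PGP Global Directory or GnuPG: it is a constructed model in which an Ed25519 signature over a canonical "REVOKE:<fingerprint>" message stands in for an OpenPGP revocation certificate, the `KeyDirectory` class, the `fingerprint` helper and the address `alice@example.org` are all assumptions made for the illustration, and the `cryptography` package is assumed to be installed.

```python
"""Model of a key directory that verifies a revocation before removing a key.

Constructed example. Real OpenPGP revocation certificates are self-signature
packets; here an Ed25519 signature over a canonical message plays that role.
"""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519


def fingerprint(pub: ed25519.Ed25519PublicKey) -> str:
    """Stand-in for an OpenPGP fingerprint: hash of the raw public key bytes."""
    raw = pub.public_bytes(serialization.Encoding.Raw,
                           serialization.PublicFormat.Raw)
    return hashlib.sha256(raw).hexdigest()[:40]


def revocation_message(fpr: str) -> bytes:
    """Canonical bytes the key owner signs to revoke exactly this key."""
    return b"REVOKE:" + fpr.encode()


class KeyDirectory:
    """Email-indexed directory of public keys (hypothetical, in-memory)."""

    def __init__(self) -> None:
        self.by_fpr = {}    # fingerprint -> (email, public key)
        self.by_email = {}  # email -> fingerprint

    def submit_key(self, email: str, pub: ed25519.Ed25519PublicKey) -> str:
        fpr = fingerprint(pub)
        self.by_fpr[fpr] = (email, pub)
        self.by_email[email] = fpr
        return fpr

    def lookup(self, email: str):
        fpr = self.by_email.get(email)
        return self.by_fpr[fpr][1] if fpr else None

    def submit_revocation(self, fpr: str, signature: bytes) -> bool:
        """Accept the revocation only if the listed key itself signed it."""
        entry = self.by_fpr.get(fpr)
        if entry is None:
            return False
        email, pub = entry
        try:
            pub.verify(signature, revocation_message(fpr))
        except InvalidSignature:
            return False  # anyone can claim a revocation; only the owner can prove it
        # Valid revocation: remove the key immediately, no further bother.
        del self.by_fpr[fpr]
        if self.by_email.get(email) == fpr:
            del self.by_email[email]
        return True


def demo():
    """Register a key, reject a forged revocation, accept the genuine one."""
    directory = KeyDirectory()
    owner = ed25519.Ed25519PrivateKey.generate()
    fpr = directory.submit_key("alice@example.org", owner.public_key())

    # A revocation signed by some other key must not remove Alice's entry.
    forger = ed25519.Ed25519PrivateKey.generate()
    rejected = directory.submit_revocation(fpr, forger.sign(revocation_message(fpr)))

    # The owner's own signature is verified and the key is dropped at once.
    accepted = directory.submit_revocation(fpr, owner.sign(revocation_message(fpr)))
    gone = directory.lookup("alice@example.org") is None
    return rejected, accepted, gone


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The verification step is the whole point: a directory that removes keys on an unsigned request can be used to delist anyone, while one that ignores signed revocations keeps serving keys their owners have disowned. Checking the signature against the key being revoked gives the directory a decision it can act on immediately.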
More information about the Gnupg-users mailing list