2 noob problems

Henry Hertz Hobbit hhhobbit7 at netscape.net
Thu May 5 06:24:27 CEST 2005


Matthew East wrote:

> Hello,
>
> I am a relative newcomer to the world of GPG and I seek some
> help on a couple of problems I have.
>
> First, when searching for keys on keyservers (I've tried the
> one supplied by default with gpg as well as pgp.mit.edu) using
> the "gpg --search-keys" command, it just sits there for ages
> without doing anything. I have the agent enabled via evolution
> as well and that is also just sitting there without finding
> the key. Can anyone help? It would be much appreciated.
> Sometimes it seems to work, but sometimes not, and I have no
> idea why.
>
> The other thing is that, given that I am a beginner, I have 
> self-signed my key a few times and then deleted the signature,
> when I was discovering how everything worked. Now I've
> discovered that my key appears like this (despite the fact
> that it seems fine if I check it locally):
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x0E6B06FF
>
> Is there anything I can do about this?

PUNT!  REALLY!

[1]  You don't sign your own key.  I would suggest you do the
following to handle the problem.

gpg --gen-revoke 0E6B06FF > revoke.asc
# import the certificate first; otherwise the export below does not carry the revocation
gpg --import revoke.asc
gpg -a --export 0E6B06FF > matthew_east.asc

Now upload the revoked key to the server.  It will still
hang around a while, but at least you can get rid of it.

[2] Delete EVERYTHING.  Start new, but don't play around
with the key servers.  Pick your keys to expire in one
year, and a big enough keysize for the symmetric crypts.
SEND your key to another user (yes, I will help out) and
just privately sign this other person's key and do some
learning.

[3] Once you have a more firm idea of what you are doing,
THEN you can upload your public key to a key server.

[4] One thing that I have noticed is that the key servers
are notorious for passing the buck to another key server.
I would like to say that opening up ports 10 and 11371 on
the router will help, but it won't because even if the
router allows it in, which private NAT address is it
supposed to send the packet to?  All the keyserver on
the outside knows is your WAN address, and it MUST send
it to that address even if it KNOWS your internal IP NAT
address.  That is why I say that the keyserver model
should work more like DNS.  I don't care if the keyserver
that I sent the request to hands it off to another key
server to do the dirty work - the reply should come back
to the one I sent the request to.

It beats me if that helps you, but you CAN get my private
key from MIT (along with the email address it is tied to)
by going to:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xE1FA6C62

You will notice I did NOT sign my own key.  Since I created it
and also have the secret half of the key as well, it has ultimate
authority (unless I have a multiple personality disorder).

Ciao

Henry Hertz Hobbit
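
The clean-up the reply recommends (a fresh key that expires in one year, a revocation certificate for the old key, and an export that actually carries that revocation before anything is sent to a keyserver), as an added example that is not part of the original thread and not Henry's or GnuPG's own code. It assumes GnuPG 2.1 or later (for --quick-gen-key and --pinentry-mode), runs entirely inside a throwaway GNUPGHOME so the real keyring is untouched, and uses a constructed user ID.

```shell
#!/bin/sh
# Added example: key lifecycle in a disposable keyring (GnuPG >= 2.1).
# Nothing here touches the caller's real ~/.gnupg.
set -eu

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Constructed identity; substitute your own.
USER_ID="Matthew Example <matthew@example.invalid>"

# Step [2] of the reply: a key that expires in one year. The empty
# passphrase keeps the run non-interactive; a real key should have one.
# Prints the new key's fingerprint.
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$USER_ID" default default 1y
  gpg --batch --with-colons --list-keys "$USER_ID" \
      | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step [1]: a revocation certificate. --gen-revoke asks four questions
# on the terminal (create? / reason / description / confirm), so the
# answers are fed through --command-fd. Reason 0 is "no reason given".
gen_revoke() {
  printf 'y\n0\n\ny\n' \
    | gpg --no-tty --command-fd 0 --status-fd 2 --gen-revoke "$1" \
      > "$GNUPGHOME/revoke.asc"
}

# The certificate only affects the key once it is imported; exporting
# before that step would upload an unrevoked key. Writes the armored,
# revoked public key to revoked_pubkey.asc, ready for --send-keys.
revoke_and_export() {
  gpg --batch --quiet --import "$GNUPGHOME/revoke.asc"
  gpg --batch --armor --export "$1" > "$GNUPGHOME/revoked_pubkey.asc"
}

# Succeeds if gpg lists the key with validity 'r' (revoked).
is_revoked() {
  gpg --batch --with-colons --list-keys "$1" | grep -q '^pub:r:'
}

# Succeeds if the exported file really contains a key-revocation
# signature (sigclass 0x20), i.e. what a keyserver would receive.
export_has_revocation() {
  gpg --batch --list-packets "$GNUPGHOME/revoked_pubkey.asc" 2>/dev/null \
      | grep -q 'sigclass 0x20'
}

# Whole cycle; prints "revoked" when both checks pass.
demo_cycle() {
  fpr="$(gen_key)"
  gen_revoke "$fpr"
  revoke_and_export "$fpr"
  if is_revoked "$fpr" && export_has_revocation; then
    echo revoked
  else
    echo not-revoked
  fi
}

# Usage: sh keycycle.sh run
if [ "${1:-}" = "run" ]; then
  demo_cycle
fi
```

Two practical notes: GnuPG 2.1 and later already writes a revocation certificate for every newly generated key into openpgp-revocs.d under GNUPGHOME (with a colon in front of the armor header to prevent accidental import), so for a new key the gen_revoke step can be replaced by editing and importing that file; and the order in revoke_and_export is the whole point, since a revocation that is only sitting in a file is invisible to --export.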

