Problem with revoking my old key

Charly Avital shavital at mac.com
Fri Jan 27 07:12:08 CET 2006


Running Thunderbird version 1.5 (20051201) + enigmail 0.94.0, Macintosh
OSX 10.4.4, GnuPG 1.4.2.

When I received Daniel's message, TB+Enigmail indicated, in a colored
strip over the message's text "click the Decrypt icon to import key" (I
don't remember the exact words).

When I clicked that icon, a message was displayed "...cannot import
revocation certificate key 9438F4F0...". Again, I don't remember the
exact words, but that was the gist of the message.

I then searched for Daniel's keys with CLI:
$ gpg --search-keys daniel at kingsofcode.net (I don't have to specify the
keyserver in CLI, this is done in GPGPreferences, a feature of MacGPG,
which is the GnuPG for the Mac Project)

This produced two keys:
one created 2002-10-20
one created 2006-01-25

Both keys were valid, none contained any trace of revocation.

I then went back to Daniel's original message, clicked again the Decrypt
icon, and GnuPG[via TB+enigmail] displayed a long message the gist of
which was the successful import of the revocation certificate, and
detailing other data e.g. trust levels, etc.

Went to
$ gpg --edit-key 9438F4F0
with the following output:
-----
This key was revoked on 2006-01-26 by DSA key 9438F4F0 Daniel Löfquist <daniel at kingsofcode.net>
pub  1024D/9438F4F0  created: 2002-10-20  revoked: 2006-01-26  usage: CSA
                     trust: unknown       validity: revoked
This key was revoked on 2006-01-26 by DSA key 9438F4F0 Daniel Löfquist <daniel at kingsofcode.net>
sub  1024g/DDF10144  created: 2002-10-20  revoked: 2006-01-26  usage: E
[ revoked] (1). Daniel Löfquist <daniel at kingsofcode.net>
-----

I don't know whether Daniel has already followed David Shaw's
suggestion: import the revocation certificate into Daniel's keyring, and
then upload the resulting public key keyblock to a keyserver, which is
the standard way to use a revocation certificate. I am sure that when I
downloaded Daniel's keys from a keyserver (wwwkeys.pgp.net) the key was
not revoked.

I have *not* of course uploaded the revoked public key keyblock to a
keyserver. That's Daniel's privilege.

Therefore it seems that by importing the revocation certificate as it
appeared in Daniel's email, *when the corresponding key was present in
my keyring* gpg actually revoked the key.

If this is what happened, that means that when one has obtained the
revocation certificate, it is possible to revoke the corresponding key
in one's own keyserver, without the intervention of the certificate's
issuer, and I believe that is detailed in the GnuPG documentation. This is
why revocation certificates must be carefully saved and protected on the
issuer's system, until such time as the user him/herself needs to apply the
certificate.

Wouldn't it be "better" if the actual application of the revocation
certificate would be conditioned to the use of the key's passphrase,
thus limiting the revocation certificate's application to the key's
owner only?

Just 2¢

Charly




Jean-David Beyer wrote the following on 1/26/06 9:52 PM:
> Daniel Löfquist wrote:
[...]

>>> Now I've been trying to upload the revocation certificate to the various
>>> keyservers but none of them wants to accept it. For example, when I try
>>> uploading it to wwwkey.pgp.net I get this as a response:
>>>
>>> Add failed: Malformed Key --- unexpected packet type and/or order of packets
>>>
>>> Am I doing something wrong or why is my key not being accepted by the keyservers?
>>>
>>>
>>> //Daniel
>>>
>>>


> I get the same message when I try to import your key. So if it is not you,
> it is both Thunderbird 1.5 and the keyserver. I would not expect both to be
> buggy in the same way.
> 
> --
>   .~.  Jean-David Beyer          Registered Linux User 85642.
>   /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
>  /( )\ Shrewsbury, New Jersey    http://counter.li.org
>  ^^-^^ 21:50:00 up 6 days, 13:17, 5 users, load average: 4.22, 4.41, 4.58



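Both observations in this thread, the keyserver refusing the bare certificate ("unexpected packet type and/or order of packets") and the import only succeeding once the key itself was present in the keyring, follow from how OpenPGP packets are laid out. The following is an added example, written for this page and not code from the thread or from GnuPG. It walks new-format packet headers over constructed dummy packets (no real key material): a revocation certificate as produced by gpg --gen-revoke is a lone signature packet of type 0x20, so a check that a keyblock must open with a public-key packet rejects it on its own; merging it into a keyblock that holds the key, the way gpg --import followed by gpg --export does, places the revocation signature directly after the primary key packet (RFC 4880 section 11.1), which is the form a keyserver accepts. The function names, constants and sample bytes are constructed for the demo; the rejection text mirrors the keyserver message quoted above rather than any particular keyserver's code, and real gpg additionally matches the issuer key ID and verifies the signature, which this demo omits.

```python
# Added example, not part of the original thread: a minimal OpenPGP packet
# walker showing why a keyserver rejects a bare revocation certificate and
# what the keyblock looks like once the certificate has been imported into a
# keyring that holds the key and exported again. Packet bodies are dummies.

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SIGTYPE_KEY_REVOCATION = 0x20  # RFC 4880 section 5.2.1


def new_packet(tag: int, body: bytes) -> bytes:
    """New-format packet header with a one-octet length (RFC 4880 section 4.2.2)."""
    if len(body) >= 192:
        raise ValueError("demo only emits one-octet body lengths")
    return bytes([0xC0 | tag, len(body)]) + body


def parse_packets(data: bytes):
    """Yield (tag, body) for new-format packets with one- or two-octet lengths."""
    i = 0
    while i < len(data):
        ctb, first = data[i], data[i + 1]
        if ctb & 0xC0 != 0xC0:
            raise ValueError("old-format or invalid packet header not handled here")
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
        else:
            raise ValueError("long or partial body lengths not handled here")
        yield ctb & 0x3F, data[i + hdr:i + hdr + length]
        i += hdr + length


def describe(tag: int, body: bytes) -> str:
    """Name a packet; for v4 signatures include the signature type octet."""
    if tag == TAG_SIGNATURE and len(body) >= 2 and body[0] == 4:
        return f"signature(type=0x{body[1]:02x})"
    return {TAG_PUBLIC_KEY: "public-key", TAG_USER_ID: "user-id"}.get(tag, f"tag{tag}")


def check_keyblock(data: bytes) -> str:
    """Order check a keyserver can apply: a keyblock must open with a public-key
    packet. A bare revocation certificate is a lone signature packet and fails."""
    pkts = list(parse_packets(data))
    if not pkts or pkts[0][0] != TAG_PUBLIC_KEY:
        return "Malformed Key: unexpected packet type and/or order of packets"
    return "ok"


def merge_revocation(keyblock: bytes, revocation: bytes) -> bytes:
    """Packet-level equivalent of gpg --import of the certificate followed by
    gpg --export: the revocation signature goes directly after the primary key
    packet (RFC 4880 section 11.1). Real gpg also matches the issuer key ID
    and verifies the signature; both are omitted in this demo."""
    pkts, rev = list(parse_packets(keyblock)), list(parse_packets(revocation))
    if len(rev) != 1 or rev[0][0] != TAG_SIGNATURE or rev[0][1][1] != SIGTYPE_KEY_REVOCATION:
        raise ValueError("not a standalone key revocation certificate")
    if not pkts or pkts[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("cannot import revocation certificate: key not present")
    return b"".join(new_packet(t, b) for t, b in [pkts[0], rev[0]] + pkts[1:])


# Constructed sample data: dummy key material, not a real key.
PUBKEY = new_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40)
UID = new_packet(TAG_USER_ID, b"Example User <user@example.invalid>")
SELFSIG = new_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 20)     # 0x13: positive certification
REVOCATION = new_packet(TAG_SIGNATURE, b"\x04\x20" + b"\x00" * 20)  # 0x20: key revocation
KEYBLOCK = PUBKEY + UID + SELFSIG


def demo() -> dict:
    """Run the three uploads a keyserver might see and show the merged layout."""
    merged = merge_revocation(KEYBLOCK, REVOCATION)
    return {"upload keyblock": check_keyblock(KEYBLOCK),
            "upload bare revocation": check_keyblock(REVOCATION),
            "upload merged keyblock": check_keyblock(merged),
            "merged layout": [describe(t, b) for t, b in parse_packets(merged)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The merge step is also why Charly's first click failed and the second succeeded: with no matching public key in the keyring there is nothing to attach the type 0x20 signature to, and once the key has been fetched the signature is simply slotted in after the primary key packet, revoking it locally with no passphrase involved.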
