Modified user ids and key servers and a possible security risk?

thomas weidner thomas001le at googlemail.com
Wed Aug 25 18:18:18 CEST 2010


Hello,

I started using gpg (with enigmail) today and found out I already have a
key for my e-mail address on the key servers which I had completely
forgotten about. Of course I do have the private key for this old key any
more. Therefore I created a new key. Some sources on the web suggested
leaving a message in the old key which states that the key is not used
any more. To do this I binary edited a gpg file and uploaded the
modified old key to the keyserver again. The result looked promising:
http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6

Is this a security risk? I could do this for any key and leave wrong
messages on the key server which point to some other key. After a
discussion on #gnupg I was told that gpg will not import the added user
id because the signature is wrong. While this is great for security, the
key server still shows the user id. Is it a bug in the key server that
it does not check new data for validity?

greetings, thomas
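
The check mentioned in the message above (a client rejecting a user ID whose self-signature does not match), sketched as an added example that is not part of the original message and is not GnuPG or key server code. It covers only the 16-bit hash-prefix quick check of a v4 SHA-1 certification as laid out in RFC 4880; the function names and the sample key material are constructed for illustration.

```python
import hashlib
import struct

def _digest(key_body: bytes, uid: bytes, hashed: bytes) -> bytes:
    # RFC 4880 5.2.4: key packet, user ID, hashed signature data, v4 trailer.
    h = hashlib.sha1()
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    h.update(b"\xb4" + struct.pack(">I", len(uid)) + uid)
    h.update(hashed + b"\x04\xff" + struct.pack(">I", len(hashed)))
    return h.digest()

def uid_binding_plausible(key_body: bytes, uid: bytes, sig_body: bytes) -> bool:
    """Quick check only: recompute the hash and compare its first 16 bits with
    the prefix stored in the signature packet. A real verifier (as gpg does on
    import) must also verify the signature MPIs against the primary key."""
    if len(sig_body) < 8:
        raise ValueError("truncated signature packet")
    version, sig_type, _pk, hash_algo, hashed_len = struct.unpack(">BBBBH", sig_body[:6])
    if version != 4 or hash_algo != 2 or not 0x10 <= sig_type <= 0x13:
        raise ValueError("only v4 SHA-1 user ID certifications are handled")
    end_hashed = 6 + hashed_len
    if len(sig_body) < end_hashed + 2:
        raise ValueError("truncated signature packet")
    (unhashed_len,) = struct.unpack(">H", sig_body[end_hashed:end_hashed + 2])
    off = end_hashed + 2 + unhashed_len
    stored = sig_body[off:off + 2]
    if len(stored) != 2:
        raise ValueError("truncated signature packet")
    return _digest(key_body, uid, sig_body[:end_hashed])[:2] == stored

def make_sample():
    """Constructed data, not a real key: packet bodies without packet headers."""
    created = struct.pack(">I", 1282752000)
    key_body = b"\x04" + created + b"\x01" + b"\x00\x08\xc5" + b"\x00\x02\x03"
    uid = b"Alice Example <alice@example.org>"
    sub = b"\x05\x02" + created                     # signature creation time
    hashed = bytes([4, 0x13, 1, 2]) + struct.pack(">H", len(sub)) + sub
    prefix = _digest(key_body, uid, hashed)[:2]
    sig_body = hashed + b"\x00\x00" + prefix + b"\x00\x01\x01"  # dummy MPI
    return key_body, uid, sig_body

if __name__ == "__main__":
    key_body, uid, sig_body = make_sample()
    print("original user ID:", uid_binding_plausible(key_body, uid, sig_body))
    edited = uid.replace(b"Alice", b"Alicf")        # one-byte binary edit
    print("edited user ID:  ", uid_binding_plausible(key_body, edited, sig_body))
```

A key server that stores uploaded packets without running a check of this kind, followed by full signature verification, will display whatever user ID bytes it was sent.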
