Help me to import my secret key please

MFPA expires2010 at ymail.com
Wed May 12 20:06:01 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Wednesday 12 May 2010 at 10:11:24 AM, in
<mid:4BEA70BC.40902 at gmail.com>, Faramir wrote:


>   No, the comment could be useful in case somebody had
> the first (now orphan) key, and now he has found the
> new key and wants to know which one he should use.

Although the comment could just state it was his new key from
dd/mm/yyyy without mentioning any other key(s).


>   Let's think about the following case:   Alice creates
> a key, gets it signed by CAcert.org (she has validated
> her identity in their WoT), and uploads her key to
> keyservers. Then she loses her private key, makes a new
> one, and gets it signed by CAcert too, and uploads it to
> keyservers.   CAcert signatures expire 1 year after
> being issued, but until then, I don't know if there is
> a way to make CAcert revoke the signature.   Then
> Bob finds Alice in PGP-Basics list, and wants to send
> an encrypted message to her. He just knows her email
> address, and has set CAcert's key as a valid
> introducer. He performs a search at keyservers, and
> finds 10 keys saying they belong to Alice. But only 2 of
> these keys are shown as valid (the bogus keys have not
> been signed by a valid introducer). But which one is
> the key he should use?   Of course, he can send a clear
> text message to Alice, and she can tell him which one
> is the right one, and then Bob would deactivate the
> orphan key and use the good one. But a comment in the
> new key would not do any harm, and would allow Bob to
> choose the good key without having to wait for Alice's
> reply.

Bob could encrypt the message asking which key to both of Alice's keys
that looked valid. But if Bob's basis for deciding Alice's keys are
valid was simply his trust in the CAcert signatures, isn't the newer
key with the more recent signature a better bet?


> ...
>> If Joe User's real key is actually 0xDECAFBAD and he still has control
>> over it, what should other users do if they see a key uploaded with the
>> User ID of:

>>   Joe User (Do Not Use 0xDECAFBAD) <joe at example.net>

>> (remember that anyone can upload such a key) ? Should
>> people care about or rely upon those comments?  Or are
>> they noise?

>   They should be considered as noise unless these keys
> have been signed by a valid (trusted) introducer.

> ...
>> The most useful response is to make sure that your proper key is
>> well-certified, and that any bogus keys are not certified.

>   Indeed, the comment advice was just a complementary
> (and optional) measure, the main response should be to
> get the certifications revoked.

Maybe this indicates a good reason to use expiry dates on keys. And
maybe a trusted revocation key that you don't actually use and that
lives offline somewhere secure, maybe even split, in case of such
eventualities.


- --
Best regards

MFPA                    mailto:expires2010 at ymail.com

Gypsy Dwarf Escapes Prison: Small Medium at large
-----BEGIN PGP SIGNATURE-----

iQCVAwUBS+ruC6ipC46tDG5pAQoT/wQAxJglp9ny7kZR/V/wH2x0L117PRjGBQcf
/KuErSTS0Ouy3Qf19Me7LHU33srCHMmIRCYKCBeG3pJZQH1+FQDXy99QhTsfaWRy
0Re0x2YkkuU53UVTzh+w2KTnY/3/fsVBSwFJl/U/hdXvPASZOBxFY6yab+QIpbuX
Kw2KXySTIQw=
=ne+m
-----END PGP SIGNATURE-----
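The selection logic the thread argues about (discard keys without a certification from a trusted introducer, discard expired or revoked keys, and among the rest prefer the one carrying the most recent trusted certification) written out as an added example; this is not code from the thread or from GnuPG. It assumes a simplified model of OpenPGP keys and certifications with constructed key IDs and dates, and it applies the thread's statement that CAcert certifications lapse one year after issue.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumption: Bob has marked CAcert's key as a trusted introducer (per the thread).
TRUSTED_INTRODUCERS = {"CACERT"}
# The thread states CAcert signatures expire 1 year after being issued.
CERT_LIFETIME = timedelta(days=365)


@dataclass
class Certification:
    issuer: str          # key ID of the certifying key
    issued: date
    revoked: bool = False


@dataclass
class Key:
    key_id: str
    created: date
    expires: Optional[date]
    revoked: bool = False
    certs: List[Certification] = field(default_factory=list)


def trusted_certs(key, today):
    """Certifications by a trusted introducer that are unrevoked and still within their lifetime."""
    return [c for c in key.certs
            if c.issuer in TRUSTED_INTRODUCERS
            and not c.revoked
            and c.issued <= today < c.issued + CERT_LIFETIME]


def usable(key, today):
    """A key is usable only if it is unrevoked, unexpired and carries a live trusted certification."""
    if key.revoked:
        return False
    if key.expires is not None and key.expires <= today:
        return False
    return bool(trusted_certs(key, today))


def usable_key_ids(candidates, today):
    return [k.key_id for k in candidates if usable(k, today)]


def pick_key(candidates, today):
    """Among usable keys, choose the one whose newest trusted certification is most recent."""
    valid = [k for k in candidates if usable(k, today)]
    if not valid:
        return None
    return max(valid, key=lambda k: max(c.issued for c in trusted_certs(k, today)))


# Constructed keyserver search result for "Alice": key IDs and dates are invented.
TODAY = date(2010, 5, 12)
SAMPLE_KEYS = [
    # Orphan key: private half lost, but its CAcert certification is still within a year.
    Key("0x11111111", date(2008, 3, 1), None,
        certs=[Certification("CACERT", date(2009, 9, 1))]),
    # Replacement key: newer, with an expiry date and a fresher CAcert certification.
    Key("0x22222222", date(2010, 4, 1), date(2012, 4, 1),
        certs=[Certification("CACERT", date(2010, 4, 5))]),
    # Bogus key: certified only by an unknown party, so it is noise.
    Key("0x33333333", date(2010, 4, 20), None,
        certs=[Certification("0xBADBADBA", date(2010, 4, 21))]),
    # Bogus key with no third-party certification at all.
    Key("0x44444444", date(2010, 5, 1), None),
    # Genuinely certified, but the key itself has already expired.
    Key("0x55555555", date(2009, 1, 1), date(2010, 3, 1),
        certs=[Certification("CACERT", date(2010, 1, 1))]),
    # Old key whose CAcert certification lapsed after one year.
    Key("0x66666666", date(2007, 6, 1), None,
        certs=[Certification("CACERT", date(2008, 6, 1))]),
    # Key whose trusted certification has been revoked by the introducer.
    Key("0x77777777", date(2009, 8, 1), None,
        certs=[Certification("CACERT", date(2009, 8, 2), revoked=True)]),
]


def demo():
    """Return (usable key IDs, chosen key ID) for the constructed sample."""
    chosen = pick_key(SAMPLE_KEYS, TODAY)
    return usable_key_ids(SAMPLE_KEYS, TODAY), (chosen.key_id if chosen else None)


if __name__ == "__main__":
    valid_ids, chosen_id = demo()
    print("usable:", valid_ids)   # two keys survive, as in the thread's scenario
    print("chosen:", chosen_id)   # the one with the most recent trusted certification
```

Two of the seven candidates survive the validity filter, matching the "only 2 of these keys are shown as valid" scenario, and the recency rule then prefers the replacement key without any comment in its user ID. The expiry date on the replacement key and the one-year cap on certifications are what eventually clear the orphan key out of the result set, which is the case for expiry dates made at the end of the message.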
