invalid gpg key revocation
Ingo Klöcker
kloecker at kde.org
Mon Mar 5 22:36:42 CET 2012
On Sunday 04 March 2012, Robert J. Hansen wrote:
> On 3/4/2012 4:13 PM, auto15963931 at hushmail.com wrote:
> > Hello. Supposing I create a key with an arbitrary user ID...
>
> This seems to me to be a simple question wrapped up in a lot of
> unnecessarily specific details: "How is it possible for a
> non-authorized person to revoke a user ID?"
>
> 1. Mathematical weakness in the underlying
> algorithms (unlikely but possible)
> 2. Critical bug in GnuPG (unlikely but possible)
> 3. Someone's swiped your private key (disturbingly
> possible)
4. He has left his laptop unlocked and unattended for a very short
period of time and he is using gpg-agent with a cache-ttl > 0.
I have verified that one can generate a revocation certificate without
entering a passphrase if one has previously signed something (e.g. an
email). So, it was probably just a very nasty prank.
Maybe gpg shouldn't use the cached signing passphrase (or any cached
passphrase) for generating a revocation certificate.
Regards,
Ingo
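As an added example (not code from the thread or from GnuPG), a POSIX-shell audit of gpg-agent.conf for the condition Ingo describes. It relies on gpg-agent's documented options default-cache-ttl (built-in default 600 seconds) and ignore-cache-for-signing, which makes every signing request, a revocation certificate included, bypass the passphrase cache; the two sample configuration files are constructed.

```shell
#!/bin/sh
# Added example for this thread (not GnuPG's own code): audit a
# gpg-agent.conf for settings that let a cached passphrase be reused
# for signing, which is what makes a passphrase-less revocation
# certificate possible on an unlocked laptop.

# Print the effective value of option $2 in config file $1 (last
# occurrence wins; comments and blank lines ignored). A flag without a
# value prints "set"; an absent option prints nothing.
agent_opt() {
  awk -v o="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == o { v = ($2 == "") ? "set" : $2 }
    END { if (v != "") print v }' "$1"
}

# Return 0 when every signing request will prompt for the passphrase,
# 1 when a cached passphrase could be reused to make a signature.
audit_agent_conf() {
  conf="$1"
  if [ "$(agent_opt "$conf" ignore-cache-for-signing)" = "set" ]; then
    echo "ok: ignore-cache-for-signing set, signing always prompts"
    return 0
  fi
  ttl="$(agent_opt "$conf" default-cache-ttl)"
  [ -n "$ttl" ] || ttl=600      # gpg-agent's built-in default, in seconds
  if [ "$ttl" -eq 0 ]; then
    echo "ok: default-cache-ttl 0, passphrase is never cached"
    return 0
  fi
  echo "risk: passphrase cached for ${ttl}s and reused for signing"
  return 1
}

# Constructed sample configs: a typical laptop setup beside a hardened one.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
default-cache-ttl 1800
max-cache-ttl 7200
EOF
hardened_conf=$(mktemp)
cat >"$hardened_conf" <<'EOF'
# Keep the cache for decryption, but make every signature (a revocation
# certificate included) ask for the passphrase again.
default-cache-ttl 600
ignore-cache-for-signing
EOF
audit_agent_conf "$weak_conf" || echo "fix: add ignore-cache-for-signing"
audit_agent_conf "$hardened_conf"
```

After editing the real file, gpg-agent picks the change up with `gpgconf --reload gpg-agent`.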