invalid gpg key revocation

auto15963931 at hushmail.com
Tue Mar 6 19:59:48 CET 2012


> -----Original Message-----
> From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org]
> On Behalf Of Ingo Klöcker
> Sent: Monday, March 05, 2012 3:37 PM
> To: gnupg-users at gnupg.org
> Subject: Re: invalid gpg key revocation
> 
> On Sunday 04 March 2012, Robert J. Hansen wrote:
> > On 3/4/2012 4:13 PM, auto15963931 at hushmail.com wrote:
> > > Hello. Supposing I create a key with an arbitrary user ID...
> >
> > This seems to me to be a simple question wrapped up in a lot of
> > unnecessarily specific details: "How is it possible for a
> > non-authorized person to revoke a user ID?"
> >
> > 	1.  Mathematical weakness in the underlying
> > 	    algorithms (unlikely but possible)
> > 	2.  Critical bug in GnuPG (unlikely but possible)
> > 	3.  Someone's swiped your private key (disturbingly
> > 	    possible)
> 
> 4. He has left his laptop unlocked and unattended for a very short period
> of time and he is using gpg-agent with a cache-ttl > 0.

I do in fact use gpg-agent and a cache >0, but this machine is not 
in a workplace or public location. It is in my home, in a place 
where visitors have no access, and my family would not have been 
able to do this.  My machine has considerable security. I am not 
saying it would be 100% impossible to get access, but I am saying 
that if there is a possibility, I am not aware of it and I need to 
be so that I can prevent its recurrence.  I do believe that there is 
another more plausible explanation.

For instance, what procedure occurs at the server itself that 
allows the revocation to occur?  Is it a fully automated event? Is 
there a way for a person without a key to issue a command to the 
server in any way to make this happen? 
>
> I have verified that one can generate a revocation certificate without
> entering a passphrase if one has previously signed something (e.g. an
> email). So, it was probably just a very nasty prank.

This is good information, but I personally would give it a stronger 
name than prank.
>
> Maybe gpg shouldn't use the cached signing passphrase (or any cached
> passphrase) for generating a revocation certificate.

This does sound like a reasonable consideration, in my opinion. At 
least, I would like to have that option configurable.
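The cache window raised in the thread can be checked from the agent's configuration. The script below is an added example, not part of the original message or of GnuPG: it reads a gpg-agent.conf (typically `~/.gnupg/gpg-agent.conf`) and reports how long a passphrase may stay cached. The function names and verdict strings are made up for illustration, and whether `ignore-cache-for-signing` also covers revocation certificates in a given GnuPG version is an assumption to verify, which is why that case is reported as REVIEW rather than OK.

```shell
#!/bin/sh
# Added example (not from the thread): audit a gpg-agent.conf for the
# passphrase-cache window discussed above.

# Values gpg-agent uses when the option is absent, in seconds.
DEFAULT_CACHE_TTL=600
DEFAULT_MAX_CACHE_TTL=7200

# conf_value FILE OPTION: print the last value given for OPTION, if any.
conf_value() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }          # ignore comment lines
        $1 == opt  { val = $2 }      # a later line overrides an earlier one
        END        { if (val != "") print val }
    ' "$1"
}

# conf_flag FILE OPTION: succeed if the bare OPTION appears uncommented.
conf_flag() {
    awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }' "$1"
}

# audit_agent_cache FILE: print a one-line verdict for the cache settings.
audit_agent_cache() {
    ttl=$(conf_value "$1" default-cache-ttl)
    max=$(conf_value "$1" max-cache-ttl)
    ttl=${ttl:-$DEFAULT_CACHE_TTL}
    max=${max:-$DEFAULT_MAX_CACHE_TTL}
    case "$ttl$max" in
        *[!0-9]*) echo "INVALID: non-numeric TTL in $1"; return 0 ;;
    esac
    if [ "$ttl" -eq 0 ]; then
        echo "OK: default-cache-ttl=0, passphrases are not cached"
    elif conf_flag "$1" ignore-cache-for-signing; then
        # Assumption: confirm this option covers revocation certificates.
        echo "REVIEW: cached up to ${max}s, ignore-cache-for-signing set"
    else
        echo "EXPOSED: cached ${ttl}s after last use, up to ${max}s"
    fi
}

# Constructed sample config: the default ten-minute cache, written explicitly.
sample=$(mktemp)
printf '%s\n' 'default-cache-ttl 600' 'max-cache-ttl 7200' > "$sample"
audit_agent_cache "$sample"
rm -f "$sample"
```

After changing the file, `gpgconf --reload gpg-agent` makes the running agent re-read it and drops passphrases it already holds.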