invalid gpg key revocation

Peter Lebbing peter at digitalbrains.com
Tue Mar 6 20:58:50 CET 2012


On 06/03/12 19:36, auto15963931 at hushmail.com wrote:
> The revoked key appears to be on a keyserver.  When I do a search and view
> the result online, I can see my key ID number and user ID plainly identifying
> this key as having now been revoked.  I have not imported it.

The keyservers don't do any validation on revocation certificates; anyone who
feels like it can add /invalid/ revocation certificates to your key to annoy
you. But as soon as OpenPGP software imports the key from the keyserver, it will
simply discard /invalid/ revocation certificates as noise.

So I think the most likely thing is that someone who wants to annoy you has
uploaded not only your key, but also a fake revocation certificate to the
keyserver so the web interface will give you misleading information.

My suggestion:
- Back up your GnuPG home directory (the one with the keyrings and stuff)
- Import the key from the keyserver and check the validity of the revocation
- Perhaps restore the backup of the directory afterwards, or not

If it is an invalid revocation: unfortunate. To answer your next question: no,
it is not possible to remove your key or the false revocation from the
keyserver. This stuff is just noise. Users of keyservers need to be aware that
keyservers can contain noise, which does not harm the operation of the software,
but can be misleading, or potentially insulting. It is out of *your* control,
and therefore, when looked at sanely, also out of your responsibility.

Good luck,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
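One way to carry out the check suggested above without touching the live keyring, as an added example that is not part of the original post: instead of backing up and restoring the GnuPG home directory, fetch the key into a throw-away `--homedir` and read the result in colon format. It assumes a GnuPG 2.x `gpg` on PATH; the key ID `0123456789ABCDEF`, the keyserver `hkps://keyserver.example.invalid`, and the sample listings embedded for offline use are placeholders and constructed data, not anything from the post. The field meanings (validity `r` on the `pub` record, `!`/`-` on `rev` records) follow GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): check a suspected revocation
# in a throw-away GnuPG home directory, so the real keyring is never modified
# and no backup/restore is needed. Assumes GnuPG 2.x `gpg` on PATH; the key ID
# and keyserver used below are placeholders to be replaced by the reader.

# Parse `gpg --with-colons --list-keys` output from stdin and report whether the
# primary key is flagged revoked. Per GnuPG's doc/DETAILS, field 2 of the
# 'pub' record is the validity and 'r' means "revoked".
pub_revocation_status() {
    awk -F: '
        $1 == "pub" { s = ($2 == "r") ? "revoked" : "not-revoked"; print s; found = 1; exit }
        END { if (!found) print "no-key" }'
}

# Parse `gpg --with-colons --check-sigs` output from stdin and count revocation
# signatures ('rev' records) by verification result: field 2 is '!' for a good
# signature, '-' for a bad one, anything else ('?' or '%') for not verifiable.
revocation_signature_summary() {
    awk -F: '
        $1 == "rev" { if ($2 == "!") good++; else if ($2 == "-") bad++; else other++ }
        END { printf "good=%d bad=%d unverified=%d\n", good + 0, bad + 0, other + 0 }'
}

# Fetch the key into a scratch home and report. On import, gpg rejects any
# revocation certificate whose signature does not verify (it reports the
# skipped certificate on stderr), so only a *valid* revocation can make the
# listing below say "revoked"; a fake one uploaded to the keyserver is dropped.
check_revocation() {
    keyid=$1
    keyserver=${2:-hkps://keyserver.example.invalid}   # placeholder, not a recommendation
    scratch=$(mktemp -d) || return 1
    chmod 700 "$scratch"
    if ! gpg --homedir "$scratch" --batch --keyserver "$keyserver" --recv-keys "$keyid"; then
        rm -rf "$scratch"
        return 1
    fi
    status=$(gpg --homedir "$scratch" --batch --with-colons --list-keys "$keyid" 2>/dev/null \
             | pub_revocation_status)
    sigs=$(gpg --homedir "$scratch" --batch --with-colons --check-sigs "$keyid" 2>/dev/null \
           | revocation_signature_summary)
    rm -rf "$scratch"
    echo "$keyid: $status ($sigs)"
}

# Constructed sample listings (not real gpg output for any real key) so the
# parsers can be exercised offline; key ID and fingerprints are placeholders.
SAMPLE_REVOKED='pub:r:4096:1:0123456789ABCDEF:1330000000:::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:r::::1330000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:'
SAMPLE_LIVE='pub:-:4096:1:0123456789ABCDEF:1330000000:::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1330000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:'
SAMPLE_SIGS='pub:-:4096:1:0123456789ABCDEF:1330000000:::-:::sc::::::23::0:
rev:!::1:0123456789ABCDEF:1330000001::::[self-signature]:20x::::::::
rev:-::1:0123456789ABCDEF:1330000002::::[self-signature]:20x::::::::'

# Offline demonstration of the parsers; pass a key ID (and optionally a
# keyserver URL) as arguments to run the live check instead.
if [ "$#" -gt 0 ]; then
    check_revocation "$@"
else
    printf '%s\n' "$SAMPLE_REVOKED" | pub_revocation_status          # revoked
    printf '%s\n' "$SAMPLE_LIVE"    | pub_revocation_status          # not-revoked
    printf '%s\n' "$SAMPLE_SIGS"    | revocation_signature_summary   # good=1 bad=1 unverified=0
fi
```

Run as `sh check_revocation.sh 0123456789ABCDEF` with a real key ID to perform the check the post describes; with no arguments it only exercises the parsers on the constructed listings. The scratch `--homedir` is the reason the backup step becomes optional: whatever the keyserver hands back, valid or noise, lands in a directory that is deleted afterwards.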


