invalid gpg key revocation

Faramir at
Wed Mar 7 01:31:11 CET 2012


On 06-03-2012 15:59, auto15963931 at wrote:

> I do in fact use gpg-agent and a cache >0, but this machine is not
> in a workplace or public location. It is in my home, in a place
> where visitors have no access, and my family would not have been
> able to do this. My machine has considerable security. I am not
> saying it would be 100% impossible to get access, but I am saying
> that if there is a possibility, I am not aware of it and I need to
> be so that I can prevent its recurrence. I do believe that there
> is another more plausible explanation.

  Same here, any attack (other than theft) on my machine would come
from the Internet.

> For instance, what procedure occurs at the server itself that
> allows the revocation to occur? Is it a fully automated event? Is
> there a way for a person without a key to issue a command to the
> server in any way to make this happen?

  Only your private key can generate the revocation certificate;
keyservers don't have your private key. After the revocation
certificate is generated, anybody can import it to your public key and
upload it to keyservers... remember rev certs must be capable of
revoking a key in case the private key is no longer available. So we
think probably somebody had access to your key, or to a backed up rev
cert. You say there was not an already generated rev cert, so it is
very likely your computer has a trojan on it.

  By the way, how long was your private key? 1024 bits? Or less?
Because if it was a 512-bit key, it MIGHT have been factorized.

  Just in case, I keep my master keys off-line; only the subkeys are
on my computer.

   Best regards
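
Added example, not part of the original message: a revocation certificate is an OpenPGP signature packet of type 0x20, so a key owner can read the creation time and issuer key ID out of a revoked key fetched from a keyserver to see when, and with which key, the revocation was made. The sketch below follows the RFC 4880 packet layout and assumes binary (dearmored) input; the function names and the sample bytes are constructed for illustration.

```python
def _length(buf, i, two_octet_max):          # RFC 4880 new-format length field
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= two_octet_max:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not handled")

def packets(data):                           # yields (tag, body) per packet
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                       # new-format packet header
            tag = hdr & 0x3F
            n, i = _length(data, i + 1, 223)
        else:                                # old-format packet header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def subpackets(area):                        # yields (type, value) per subpacket
    i = 0
    while i < len(area):
        n, i = _length(area, i, 254)         # n counts the type octet
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def revocations(data):                       # v4 key revocations (sig type 0x20)
    for tag, body in packets(data):
        if tag != 2 or body[0] != 4 or body[1] != 0x20:
            continue
        hlen = int.from_bytes(body[4:6], "big")            # hashed area length
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        info = {}
        for kind, val in subpackets(body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]):
            if kind == 2:                    # signature creation time (Unix)
                info["created"] = int.from_bytes(val, "big")
            elif kind == 16:                 # issuer key ID
                info["issuer"] = val.hex().upper()
        yield info

# Constructed sample: timestamp, key ID and signature bytes are made up.
SAMPLE_BODY = (bytes([4, 0x20, 1, 8, 0, 6, 5, 2]) + (1300000000).to_bytes(4, "big")
    + bytes([0, 10, 9, 16]) + bytes.fromhex("0123456789ABCDEF") + b"\x12\x34\x00\x08\xff")
SAMPLE = bytes([0xC2, len(SAMPLE_BODY)]) + SAMPLE_BODY
```

An issuer key ID found in the unhashed area is not covered by the signature, so treat it as a hint: only a signature check against the public key shows that the matching private key produced the revocation.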