Key Management - BSI had send private key instead of public key

[Bernhard Reiter]

Am Mittwoch 17 November 2021 00:17:58 schrieb Стефан Васильев via Gnupg-users:
> According to an article on the German site golem.de[1]
> Germany's BSI[2] had sent its private key instead of
> it's public key to a user via email, who requested its
> public key.

> 
https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html

The article says that is was one private key, password encrypted
for one email address (probably a functional address for a team).
I have no further information on the incident,
and know of no MUA or GUI that makes attaching private key material to an 
email easy.

The most likely scenario would be, that there was a private key in a file
somewhere on the system that could be attached to an email manually.
As GnuPG itself uses a directory clearly named like .gnupg/private-keys-v1.d/,
there is a good chance that it was an exported private key named differently.

The BSI says to have 1400 employees, so not all of them will be technical
security experts, they were growing a lot. The BSI increasingly seems to use 
OpenPGP/MIME instead of S/MIME and is getting more accessible this way for 
encrypted email exchange.

Overall a good case for using more WKD in the client and the server, where the 
pubkey would have been transfered automatically with some basic trust and no 
need for a manual email attachment. 

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211117/68857888/attachment.sig>