Key Management - BSI had send private key instead of public key
bernhard at intevation.de
Wed Nov 17 16:18:15 CET 2021
On Wednesday 17 November 2021 00:17:58, Стефан Васильев via Gnupg-users wrote:
> According to an article on the German site golem.de
> Germany's BSI had sent its private key instead of
> its public key to a user via email, who requested its
> public key.
The article says that it was one private key, password encrypted
for one email address (probably a functional address for a team).
I have no further information on the incident,
and know of no MUA or GUI that makes attaching private key material to an
The most likely scenario would be that there was a private key in a file
somewhere on the system that could be attached to an email manually.
As GnuPG itself uses a directory clearly named like .gnupg/private-keys-v1.d/,
there is a good chance that it was an exported private key named differently.
The BSI says it has 1400 employees, so not all of them will be technical
security experts; they have been growing a lot. The BSI increasingly seems to use
OpenPGP/MIME instead of S/MIME and is getting more accessible this way for
encrypted email exchange.
Overall a good case for using more WKD in the client and the server, where the
pubkey would have been transferred automatically with some basic trust and no
need for a manual email attachment.
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner