(my) E-mail address not found by 'https://keys.openpgp.org'
hfollmann at itcfollmann.com
Wed Mar 16 20:00:18 CET 2022
On Wed, Mar 16, 2022 at 07:39:35PM +0100, Hubert Lombard wrote:
> Hi Henning!
> > On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > > Hello !
> > >
> > > I recently started to get interested in GPG. Last week, during my
> > > first
> > > tests, I sent my first key to 'keys.gnupg.net'
> > > but I understood only yesterday that this server could have been
> > > compromised since 2019. When I tried to revoke the key permanently,
> > > it
> > > was not found.
> > > So I deleted the key from my computer with Seahorse, and immediately
> > > after, still with Seahorse, I generated a new key pair using the
> > > same
> > > email address and choosing the key server 'keys.openpgp.org'
> > Why? The integrity of your private key will not be affected by the
> > keyserver you put your public key on.
> Oh, I didn't know, I was advised yesterday on another IRC channel
> (#debian-facile) to change my key server:
> "They were ('keys.gnupg.net' and others) all flooded with fake keys
> this is the reason why debian, among others, uses keys.openpgp.org as a
> see also CVE-2019-13050 (SKS servers poisoning)"
Well, that was good advice, however you didn't have to revoke your
key. Your key was not compromised by using a different key server.
You'll revoke your key when you think something is wrong with
your private key. And it basically is a public notice to
anybody else to not trust that key after a certain date. But
it will not remove the key from anywhere. It's out there for good.
> > >
> > > When creating this new key pair, instead of going directly to the
> > > revocation step, I sent my public key.
> > > After that, I performed the revocation step.
> > That again does not make any sense. Why would you create a key pair
> > just to revoke this immediately?
> In fact, while following some instructions for use, I have just tried
> to generate the revocation certificates.
> As English is not my native language, there may have been an ambiguity
> in the form of my question.
> I mistakenly used the term "performed", when I simply tried to generate
> the certificates,
> just to have them on hand...
That is common practice. And yes I obviously misunderstood.
> hubert at gnu ~$ gpg --gen-revoke 185B13B0 > .gnupg/openpgp-
> sec rsa2048/B2A8FF57185B13B0 2022-03-15 Hubert Lombard
> <contact at hubert-lombard.website>
> Create a revocation certificate for this key? (o/N)
> I have left "N".
> I was afraid that by choosing 'o', the key would be permanently
> I will have to clarify this question.
> Otherwise, in my question to the list, I thought I had done the steps
> out of order :/
> But I just realized on https://emailselfdefense.fsf.org/en/ that I
> followed the steps correctly.
> > >
> > > Could the inversion of these 2 steps have had an impact on the fact
> > > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > > On the other hand, it does find my
> > > E67C43563F94C4756557A483B2A8FF57185B13B0 key
> > >
> > > I'm wondering at this point if there is an error I could fix or if
> > > it's
> > > better to revoke/delete this current key-pair.
> > Maybe you want to read the GNU Privacy Handbook
> > https://gnupg.org/gph/en/manual.html
> > It is not a perfect beginners guide but it may give you a better
> > understanding how things are working.
> The link looks like precious infos.
> In my bookmarks right now!
> Thank you for your answer.
> Hubert Lombard <contact at hubert-lombard.website>
Henning Follmann | hfollmann at itcfollmann.com
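Added example (editor's addition, not code from the thread, from Hubert or from GnuPG): a small Python parser over `gpg --list-keys --with-colons` output that shows, offline, the two points made above. First, a revoked key is not removed: after a revocation certificate is imported the key still lists, with field 2 of its `pub` record set to `r`. Second, keys.openpgp.org serves one key under several VKS lookup URLs (by fingerprint, by key ID, by e-mail); a by-fingerprint lookup works as soon as the key is uploaded, while a by-e-mail lookup only answers after the address owner has confirmed the verification mail the server sends, which is the server's documented policy and is not discussed in the thread, but matches what Hubert observed. The sample listing is constructed: the first key copies the fingerprint, key ID, date and user ID from Hubert's post, the second key and all uid hashes are made up. The script builds the URLs but makes no network call.

```python
"""Parse `gpg --list-keys --with-colons` output offline, report which keys are
revoked and which user IDs they carry, and build the keys.openpgp.org VKS
lookup URLs for them (no network access)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import quote

VKS_BASE = "https://keys.openpgp.org/vks/v1"
EMAIL_RE = re.compile(r"<([^<>]+)>")

# Constructed sample listing, modelled on the key shown in the thread
# (fingerprint, key ID, date and user ID as posted); the second key and
# the uid hashes are made up.
SAMPLE = """\
tru::1:1647400000:0:3:1:5
pub:r:2048:1:B2A8FF57185B13B0:1647302400:::-:::sc::::::23::0:
fpr:::::::::E67C43563F94C4756557A483B2A8FF57185B13B0:
uid:r::::1647302400::0123456789ABCDEF0123456789ABCDEF01234567::Hubert Lombard <contact@hubert-lombard.website>::::::::::0:
sub:r:2048:1:0011223344556677:1647302400::::::e::::::23:
pub:u:255:22:1122334455667788:1647388800:::u:::scESC::::::23::0:
fpr:::::::::AABBCCDDEEFF00112233445566778899AABBCCDD:
uid:u::::1647388800::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Example User <user@example.org>::::::::::0:
"""


@dataclass
class Key:
    keyid: str
    validity: str
    fingerprint: str = ""
    uids: List[Tuple[str, str]] = field(default_factory=list)  # (validity, user id)

    @property
    def revoked(self) -> bool:
        # 'r' in field 2 of the pub record means a revocation certificate has
        # been imported; the key stays in the keyring and is only marked.
        return self.validity == "r"


def unescape(s: str) -> str:
    """--with-colons writes ':' and non-printable bytes as \\xNN inside fields."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_colons(text: str) -> List[Key]:
    keys: List[Key] = []
    cur: Optional[Key] = None
    primary = False  # the fpr record directly after pub is the primary key's
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            cur = Key(keyid=f[4], validity=f[1])
            keys.append(cur)
            primary = True
        elif rec in ("sub", "ssb"):
            primary = False  # a following fpr (if printed) belongs to a subkey
        elif rec == "fpr" and cur is not None and primary and not cur.fingerprint:
            cur.fingerprint = f[9]
        elif rec == "uid" and cur is not None:
            cur.uids.append((f[1], unescape(f[9])))
    return keys


def uid_email(uid: str) -> Optional[str]:
    m = EMAIL_RE.search(uid)
    return m.group(1).strip() if m else None


def vks_urls(key: Key) -> dict:
    """Lookup URLs of the keys.openpgp.org VKS interface for one key."""
    emails = [e for e in (uid_email(u) for _, u in key.uids) if e]
    return {
        "by-fingerprint": f"{VKS_BASE}/by-fingerprint/{key.fingerprint.upper()}",
        "by-keyid": f"{VKS_BASE}/by-keyid/{key.keyid.upper()}",
        # by-email answers only after the address owner has confirmed the
        # server's verification mail; until then this URL returns 404.
        "by-email": [f"{VKS_BASE}/by-email/{quote(e, safe='')}" for e in emails],
    }


def summarize(text: str = SAMPLE) -> List[dict]:
    return [
        {"fingerprint": k.fingerprint, "revoked": k.revoked,
         "uids": [u for _, u in k.uids], "urls": vks_urls(k)}
        for k in parse_colons(text)
    ]


if __name__ == "__main__":
    for entry in summarize():
        state = "REVOKED" if entry["revoked"] else "valid"
        print(f"{entry['fingerprint']} {state}")
        for u in entry["uids"]:
            print(f"  uid: {u}")
        for url in [entry["urls"]["by-fingerprint"], *entry["urls"]["by-email"]]:
            print(f"  {url}")
```

To run it against a real keyring, feed `gpg --list-keys --with-colons` output to `parse_colons()`; the revoked key from the sample still appears in the list, which is what "it will not remove the key from anywhere" means in practice. Subkey fingerprints (printed with `--with-subkey-fingerprints`) are skipped so that only the primary fingerprint ends up in the lookup URL.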