(my) E-mail address not found by 'https://keys.openpgp.org'

Hubert Lombard contact at hubert-lombard.website
Wed Mar 16 19:39:35 CET 2022

Hi Henning!

> On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > Hello !
> > 
> > I recently started to get interested in GPG. Last week, during my first
> > tests, I sent my first key to 'keys.gnupg.net'
> > but I understood only yesterday that this server could have been
> > compromised since 2019. When I tried to revoke the key permanently, it
> > was not found.
> > So I deleted the key from my computer with Seahorse, and immediately
> > after, still with Seahorse, I generated a new key pair using the same
> > email address and choosing the key server 'keys.openpgp.org'
> Why? The integrity of your private key will not be affected by the
> keyserver you put your public key on.
Oh, I didn't know, I was advised yesterday on another irc channel
(#debian-facile) to change my key server:

"They were ('keys.gnupg.net' and others) all flooded with fake keys
this is the reason why debian, among others, uses keys.openpgp.org as a
see also CVE-2019-13050 (SKS servers poisoning)"
> > 
> > When creating this new key pair, instead of going directly to the
> > revocation step, I sent my public key.
> > After that, I performed the revocation step.
> That again does not make any sense. Why would you create a key pair
> just to revoke this immediately?
In fact, while following some instructions for use, I have just tried
to generate the revocation certificates.
As English is not my native language, there may have been an ambiguity
in the form of my question.
I mistakenly used the term "performed", when I simply tried to generate
the certificates,
just to have them on hand...

hubert at gnu ~$ gpg --gen-revoke 185B13B0 > .gnupg/openpgp-

sec  rsa2048/B2A8FF57185B13B0 2022-03-15 Hubert Lombard
<contact at hubert-lombard.website>

Faut-il créer un certificat de révocation pour cette clef ? (o/N)

I have left "N"

I was afraid that by choosing 'o', the key would be permanently

I will have to clarify this question.

Otherwise, in my question to the list, I thought I had done the steps
out of order :/ 
But I just realized on https://emailselfdefense.fsf.org/en/ that I
followed the steps correctly.

> > 
> > Could the inversion of these 2 steps have had an impact on the fact
> > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > On the other hand, it does find my
> > E67C43563F94C4756557A483B2A8FF57185B13B0 key
> > 
> > I'm wondering at this point if there is an error I could fix or if it's
> > better to revoke/delete this current key-pair.
> Maybe you want to read the GNU Privacy Handbook
> https://gnupg.org/gph/en/manual.html
> It is not a perfect beginners guide but it may give you a better 
> understanding how things are working.
The link looks like precious infos.

In my bookmarks right now!

Thank you for your answer.



Hubert Lombard <contact at hubert-lombard.website>
