List: gnupg-users
Subject: Re: invalid gpg key revocation
From: Ingo Klöcker <kloecker () kde ! org>
Date: 2012-03-05 21:36:42
Message-ID: 201203052236.43408 () thufir ! ingo-kloecker ! de
On Sunday 04 March 2012, Robert J. Hansen wrote:
> On 3/4/2012 4:13 PM, auto15963931@hushmail.com wrote:
> > Hello. Supposing I create a key with an arbitrary user ID...
>
> This seems to me to be a simple question wrapped up in a lot of
> unnecessarily specific details: "How is it possible for a
> non-authorized person to revoke a user ID?"
>
> 1. Mathematical weakness in the underlying
> algorithms (unlikely but possible)
> 2. Critical bug in GnuPG (unlikely but possible)
> 3. Someone's swiped your private key (disturbingly
> possible)

4. He has left his laptop unlocked and unattended for a very short
period of time and he is using gpg-agent with a cache-ttl > 0.

I have verified that one can generate a revocation certificate without
entering a passphrase if one has previously signed something (e.g. an
email). So, it was probably just a very nasty prank.

Maybe gpg shouldn't use the cached signing passphrase (or any cached
passphrase) for generating a revocation certificate.

Regards,
Ingo
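
Added example, not part of the message above and not GnuPG code: a small shell check that reads a gpg-agent.conf and reports whether passphrases are cached, which is the "cache-ttl > 0" condition the message describes. The function names and the sample file are constructed for illustration; 600 s and 7200 s are gpg-agent's documented defaults for default-cache-ttl and max-cache-ttl.

```shell
#!/bin/sh
# Report the passphrase-cache lifetimes that a gpg-agent.conf yields.
# When an option is absent, gpg-agent's documented default is used.

effective_ttl() {   # $1 = option name, $2 = config file, $3 = default
    [ -r "$2" ] || { echo "$3"; return 0; }      # no file: defaults apply
    awk -v opt="$1" -v def="$3" '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == opt && $2 ~ /^[0-9]+$/ { v = $2 }  # assumed: last setting wins
        END { print (v == "" ? def : v) }' "$2"
}

audit_agent_cache() {   # $1 = path to gpg-agent.conf
    def=$(effective_ttl default-cache-ttl "$1" 600)
    max=$(effective_ttl max-cache-ttl "$1" 7200)
    if [ "$def" -gt 0 ]; then
        # A passphrase entered for signing stays usable for later secret-key
        # operations until the entry expires (the case in the message).
        status="CACHED"
    else
        status="NOT-CACHED"
    fi
    echo "default-cache-ttl=$def max-cache-ttl=$max $status"
}

# Constructed sample configuration, not taken from any real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# pinentry-program /usr/bin/pinentry
default-cache-ttl 3600
max-cache-ttl 86400
EOF
audit_agent_cache "$sample"
rm -f "$sample"
```

Pointing audit_agent_cache at the gpg-agent.conf in your GnuPG home directory shows the values in effect after the agent is next restarted or reloaded.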