
List:       gnupg-users
Subject:    Re: invalid gpg key revocation
From:       Ingo Klöcker <kloecker () kde ! org>
Date:       2012-03-05 21:36:42
Message-ID: 201203052236.43408 () thufir ! ingo-kloecker ! de

On Sunday 04 March 2012, Robert J. Hansen wrote:
> On 3/4/2012 4:13 PM, auto15963931@hushmail.com wrote:
> > Hello. Supposing I create a key with an arbitrary user ID...
> 
> This seems to me to be a simple question wrapped up in a lot of
> unnecessarily specific details: "How is it possible for a
> non-authorized person to revoke a user ID?"
> 
> 	1.  Mathematical weakness in the underlying
> 	    algorithms (unlikely but possible)
> 	2.  Critical bug in GnuPG (unlikely but possible)
> 	3.  Someone's swiped your private key (disturbingly
> 	    possible)

4. He has left his laptop unlocked and unattended for a very short 
period of time and he is using gpg-agent with a cache-ttl > 0.

I have verified that one can generate a revocation certificate without 
entering a passphrase if one has previously signed something (e.g. an 
email). So, it was probably just a very nasty prank.

Maybe gpg shouldn't use the cached signing passphrase (or any cached 
passphrase) for generating a revocation certificate.


Regards,
Ingo
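
Added example, not part of the message above and not GnuPG's own code: a shell function that reads a gpg-agent.conf and reports whether a passphrase cached by an earlier signature could be reused without a prompt, which is the situation the message describes. It assumes gpg-agent's documented defaults (default-cache-ttl 600 s, max-cache-ttl 7200 s) when an option is absent, that options are set only in the file and not on the agent's command line, and that generating a revocation certificate reaches the agent as a signing operation so that `ignore-cache-for-signing` covers it; the sample config is constructed.

```shell
#!/bin/sh
# Added example: summarise the passphrase-cache exposure implied by a
# gpg-agent.conf. Absent options fall back to the documented defaults.
# Assumption: revocation-certificate generation is a signing operation as far
# as the agent is concerned, so ignore-cache-for-signing applies to it.

audit_agent_cache() {
    conf=$1
    ttl=600 max=7200 sign_cache=used
    if [ -r "$conf" ]; then
        # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
        while read -r key val rest || [ -n "$key" ]; do
            case $key in
                ignore-cache-for-signing) sign_cache=ignored; continue ;;
                default-cache-ttl|max-cache-ttl) ;;
                *) continue ;;      # comments, blank lines, other options
            esac
            case $val in ''|*[!0-9]*) continue ;; esac   # skip non-numeric values
            if [ "$key" = default-cache-ttl ]; then ttl=$val; else max=$val; fi
        done < "$conf"
    fi
    # The idle window is bounded by both TTLs; 0 is treated as "nothing cached".
    window=$ttl
    if [ "$max" -lt "$window" ]; then window=$max; fi
    if [ "$window" -eq 0 ] || [ "$sign_cache" = ignored ]; then
        verdict=prompt-expected
    else
        verdict=cached-signing-possible
    fi
    echo "window=${window}s signing-cache=$sign_cache verdict=$verdict"
}

# Constructed sample config for a stand-alone run.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'default-cache-ttl 3600' \
    'max-cache-ttl 86400' > "$demo"
audit_agent_cache "$demo"
rm -f "$demo"
```

To check a real setup, call `audit_agent_cache "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"`.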
