new (2003-11-30) keyanalyze results
David Shaw
dshaw at jabberwocky.com
Mon Dec 1 10:09:33 CET 2003
On Mon, Dec 01, 2003 at 09:06:08AM +0100, Adrian von Bidder wrote:
> On Monday 01 December 2003 00:08, David Shaw wrote:
>
> > According to the stats you sent earlier, only around 11% of Elgamal
> > sign+encrypt keys have been revoked. 21% are expired. 69% are still
> > usable. (The numbers don't add up to 100 since some keys are both
> > revoked and expired, plus I'm rounding).
> >
> > I hope that when 1.2.4 comes out there will be some more revocations
> > since there is nothing else that can be done with a type 20 key in
> > 1.2.4. Still, it is more likely that some of these are forgotten
> > keys.
>
> Hmm. I wonder if somebody shouldn't just revoke them. (As proof that
> they are *really* vulnerable).

Heh. I was waiting for someone to suggest this. I'm a little
surprised it took this long. ;)

Using a compromised key to revoke a key out from under someone else
raises some interesting ethical questions. It's similar (though not
quite as problematic) to the use of a virus to patch people's
computers without their knowledge. I don't plan on doing this, but
it's an interesting question nonetheless.

> Of course, this is only easy where it's the primary, where the
> selfsig is available.

It's only *possible* where it is the primary. Subkeys are revoked by
the primary key, so if the primary isn't Elgamal sign+encrypt, then
there is no way to get the revocation signature issued.

David
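
Added example (not part of the message above and not GnuPG code): a key owner's audit of their own keyring for type 20 keys, sorted into the revoked / expired / usable buckets and the primary / subkey split discussed in the thread. The listing is constructed sample data in the colon-delimited layout of `gpg --list-keys --with-colons`; the function names are made up for this example.

```python
# Added example: find Elgamal sign+encrypt (type 20) keys in a colon listing.
ELGAMAL_SIGN_ENCRYPT = "20"  # OpenPGP public-key algorithm id

# Constructed sample; fields: record type, validity, length, algo, key id, ...
SAMPLE = """\
pub:-:1024:20:AAAAAAAAAAAAAAA1:2000-01-01:::-:Constructed One <one@example.org>:
sub:-:2048:16:AAAAAAAAAAAAAAA2:2000-01-01::::
pub:r:1024:20:BBBBBBBBBBBBBBB1:1999-05-05:::-:Constructed Two <two@example.org>:
pub:e:1024:20:CCCCCCCCCCCCCCC1:1998-03-03:2001-03-03::-:Constructed Three <three@example.org>:
pub:-:1024:17:DDDDDDDDDDDDDDD1:2001-07-07:::-:Constructed Four <four@example.org>:
sub:-:2048:20:DDDDDDDDDDDDDDD2:2001-07-07::::
"""

def audit(listing):
    """Return (keyid, role, status, primary_keyid) for every type 20 key."""
    findings, primary = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 5 or f[0] not in ("pub", "sub"):
            continue                      # skip uid, sig, fpr and other records
        if f[0] == "pub":
            primary = f[4]                # subkeys that follow belong to this key
        if f[3] != ELGAMAL_SIGN_ENCRYPT:
            continue
        status = {"r": "revoked", "e": "expired"}.get(f[1], "usable")
        role = "primary" if f[0] == "pub" else "subkey"
        findings.append((f[4], role, status, primary))
    return findings

def summary(findings):
    """Count type 20 keys per status, as in the percentages quoted above."""
    counts = {"revoked": 0, "expired": 0, "usable": 0}
    for _, _, status, _ in findings:
        counts[status] += 1
    return counts

if __name__ == "__main__":
    for keyid, role, status, primary in audit(SAMPLE):
        if status != "usable":
            note = "already " + status
        elif role == "primary":
            note = "owner should revoke and replace the whole key"
        else:
            # Subkeys are revoked by the primary key, as the message explains.
            note = "owner revokes this subkey with primary " + primary
        print(keyid, role, note)
    print(summary(audit(SAMPLE)))
```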