GD doesn't always accept revocations
Jason Harris
jharris at widomaker.com
Wed Feb 9 23:38:46 CET 2005
On Wed, Feb 09, 2005 at 04:25:48PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote:
> > It needs only to verify the revocation and remove the key immediately.
>
> Well, that's one possible answer. Why don't you suggest it to the GD
> people?
If this isn't already self-evident to them...
> Why go through a lot of bother to find an expired or revoked key which
> you then manipulate into being acceptable? Just make a brand new key
> with your victim's email address and submit that. It's the same
> result.
For one thing, anyone who followed the GD FAQ and simply removed a key
from the GD without revoking it in their own keyring may be duped into
confirming the fingerprint of a key they once used and probably still
have. The key may or may not be expired, but their encryption client
definitely can't heed a revocation that was never generated.
For another, why waste good bytes out of /dev/random? Besides, the
game is mostly over if the victim must first import a totally unknown key.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004