Key revocation UI confusion

Andy Bennett andyjpb at ashurst.eu.org
Thu Oct 13 00:50:19 CEST 2011


Hi,

I've been happily using my key for many years. It started off in PGP on
Windows and I imported it into GnuPG 1.4.9 on Debian Lenny a few years ago.
At that time I revoked a few of the old UIDs and the encryption subkey.
I then created a new encryption subkey which I've been using ever since.

Today someone suggested that they thought I'd revoked my key so I looked
into it. At first I thought that they were possibly correct: some UIs
seem to suggest that my key has indeed been revoked. However, 'gpg
--verify' and Enigmail are happy to verify signatures made by my key and
both tools are happy to use the key as if it were valid.

Here's what happens if I look at the key with 'gpg --edit-key':

-----
$ gpg --edit-key 7EBA75FF
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/7EBA75FF  created: 2000-10-30  expires: never       usage: SCA
                     trust: ultimate      validity: ultimate
This key was revoked on 2008-05-28 by DSA key 7EBA75FF Andy Bennett
<andyjpb at ashurst.eu.org>
sub  2048g/64FEFE87  created: 2000-10-30  revoked: 2008-05-28  usage: E
sub  2048g/C65AF469  created: 2008-05-27  expires: never       usage: E
[ultimate] (1). Andy Bennett <andyjpb at ashurst.eu.org>
[ultimate] (2)  Andy Bennett <andyjpb at bigfoot.com>
[ revoked] (3)  Andy Bennett <andyjpb at ic24.net>
[ revoked] (4)  Andy Bennett <andyjpb at newscientist.net>
[ultimate] (5)  Andy Bennett <andyjpb at geniedb.com>

Command> quit
-----


The "This key was revoked..." message was potentially alarming as it
appeared immediately after the "pub" section.

However, a short experiment later, I'm pretty sure it refers to the
2048g/64FEFE87 subkey:

-----
Command> revkey
Do you really want to revoke the entire key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
-----

...

-----
Command> list

This key was revoked on 2011-10-12 by DSA key 7EBA75FF Andy Bennett
<andyjpb at ashurst.eu.org>
pub  1024D/7EBA75FF  created: 2000-10-30  revoked: 2011-10-12  usage: SCA
                     trust: ultimate      validity: revoked
This key was revoked on 2008-05-28 by DSA key 7EBA75FF Andy Bennett
<andyjpb at ashurst.eu.org>
sub  2048g/64FEFE87  created: 2000-10-30  revoked: 2008-05-28  usage: E
This key was revoked on 2011-10-12 by DSA key 7EBA75FF Andy Bennett
<andyjpb at ashurst.eu.org>
sub  2048g/C65AF469  created: 2008-05-27  revoked: 2011-10-12  usage: E
[ revoked] (1). Andy Bennett <andyjpb at ashurst.eu.org>
[ revoked] (2)  Andy Bennett <andyjpb at bigfoot.com>
[ revoked] (3)  Andy Bennett <andyjpb at ic24.net>
[ revoked] (4)  Andy Bennett <andyjpb at newscientist.net>
[ revoked] (5)  Andy Bennett <andyjpb at geniedb.com>

Command> quit
Save changes? (y/N)
Quit without saving? (y/N) y
-----

... so that's what the key would look like if it really had been
entirely revoked: it would say revoked *before* the "pub" section and in
the "pub" validity section.



Now, when I inspect the key here:

http://pgp.es.net/pks/lookup?op=vindex&fingerprint=on&search=0x387A76957EBA75FF

...there are rather worrying red "revok" lines in my primary UID as well
as in my encryption subkey 2048g/C65AF469 which I assumed was valid.

What do these lines mean?

It's clear that I've been receiving signatures on the primary UID since
the revok line and it's also clear that I've not been receiving
signatures on the UIDs that have actually been revoked.


I've found some other keys which I know to be in use, and have been
successfully verifying eMail from, that exhibit similar properties in
both UIs. Is this a property of my type of key or is it a bug or lack of
clarity in the visualization?



Many thanks for your time.




Regards,
@ndy

-- 
andyjpb at ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF

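An added example, not part of the original post and not GnuPG's own code: the confusion above comes from reading the human-oriented `--edit-key` listing, where a "This key was revoked" line for a subkey sits right under the "pub" line. The machine-readable `gpg --with-colons --list-keys` output puts the validity of each component in field 2 of its own record ("r" = revoked), so the primary key, each subkey and each UID can be checked separately. The parser below does that. The two listings it runs on are constructed: they follow the fixed-list-mode record layout from GnuPG's doc/DETAILS and are modelled on the key in the post, but the leading zeros in the subkey IDs stand in for the unknown high 32 bits (the post only shows short IDs), the UID hash field is left empty, and the second listing is what the same key would look like after the `revkey` experiment above.

```python
"""Decide which components of an OpenPGP key are revoked from
`gpg --with-colons --list-keys` output (GnuPG doc/DETAILS field layout)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Field 2 (validity) codes for pub/sub/uid records, per doc/DETAILS.
VALIDITY = {
    "o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown", "q": "undefined", "n": "never",
    "m": "marginal", "f": "full", "u": "ultimate",
}


@dataclass
class Component:
    kind: str               # "pub", "sub" or "uid"
    validity: str           # decoded word from VALIDITY
    keyid: str = ""         # field 5 (long key ID); empty for uid records
    user_id: str = ""       # field 10; empty for key records
    capabilities: str = ""  # field 12, e.g. "e" or "scaESCA"


@dataclass
class KeyReport:
    primary: Optional[Component] = None
    subkeys: List[Component] = field(default_factory=list)
    uids: List[Component] = field(default_factory=list)

    def primary_revoked(self) -> bool:
        """True only if the primary key itself carries a revocation."""
        return self.primary is not None and self.primary.validity == "revoked"

    def usable_encryption_subkeys(self) -> List[str]:
        """Key IDs of encryption-capable subkeys that are neither revoked nor expired."""
        return [s.keyid for s in self.subkeys
                if "e" in s.capabilities.lower()
                and s.validity not in ("revoked", "expired")]

    def summary(self) -> List[str]:
        lines = [f"pub {self.primary.keyid}: {self.primary.validity}"] if self.primary else []
        lines += [f"sub {s.keyid}: {s.validity}" for s in self.subkeys]
        lines += [f"uid {u.user_id}: {u.validity}" for u in self.uids]
        return lines


def parse_colons(listing: str) -> KeyReport:
    """Parse one key's worth of colon-separated records."""
    report = KeyReport()
    for raw in listing.splitlines():
        fields = raw.split(":")
        fields += [""] * (20 - len(fields))  # pad so short records index safely
        kind, validity = fields[0], VALIDITY.get(fields[1], "unknown")
        if kind == "pub":
            report.primary = Component(kind, validity, keyid=fields[4], capabilities=fields[11])
        elif kind == "sub":
            report.subkeys.append(Component(kind, validity, keyid=fields[4], capabilities=fields[11]))
        elif kind == "uid":
            report.uids.append(Component(kind, validity, user_id=fields[9]))
        # tru:, fpr:, sig:, rev: and other record types are not needed here
    return report


# Constructed sample (not real gpg output): the key from the post as it stands.
# Subkey IDs are padded with zeros because only the short IDs are known;
# the UID hash field (field 8) is left empty.  Dates are not parsed.
SAMPLE_LISTING = """\
pub:u:1024:17:387A76957EBA75FF:2000-10-30:::u:::scaESCA:
uid:u:::::::::Andy Bennett <andyjpb at ashurst.eu.org>:
uid:u:::::::::Andy Bennett <andyjpb at bigfoot.com>:
uid:r:::::::::Andy Bennett <andyjpb at ic24.net>:
uid:r:::::::::Andy Bennett <andyjpb at newscientist.net>:
uid:u:::::::::Andy Bennett <andyjpb at geniedb.com>:
sub:r:2048:16:0000000064FEFE87:2000-10-30::::::e:
sub:u:2048:16:00000000C65AF469:2008-05-27::::::e:
"""

# Constructed sample: the same key after a primary-key revocation, where gpg
# reports every UID and subkey as revoked too.
SAMPLE_FULLY_REVOKED = """\
pub:r:1024:17:387A76957EBA75FF:2000-10-30:::u:::scaESCA:
uid:r:::::::::Andy Bennett <andyjpb at ashurst.eu.org>:
sub:r:2048:16:0000000064FEFE87:2000-10-30::::::e:
sub:r:2048:16:00000000C65AF469:2008-05-27::::::e:
"""

if __name__ == "__main__":
    for name, listing in (("current", SAMPLE_LISTING), ("fully revoked", SAMPLE_FULLY_REVOKED)):
        rep = parse_colons(listing)
        print(f"[{name}] primary revoked: {rep.primary_revoked()}; "
              f"usable encryption subkeys: {rep.usable_encryption_subkeys()}")
        for line in rep.summary():
            print("   ", line)
```

On a live system feed it `gpg --with-colons --fixed-list-mode --list-keys 0x7EBA75FF` (the flag is the default from GnuPG 2.1 on; 1.4 needs it spelled out, and 1.4 prints dates as YYYY-MM-DD where 2.x prints epoch seconds, which the parser ignores). The first listing reports an ultimate primary key with one revoked and one usable encryption subkey, which is the situation the post describes; only the second reports the primary key as revoked.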



More information about the Gnupg-users mailing list