On Sun, Sep 28, 2003 at 02:03:07AM -0400, Travis Crump wrote: > Roberto Sanchez wrote: > >I just started playing with GPG today. Can't you tell? :-) > > > >Anyhow. I generated bunches of keys trying to get Enigmail to play nice > >with Thunderbird and also with gpg on the command line. > > > >When I finally got around to the part of the HowTo on searching for keys > >(of course I did not read through all the way before starting), I > >searched for my key. It turns out that at some point all my keys (3 in > >all) were exported. The problem is that I had already deleted the > >key-pairs from my machine, since they were just test runs. > > > >Is there a way to get rid of them from the keyservers? > > > >-Roberto > > If I wanted to, I could upload keys with your email/name to the > keyservers. If it made an ounce of difference, this would be a massive > denial of service vulnerability. It doesn't. Don't worry about it. Don't quite follow here... 1) Travis uploads a key with Roberto's email/name to the keyservers 2) Travis posts to the list as Roberto signed with the fake key 3) I receive the list mail 4) I see what I think is a signed message from Roberto and mutt/gpg reports "Good signature..." (fetching of keys I don't already have is transparent and automatic) OK, the fake key will have a different fingerprint, but given that Roberto has said he's experimenting with gpg, suddenly finding a new key wouldn't be too surprising. In an ideal world, my copy of Roberto's key would be signed by Roberto, or someone who knew Roberto and could verify that it was his key [recurse as required]. Unfortunately, this is not an ideal world. I've got loads of keys from list members which are not signed and most likely never will be. All they really tell me is that mail signed with keys with the same fingerprint came from the same sender. Until Roberto has been using gpg for a while and has built up a history of using a certain key, surely he is vulnerable to a "Travis attack"? -- Pigeon Be kind to pigeons Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
Attachment:
pgpNz0NTHSlwr.pgp
Description: PGP signature