2016-10-13

Today, someone wrote to ask me whether he should use that revoked PGP key of mine for sending encrypted mails. -- Revoked key? I've never revoked one of my keys. Hence, I took a look at the keyserver and, yes, my key shows up as revoked! I was puzzled.

After some investigation I discovered that it is not *my* key that is revoked but one that *looks like* my key. You see the difference more easily if you have a look at this view, for instance. [0]

Asking in the Debianforum.de provided some background information. [1] The forged keys were the result of a demonstration of an attack vector. They were revoked after someone uploaded those fake keys to a public keyserver.

I was a bit shocked -- not because those fake keys are there but because I hadn't heard of this information until I was hit by it. In my eyes, this is an evolutionary step for the PGP world (because this is the day one can no longer use short key IDs), but it was not seen and discussed as such. That's what I find problematic.

[0] http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=index&search=meillo%40marmaro.de&fingerprint=on
[1] https://debianforum.de/forum/viewtopic.php?f=37&t=162584

http://marmaro.de/lue/
markus schnalke
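
An added example, not part of the original post: a check that groups the keys in a `gpg --with-colons` listing by short key ID, flags look-alikes, and selects a key only by its full 40-digit fingerprint. The listing, fingerprints and address are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed `gpg --with-colons` style listing; all values are made up.
SAMPLE = """\
pub:-:4096:1:7777888899990000:1262304000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1262304000::::Alice Example <alice@example.org>:
pub:r:4096:1:0123456799990000:1402790400:::-:::sc:
fpr:::::::::ABCDEFABCDEFABCDEFABCDEF0123456799990000:
uid:r::::1402790400::::Alice Example <alice@example.org>:
pub:-:2048:1:CCCCDDDDEEEEFFFF:1300000000:::-:::scESC:
fpr:::::::::0000111122223333AAAABBBBCCCCDDDDEEEEFFFF:
uid:-::::1300000000::::Bob Example <bob@example.org>:
"""

def parse_keys(listing):
    """Return one dict per primary key: fingerprint, revoked flag, user IDs."""
    keys, cur, want_fpr = [], None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 2 is the validity; "r" marks a revoked key.
            cur = {"fpr": None, "revoked": f[1] == "r", "uids": []}
            keys.append(cur)
            want_fpr = True
        elif f[0] == "sub":
            want_fpr = False          # the next fpr belongs to a subkey
        elif f[0] == "fpr" and cur is not None and want_fpr:
            cur["fpr"] = f[9].upper()  # field 10 holds the fingerprint
            want_fpr = False
        elif f[0] == "uid" and cur is not None:
            cur["uids"].append(f[9])
    return keys

def short_id_collisions(keys):
    """Map each short ID (last 8 hex digits) shared by different keys to those keys."""
    by_short = defaultdict(list)
    for k in keys:
        by_short[k["fpr"][-8:]].append(k)
    return {s: ks for s, ks in by_short.items()
            if len({k["fpr"] for k in ks}) > 1}

def select_key(keys, expected_fpr):
    """Pick a key by full fingerprint only; refuse anything shorter."""
    want = expected_fpr.replace(" ", "").upper()
    if len(want) != 40:
        raise ValueError("need the full 40-digit fingerprint, not a key ID")
    return next((k for k in keys if k["fpr"] == want), None)
```

The fingerprint passed to `select_key` has to come from a channel other than the keyserver, since the forged key carries the same name and address.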