Mailing List Archive

(my) E-mail address not found by 'https://keys.openpgp.org'
Hello !

I recently started to get interested in GPG. Last week, during my first
tests, I sent my first key to 'keys.gnupg.net'
but I understood only yesterday that this server could have been
compromised since 2019. When I tried to revoke the key permanently, it
was not found.
So I deleted the key from my computer with Seahorse, and immediately
after, still with Seahorse, I generated a new key pair using the same
email address and choosing the key server 'keys.openpgp.org'

When creating this new key pair, instead of going directly to the
revocation step, I sent my public key.
After that, I performed the revocation step.

Could the inversion of these 2 steps have had an impact on the fact
that 'https://keys.openpgp.org/' does not find my e-mail address?
On the other hand, it does find my
E67C43563F94C4756557A483B2A8FF57185B13B0 key

I'm wondering at this point if there is an error I could fix or if it's
better to revoke/delete this current key-pair.

Thanks in advance for your advice

Regards

Hubert
--
Hubert Lombard <contact@hubert-lombard.website>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: (my) E-mail address not found by 'https://keys.openpgp.org'
Hi,

On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> Could the inversion of these 2 steps have had an impact on the fact
> that 'https://keys.openpgp.org/' does not find my e-mail address?
> On the other hand, it does find my
> E67C43563F94C4756557A483B2A8FF57185B13B0 key

Unlike most keyservers, keys.openpgp.org requires you verify your email
address before the key is available by email, but it can be searched by
fingerprint even without that (though it won't contain the email
information, iirc). Since this sounds similar, it seems to me like you
may not have completed this verification step, or something went wrong
there.

- Michael
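The behaviour Michael describes can be checked directly against the server, because keys.openpgp.org answers lookups over a small HTTPS API. The block below is an added example written for this archive page; it is not code from the thread, from GnuPG or from keys.openpgp.org itself. It assumes the public VKS endpoints `/vks/v1/by-fingerprint/<FPR>`, `/vks/v1/by-keyid/<LONG KEY ID>` and `/vks/v1/by-email/<URL-ENCODED ADDRESS>`, and that the server answers HTTP 404 for an address whose verification was never completed. The helper names (`normalize_hex`, `vks_url`, `fetch_armored_key`, `diagnose`, `check_key`) are this example's own.

```python
"""Look a key up on keys.openpgp.org by fingerprint, key ID and e-mail, as the server does.

Added example, not code from the thread, GnuPG or keys.openpgp.org; endpoint paths are assumed
from the server's public VKS API.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

VKS_BASE = "https://keys.openpgp.org/vks/v1"


def normalize_hex(value: str) -> str:
    """Accept what gpg prints (space-grouped, 0x prefix, lower case) and return bare upper-case hex.
    Only a 40-digit v4 fingerprint or a 16-digit long key ID is accepted: an 8-digit short ID,
    such as the 185B13B0 in `gpg --gen-revoke 185B13B0`, is ambiguous and is rejected."""
    hex_only = re.sub(r"\s+", "", value)
    if hex_only[:2].lower() == "0x":
        hex_only = hex_only[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40}", hex_only):
        raise ValueError(f"need a 16-digit key ID or a 40-digit fingerprint, got {value!r}")
    return hex_only.upper()


def vks_url(selector: str, value: str) -> str:
    """URL for one of the three VKS selectors: 'fingerprint', 'keyid' or 'email'."""
    if selector == "email":
        return f"{VKS_BASE}/by-email/{urllib.parse.quote(value, safe='')}"
    hex_id = normalize_hex(value)
    if selector == "fingerprint":
        if len(hex_id) != 40:
            raise ValueError("by-fingerprint needs the full 40-digit fingerprint")
        return f"{VKS_BASE}/by-fingerprint/{hex_id}"
    if selector == "keyid":
        return f"{VKS_BASE}/by-keyid/{hex_id[-16:]}"  # long key ID = last 16 digits of the fingerprint
    raise ValueError(f"unknown selector {selector!r}")


def fetch_armored_key(url: str, timeout: float = 10.0):
    """Return the ASCII-armored key the server serves, or None on HTTP 404. Needs network access."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def diagnose(found_by_fingerprint: bool, found_by_email: bool) -> str:
    """Turn the two lookup results into the state the key is in on the server."""
    if not found_by_fingerprint:
        return "not on server: upload the key, then complete the verification mail"
    if not found_by_email:
        return "uploaded but e-mail not verified: request and complete the verification mail"
    return "uploaded and e-mail verified"


def check_key(fingerprint: str, email: str) -> str:
    """Run both lookups for one key and return the diagnosis (network access required)."""
    by_fpr = fetch_armored_key(vks_url("fingerprint", fingerprint)) is not None
    by_mail = fetch_armored_key(vks_url("email", email)) is not None
    return diagnose(by_fpr, by_mail)


if __name__ == "__main__":
    import sys
    # e.g. python3 vks_check.py E67C43563F94C4756557A483B2A8FF57185B13B0 contact@hubert-lombard.website
    print(check_key(sys.argv[1], sys.argv[2]))
```

Run with the fingerprint and address from this thread: a hit by fingerprint together with a 404 by e-mail is exactly the symptom reported above, and the remedy is to finish the server's e-mail verification, not to generate another key.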
Re: (my) E-mail address not found by 'https://keys.openpgp.org'
On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> Hello !
>
> I recently started to get interested in GPG. Last week, during my first
> tests, I sent my first key to 'keys.gnupg.net'
> but I understood only yesterday that this server could have been
> compromised since 2019. When I tried to revoke the key permanently, it
> was not found.
> So I deleted the key from my computer with Seahorse, and immediately
> after, still with Seahorse, I generated a new key pair using the same
> email address and choosing the key server 'keys.openpgp.org'

Why? The integrity of your private key will not be affected by the
keyserver you put your public key on.


>
> When creating this new key pair, instead of going directly to the
> revocation step, I sent my public key.
> After that, I performed the revocation step.

That again does not make any sense. Why would you create a key pair
just to revoke this immediately?

>
> Could the inversion of these 2 steps have had an impact on the fact
> that 'https://keys.openpgp.org/' does not find my e-mail address?
> On the other hand, it does find my
> E67C43563F94C4756557A483B2A8FF57185B13B0 key
>
> I'm wondering at this point if there is an error I could fix or if it's
> better to revoke/delete this current key-pair.

Maybe you want to read the GNU Privacy Handbook
https://gnupg.org/gph/en/manual.html
It is not a perfect beginners guide but it may give you a better
understanding how things are working.

>
> Thank in advance for your advice
>
> Regards
>
> Hubert
> --
> Hubert Lombard <contact@hubert-lombard.website>
>

--
Henning Follmann | hfollmann@itcfollmann.com


Re: (my) E-mail address not found by 'https://keys.openpgp.org'
Hi Michael!

Thank you for your answers, I have to learn and verify several things
indeed.
In particular, checking my email address, I didn't know that :)

'https://gnupg.org/gph/en/manual.html' will surely enlighten me on some
points...

Thanks again

Regards

> Hi,
>
> On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > Could the inversion of these 2 steps have had an impact on the fact
> > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > On the other hand, it does find my
> > E67C43563F94C4756557A483B2A8FF57185B13B0 key
>
> Unlike most keyservers, keys.openpgp.org requires you verify your email
> address before the key is available by email, but it can be searched by
> fingerprint even without that (though it won't contain the email
> information, iirc).  Since this sounds similar, it seems to me like you
> may not have completed this verification step, or something went wrong
> there.
>
> - Michael

--
Hubert Lombard <contact@hubert-lombard.website>

Re: (my) E-mail address not found by 'https://keys.openpgp.org'
Hi Henning!

> On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > Hello !
> >
> > I recently started to get interested in GPG. Last week, during my
> > first
> > tests, I sent my first key to 'keys.gnupg.net'
> > but I understood only yesterday that this server could have been
> > compromised since 2019. When I tried to revoke the key permanently,
> > it
> > was not found.
> > So I deleted the key from my computer with Seahorse, and immediately
> > after, still with Seahorse, I generated  a new key pair using the
> > same
> > email address and choosing the key server 'keys.openpgp.org'
>
> Why? The integrity of your private key will not be affected by the
> keyserver you put your public key on.
>
Oh, I didn't know, I was advised yesterday on another irc channel
(#debian-facile) to change my key server:

"They were ('keys.gnupg.net' and others) all flooded with fake keys
mid-2019
this is the reason why debian, among others, uses keys.openpgp.org as a
keyserver
see also CVE-2019-13050 (SKS servers poisoning)"
>
> >
> > When creating this new key pair, instead of going directly to the
> > revocation step, I sent my public key.
> > After that, I performed the revocation step.
>
> That again does not make any sense. Why would you create a key pair
> just to revoke this immediately?
>
In fact, while following some instructions for use, I have just tried
to generate the revocation certificates.
As English is not my native language, there may have been an ambiguity
in the form of my question.
I mistakenly used the term "performed", when I simply tried to generate
the certificates,
just to have them on hand...

hubert@gnu ~$ gpg --gen-revoke 185B13B0 > .gnupg/openpgp-revocs.d/E67C43563F94C4756557A483B2A8FF57185B13B0.rev

sec rsa2048/B2A8FF57185B13B0 2022-03-15 Hubert Lombard <contact@hubert-lombard.website>

Create a revocation certificate for this key? (y/N)

I left it at "N".

I was afraid that by choosing 'y' the key would be permanently revoked.

I will have to clarify this question.

Otherwise, in my question to the list, I thought I had done the steps
out of order :/
But I just realized on https://emailselfdefense.fsf.org/en/ that I
followed the steps correctly.

> >
> > Could the inversion of these 2 steps have had an impact on the fact
> > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > On the other hand, it does find my
> > E67C43563F94C4756557A483B2A8FF57185B13B0 key
> >
> > I'm wondering at this point if there is an error I could fix or if
> > it's
> > better to revoke/delete this current key-pair.
>
> Maybe you want to read the GNU Privacy Handbook
> https://gnupg.org/gph/en/manual.html
> It is not a perfect beginners guide but it may give you a better
> understanding how things are working.
>
The link looks like precious infos.

In my bookmarks right now!

Thank you for your answer.

Regards

>

--
Hubert Lombard <contact@hubert-lombard.website>

Re: (my) E-mail address not found by 'https://keys.openpgp.org'
On Wed, Mar 16, 2022 at 07:39:35PM +0100, Hubert Lombard wrote:
> Hi Henning!
>
> > On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > > Hello !
> > >
> > > I recently started to get interested in GPG. Last week, during my
> > > first
> > > tests, I sent my first key to 'keys.gnupg.net'
> > > but I understood only yesterday that this server could have been
> > > compromised since 2019. When I tried to revoke the key permanently,
> > > it
> > > was not found.
> > > So I deleted the key from my computer with Seahorse, and immediately
> > > after, still with Seahorse, I generated a new key pair using the
> > > same
> > > email address and choosing the key server 'keys.openpgp.org'
> >
> > Why? The integrity of your private key will not be affected by the
> > keyserver you put your public key on.
> >
> Oh, I didn't know, I was advised yesterday on another irc channel
> (#debian-facile) to change my key server:
>
> "They were ('keys.gnupg.net' and others) all flooded with fake keys
> mid-2019
> this is the reason why debian, among others, uses keys.openpgp.org as a
> keyserver
> see also CVE-2019-13050 (SKS servers poisoning)"

Well, that was good advice, however you didn't have to revoke your
key. Your key was not compromised by using a different key server.

You'll revoke your key when you think something is wrong with
your private key. And it basically is a public notice to
anybody else to not trust that key after a certain date. But
it will not remove the key from anywhere. It's out there for good.



> >
> > >
> > > When creating this new key pair, instead of going directly to the
> > > revocation step, I sent my public key.
> > > After that, I performed the revocation step.
> >
> > That again does not make any sense. Why would you create a key pair
> > just to revoke this immediately?
> >
> In fact, while following some instructions for use, I have just tried
> to generate the revocation certificates.
> As English is not my native language, there may have been an ambiguity
> in the form of my question.
> I mistakenly used the term "performed", when I simply tried to generate
> the certificates,
> just to have them on hand...

That is common practice. And yes I obviously misunderstood.

>
> hubert@gnu ~$ gpg --gen-revoke 185B13B0 > .gnupg/openpgp-revocs.d/E67C43563F94C4756557A483B2A8FF57185B13B0.rev
>
> sec rsa2048/B2A8FF57185B13B0 2022-03-15 Hubert Lombard <contact@hubert-lombard.website>
>
> Create a revocation certificate for this key? (y/N)
>
> I left it at "N".
>
> I was afraid that by choosing 'y' the key would be permanently revoked.
>
> I will have to clarify this question.
>
> Otherwise, in my question to the list, I thought I had done the steps
> out of order :/
> But I just realized on https://emailselfdefense.fsf.org/en/ that I
> followed the steps correctly.
>
> > >
> > > Could the inversion of these 2 steps have had an impact on the fact
> > > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > > On the other hand, it does find my
> > > E67C43563F94C4756557A483B2A8FF57185B13B0 key
> > >
> > > I'm wondering at this point if there is an error I could fix or if
> > > it's
> > > better to revoke/delete this current key-pair.
> >
> > Maybe you want to read the GNU Privacy Handbook
> > https://gnupg.org/gph/en/manual.html
> > It is not a perfect beginners guide but it may give you a better
> > understanding how things are working.
> >
> The link looks like precious infos.
>
> In my bookmarks right now!
>
> Thank you for your answer.
>
> Regards
>
> >
>
> --
> Hubert Lombard <contact@hubert-lombard.website>

--
Henning Follmann | hfollmann@itcfollmann.com


Re: (my) E-mail address not found by 'https://keys.openpgp.org'
Hi Henning,
>
> Well, that was good advice, however you didn't have to revoke your
> key. Your key was not compromised by using a different key server.
>
> You'll revoke your key when you think something is wrong with
> your private key. And it basically is a public notice to
> anybody else to not trust that key after a certain date. But
> it will not remove the key from anywhere. It's out there for good.
Got it! I didn't know...
>
> > In fact, while following some instructions for use, I have just tried
> > to generate the revocation certificates.
> > As English is not my native language, there may have been an
> > ambiguity
> > in the form of my question.
> > I mistakenly used the term "performed", when I simply tried to
> > generate
> > the certificates,
> > just to have them on hand...
>
> That is common practice. And yes I obviously misunderstood.
>
Thanks again Henning :)

Regards

Hubert Lombard <contact@hubert-lombard.website>

Re: (my) E-mail address not found by 'https://keys.openpgp.org'
Hi!

Just for the record:

> Oh, I didn't know, I was advised yesterday on another irc channel
> (#debian-facile) to change my key server:
>
> "They were ('keys.gnupg.net' and others) all flooded with fake keys
> mid-2019

You can't talk about fake keys on a keyserver. That is not the task of a
keyserver. A keyserver is just a place to store arbitrary keys. The
user needs to make sure that the key is authentic.

The actual DoS problem was that the keyservers also carry key
signatures. This led to some very large keys (due to arbitrarily added
key signatures) which took very long for gpg to check. This has
meanwhile been fixed in gpg by not importing 3rd-party key signatures
anymore.

There is actually no way in a system which on purpose is distributed and
non-controlled to inhibit the storage of keys. The keyserver protocol
unfortunately has had no specification on how to inhibit the addition of
arbitrary key signatures, for example by allowing uploads of new
key signatures only as data signed by the actual key.

keys.openpgp.org OTOH does away with the concept of a decentralized
system and tries again (like PGP.com and keyserver.org 20 years ago) to
establish a single source for keys. That is not what PGP, and thus
GnuPG, were invented for. Federation is okay for keyservers, but a central
authority is not desirable.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
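Werner's two points above, that a keyserver stores whatever signatures arrive attached to a key and that gpg now discards third-party key signatures on import, and Henning's earlier point that a revocation is a public notice carried with the key rather than a deletion, can both be seen at the OpenPGP packet level. The block below is an added example for this archive page, not GnuPG code: a small packet walker that keeps only self-signatures, which is the effect of `gpg --import-options self-sigs-only` (enabled by default for keyserver imports since GnuPG 2.2.17), and that recognises a key-revocation signature (signature type 0x20) issued by the key itself. The keyblock it inspects is constructed inside the block from dummy numbers and carries no valid signatures; it is not a real key, and all helper names are this example's own.

```python
"""Strip third-party certifications from an OpenPGP keyblock and detect revocation.

Added example, not GnuPG code; all key material below is constructed dummy data.
"""
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SIG_KEY_REVOCATION, SIG_POSITIVE_CERT, SUBPKT_ISSUER = 0x20, 0x13, 16  # RFC 4880 5.2.1, 5.2.3.5


def read_len(buf: bytes, i: int, subpacket: bool = False):
    """Variable-length integer of new-format headers and subpackets; returns (length, next_i)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < (255 if subpacket else 224):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")


def parse_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            length, i = read_len(data, i + 1)
        else:  # old-format header: low two bits give the size of the length field
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if n is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def v4_key_id(pubkey_body: bytes) -> bytes:
    """Key ID = low 64 bits of SHA-1(0x99 || 2-byte len || key packet body) (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]


def signature_issuer(sig_body: bytes):
    """Issuer key ID from a v4 signature's hashed or unhashed subpackets, else None."""
    if sig_body[0] != 4:
        return None
    pos = 4  # skip version, signature type, pubkey algorithm, hash algorithm
    for _ in range(2):
        area_len = struct.unpack(">H", sig_body[pos:pos + 2])[0]
        area, pos = sig_body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        j = 0
        while j < len(area):
            sp_len, j = read_len(area, j, subpacket=True)
            if area[j] & 0x7F == SUBPKT_ISSUER and sp_len == 9:
                return area[j + 1:j + 9]
            j += sp_len
    return None


def self_sigs_only(keyblock: bytes) -> list:
    """Keep every non-signature packet plus the signatures issued by the primary key."""
    kept, primary_id = [], None
    for tag, body in parse_packets(keyblock):
        if tag == TAG_PUBLIC_KEY and primary_id is None:
            primary_id = v4_key_id(body)
        if tag == TAG_SIGNATURE and signature_issuer(body) != primary_id:
            continue  # third-party certification: this is what the 2019 flood consisted of
        kept.append((tag, body))
    return kept


def is_revoked(packets: list) -> bool:
    """True if the primary key carries a key-revocation signature issued by itself."""
    primary_id = v4_key_id(next(b for t, b in packets if t == TAG_PUBLIC_KEY))
    return any(t == TAG_SIGNATURE and b[1] == SIG_KEY_REVOCATION and signature_issuer(b) == primary_id
               for t, b in packets)


def new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body  # new-format header; sample bodies are < 192 bytes


def mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def dummy_sig_body(issuer: bytes, sig_type: int = SIG_POSITIVE_CERT) -> bytes:
    """Constructed v4 signature: RSA/SHA-256, issuer subpacket in the hashed area, placeholder MPI."""
    sub = bytes([9, SUBPKT_ISSUER]) + issuer
    return bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(sub)) + sub + b"\x00\x00\xAB\xCD" + mpi(0x1234)


def build_keyblock(n_foreign: int, revoked: bool = False) -> bytes:
    """Constructed keyblock: dummy primary key, user ID (old-format header), self-sig, optional
    revocation, then n_foreign certifications from keys that are not ours (the flood)."""
    pubkey = b"\x04" + struct.pack(">I", 1647302400) + b"\x01" + mpi(0xC0FFEE1234567890ABCDEF) + mpi(65537)
    own, uid = v4_key_id(pubkey), b"Example <example@example.invalid>"
    parts = [new_packet(TAG_PUBLIC_KEY, pubkey), bytes([0x80 | (TAG_USER_ID << 2), len(uid)]) + uid,
             new_packet(TAG_SIGNATURE, dummy_sig_body(own))]
    if revoked:
        parts.insert(1, new_packet(TAG_SIGNATURE, dummy_sig_body(own, SIG_KEY_REVOCATION)))
    for k in range(n_foreign):
        parts.append(new_packet(TAG_SIGNATURE, dummy_sig_body(hashlib.sha1(b"flooder-%d" % k).digest()[-8:])))
    return b"".join(parts)
```

Feeding `build_keyblock(50000)` through `self_sigs_only` leaves three packets, which is why gpg's import filter ends the slowdown Werner describes; and a revocation survives the same filter because it is issued by the key itself, which is why revoking announces but never removes anything.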