by hannob
3596 days ago
Seems some people are playing havoc with key ids. I got a mail earlier today I couldn't decrypt for unclear reasons. Now I understand why: It seems it was encrypted with a copy of my public key that is on the keyserver colliding with the keyid of my real key. Right now there is a revoked copy of my key there:
https://pgp.mit.edu/pks/lookup?search=hanno%40hboeck&op=inde...

What's exactly going on here? Other commenters indicate that someone uploaded keys from the evil32 page to the keyservers. Have the authors of evil32 now used their private keys to revoke them?

Anyway, the conclusion seems obvious: Keyids are dead, use full fingerprints. Latest gpg 2.1 versions already show full fingerprints by default. I still had a short keyid on my webpage, will change that now.
> I saw that your clone of the strong set is revoked?
> Someone downloaded our copy of the strong set and uploaded all of the keys to the SKS keyserver network. :( While we took on this project to help prompt GPG to build a more secure ecosystem, this mass clone made the keyservers harder for everyone to use. Of course anyone could use our tools to regenerate their own strong set clone and do this again, but we'd rather our keys not be used that way.
I take that to mean that yes, they continued to be in possession of the private keys.
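
An added example, not part of the thread: one way to check a keyring for the short key ID clashes discussed above and to select a key only by its full fingerprint. It assumes v4 keys (40-hex-digit fingerprints) and input in the `gpg --with-colons --fingerprint` layout; the sample records and the function names are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample in the layout of `gpg --with-colons --fingerprint` output.
# Fingerprints are made up; the first two share their last 8 hex digits.
SAMPLE = """\
pub:-:4096:1:1111222233334444:1400000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
uid:-::::1400000000::X::Alice Example <alice@example.org>:
pub:r:4096:1:9999888833334444:1400000001:::-:::sc:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB9999888833334444:
uid:r::::1400000001::Y::Alice Example <alice@example.org>:
pub:-:2048:1:0123456789ABCDEF:1400000002:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC0123456789ABCDEF:
"""

def parse_primary_keys(colons):
    """Return (fingerprint, validity) per primary key; validity 'r' = revoked."""
    keys, pending = [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = f[1]
        elif f[0] == "sub":
            pending = None  # ignore subkey fingerprints
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            keys.append((f[9].upper(), pending))
            pending = None
    return keys

def short_id_collisions(keys):
    """Group fingerprints by 32-bit short key ID (last 8 hex digits); keep clashes."""
    by_short = defaultdict(list)
    for fpr, _ in keys:
        by_short[fpr[-8:]].append(fpr)
    return {sid: fprs for sid, fprs in by_short.items() if len(fprs) > 1}

def select_key(keys, pinned):
    """Select a key by full v4 fingerprint only; refuse key IDs and revoked keys."""
    pinned = pinned.replace(" ", "").upper()
    if len(pinned) != 40:
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    for fpr, validity in keys:
        if fpr == pinned:
            if validity == "r":
                raise LookupError("key is revoked: " + fpr)
            return fpr
    raise LookupError("no key with that fingerprint")

if __name__ == "__main__":
    print(short_id_collisions(parse_primary_keys(SAMPLE)))
```
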