Xref: sparky alt.security.pgp:674 sci.crypt:7568
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!think.com!sdd.hp.com!zaphod.mps.ohio-state.edu!
 menudo.uh.edu!jpunix!perry
From: pe...@jpunix.com (John A. Perry)
Subject: Key Revocation Problems
Organization: J. P. and Associates, Dickinson, TX
Date: Tue, 16 Feb 1993 23:56:35 GMT
Message-ID: <C2KFuC.7Iw@jpunix.com>
Keywords: PGP keys
Lines: 48

-----BEGIN PGP SIGNED MESSAGE-----

Hello Everyone!

Several of us have been wrestling with a key revocation problem for some time now. When I first installed PGP 2.1 I had a weird chain of events follow. I generated my personal key and sent a copy of my public key to Vesselin Bontchev and Ken van Wyk. This key was posted to one of the large keyrings almost immediately. Several hours later, I was still playing with PGP and suffered a disk crash. I had not yet had a chance to back up my keyring. Needless to say, I lost the keyring and now I have no way to revoke the key. The specific key I'm talking about is 0x76A3. The key I currently use, 0xB199 is the one I plan on using from now on. It is backed up frequently of course. About a week ago I sent a signed message to Vesselin explaining the problem and he agreed to add his own comments, sign it, and post it to alt.security.pgp and sci.crypt. The message seems to have fallen through the cracks which is why I'm posting this message.

I'm sure if Vesselin, expl...@iastate.edu, and war...@mit.edu are reading this, they will add their own verifications of this problem. If I receive the errant message from Vesselin, I'll repost it also.

In the meantime, if you feel this is enough verification to remove the public key 0x76A3 from your public keyring, I sure would appreciate it. If you require further verification, I will be glad to discuss it on the phone. My home number is 713-534-3653 and my work number is 409-772-2706 (the secretary). I apologize for any inconvenience.

At least this fluke chain of events may show everyone the importance of backing up your PGP keyrings often. Remember 0xB199 is the good one!!

-----BEGIN PGP SIGNATURE-----
Version: 2.1e
-----END PGP SIGNATURE-----

--
John A. Perry - pe...@jpunix.com jpunix!perry
PGP 2.1 signature available by fingering pe...@phil.utmb.edu

Xref: sparky alt.security.pgp:678 sci.crypt:7578
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!gatech!darwin.sura.net!paladin.american.edu!
 news.univie.ac.at!hp4at!mcsun!dxcern!dscomsa!news.DKRZ-Hamburg.DE!
 rzsun2.informatik.uni-hamburg.de!fbihh!bontchev
From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Key Revocation Problems
Message-ID: <bontchev.729974252@fbihh>
Keywords: PGP keys
Sender: ne...@informatik.uni-hamburg.de (Mr. News)
Reply-To: bont...@fbihh.informatik.uni-hamburg.de
Organization: Virus Test Center, University of Hamburg
References: <C2KFuC.7Iw@jpunix.com>
Date: 17 Feb 93 18:37:32 GMT
Lines: 63

-----BEGIN PGP SIGNED MESSAGE-----

Date: 17 Feb 93 18:37:32 GMT

pe...@jpunix.com (John A. Perry) writes:

> problem for some time now. When I first installed PGP 2.1 I had a
> weird chain of events follow. I generated my personal key and sent a
> copy of my public key to Vesselin Bontchev and Ken van Wyk. This key
> was posted to one of the large keyrings almost immediately. Several
> hours later, I was still playing with PGP and suffered a disk crash. I

[stuff deleted]

> course. About a week ago I sent a signed message to Vesselin
> explaining the problem and he agreed to add his own comments, sign it,
> and post it to alt.security.pgp and sci.crypt. The message seems to
> have fallen through the cracks which is why I'm posting this message.

I really posted it to those two newsgroups; maybe some of you have seen it. However, the problem is that with the wide and semi-automatic distribution of public keys, a key is like a virus; you just cannot get rid of it... Even if you delete it from your collection (which I did), you'll keep receiving it as an "update" from other places and people who have not deleted it. It is enough that a copy of the key "survives" in one collection, and it will quickly "infect" the collections again, if you are not paying attention...

Maybe it should be a good idea to implement something like "kill files" for PGP - e.g. files that describe public keys you don't want to be added in your public keyring.

> I'm sure if Vesselin, expl...@iastate.edu, and war...@mit.edu are
> reading this, they will add their own verifications of this problem.

I hereby certify with my signature that what John writes is true.

> If I receive the errant message from Vesselin, I'll repost it also.

I sent it to you by private e-mail (for the second time!), didn't you receive it?!

> Remember 0xB199 is the good one!!

I am using the user ID "jpunix"; it's easier to remember than the above key ID.

Regards,
Vesselin

-----BEGIN PGP SIGNATURE-----
Version: 2.1
-----END PGP SIGNATURE-----

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Xref: sparky alt.security.pgp:676 sci.crypt:7574
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!portal!sdd.hp.com!ux1.cso.uiuc.edu!news.iastate.edu!
 tbird.cc.iastate.edu!explorer
From: expl...@iastate.edu (Michael Graff)
Subject: Re: Key Revocation Problems
Message-ID: <explorer.729992087@tbird.cc.iastate.edu>
Keywords: PGP keys
Sender: ne...@news.iastate.edu (USENET News System)
Organization: Iowa State University, Ames IA
References: <C2KFuC.7Iw@jpunix.com>
Date: Wed, 17 Feb 1993 23:34:47 GMT
Lines: 43

--------
-----BEGIN PGP SIGNED MESSAGE-----

In <C2KFu...@jpunix.com> pe...@jpunix.com (John A. Perry) writes:

>I'm sure if Vesselin, expl...@iastate.edu, and war...@mit.edu are
>reading this, they will add their own verifications of this problem.

I have talked to John on the phone about this, and have removed the key from my master keyring on the keyserver. Derek (war...@mit.edu) has removed the key as well I believe.

> Remember 0xB199 is the good one!!

This is the GOOD key:

Type bits/keyID   Date       User ID
pub  1024/FFB199 1992/12/20  John A. Perry <home - pe...@jpunix.com>

As for Vesselin's virus analogy, he's right. All it would take is one person to refuse to remove a key, and it's here forever.

I'll look into something which can be put into the key server software I've written to possibly handle this sort of problem.

FYI: there are at least TWO incidents of this occurring so far. I'm sure it won't end there.

- --Michael Graff <expl...@iastate.edu>
PGP key on pgp-pub...@junkbox.cc.iastate.edu and other servers.

-----BEGIN PGP SIGNATURE-----
Version: 2.1e
-----END PGP SIGNATURE-----

Xref: sparky alt.security.pgp:679 sci.crypt:7583
Path: sparky!uunet!ogicse!uwm.edu!cs.utexas.edu!asuvax!ncar!sage.cgd.ucar.edu!prz
From: p...@sage.cgd.ucar.edu (Philip Zimmermann)
Newsgroups: alt.security.pgp,sci.crypt
Subject: Re: Key Revocation Problems
Keywords: PGP keys
Message-ID: <1993Feb18.054252.8147@ncar.ucar.edu>
Date: 18 Feb 93 05:42:52 GMT
Article-I.D.: ncar.1993Feb18.054252.8147
References: <C2KFuC.7Iw@jpunix.com> <explorer.729992087@tbird.cc.iastate.edu>
Sender: ne...@ncar.ucar.edu (USENET Maintenance)
Organization: Climate and Global Dynamics Division/NCAR, Boulder, CO
Lines: 2

I will give some thought to ameliorating this problem of revoking a lost PGP key. This may take a while before a clean solution emerges.

Xref: sparky alt.security.pgp:691 sci.crypt:7613
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!UB.com!pacbell.com!network.ucsd.edu!usc!
 howland.reston.ans.net!newsserver.jvnc.net!yale.edu!ira.uka.de!
 math.fu-berlin.de!news.netmbx.de!Germany.EU.net!mcsun!dxcern!dscomsa!
 news.DKRZ-Hamburg.DE!rzsun2.informatik.uni-hamburg.de!fbihh!bontchev
From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Key Revocation Problems
Message-ID: <bontchev.730060985@fbihh>
Keywords: PGP keys
Sender: ne...@informatik.uni-hamburg.de (Mr. News)
Reply-To: bont...@fbihh.informatik.uni-hamburg.de
Organization: Virus Test Center, University of Hamburg
References: <C2KFuC.7Iw@jpunix.com> <explorer.729992087@tbird.cc.iastate.edu>
Date: 18 Feb 93 18:43:05 GMT
Lines: 41

-----BEGIN PGP SIGNED MESSAGE-----

Date: 18 Feb 93 18:43:05 GMT

expl...@iastate.edu (Michael Graff) writes:

> I'll look into something which can be put into the key server software
> I've written to possibly handle this sort of problem.

Would be better if PGP could handle it somehow... The key server software is fine, but we should think that there are also people who are using PGP on PCs and who do not have easy access to the net... I think the best solution is to implement something like a kill file for PGP - file that lists keys you don't want to be added to your public keyring.

> FYI: there are at least TWO incidents of this occurring so far. I'm
> sure it won't end there.

There's a third one since yesterday. If you see a 384-bit key that belongs to Ross Greenberg (the author of FluShot+) and is signed by me, don't put it in your keyring. The good (new) key for Ross is 1024-bit (he -did- back up this one <grin>) and can be found in the public key collection at our ftp site.

Regards,
Vesselin

-----BEGIN PGP SIGNATURE-----
Version: 2.1
-----END PGP SIGNATURE-----

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Xref: sparky alt.security.pgp:694 sci.crypt:7621
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!haven.umd.edu!darwin.sura.net!gatech!news.ans.net!
 newsgate.watson.ibm.com!yktnews!admin!influenza!lucien
From: luc...@watson.ibm.com (Lucien Van Elsen)
Subject: Re: Key Revocation Problems
Sender: ne...@watson.ibm.com (NNTP News Poster)
Message-ID: <LUCIEN.93Feb19090132@fionavar.watson.ibm.com>
In-Reply-To: explorer@iastate.edu's message of Fri, 19 Feb 1993 11:34:02 GMT
Date: Fri, 19 Feb 1993 14:01:32 GMT
Disclaimer: This posting represents the poster's views, not necessarily those of IBM
References: <C2KFuC.7Iw@jpunix.com> <16B7813208.UC445585@mizzou1.missouri.edu>
 <PHR.93Feb18190547@napa.telebit.com> <1993Feb19.042438.28922@ucsu.Colorado.EDU>
 <explorer.730121642@tbird.cc.iastate.edu>
Nntp-Posting-Host: fionavar.watson.ibm.com
Organization: IBM T.J. Watson Research Center
Lines: 11

A more workable solution may be not to revoke the key if it doesn't receive a signed message, but instead just to have the server remove it from the list of keys it provides. This cleans out the unused/junk keys from the list, and doesn't have the security problems that allowing a third party to revoke your key for you does.

    -Lucien
--
-----------------------------------------------------------------------
Lucien Van Elsen                                            IBM Research
luc...@watson.ibm.com                                      Project Agora

Xref: sparky alt.security.pgp:696 sci.crypt:7628
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!portal!sdd.hp.com!zaphod.mps.ohio-state.edu!
 menudo.uh.edu!jpunix!perry
From: pe...@jpunix.com (John A. Perry)
Subject: Re: Key Revocation Problems
Organization: J. P. and Associates, Dickinson, TX
Date: Sat, 20 Feb 1993 00:33:04 GMT
Message-ID: <C2q1J5.6K4@jpunix.com>
References: <C2KFuC.7Iw@jpunix.com> <1993Feb19.042438.28922@ucsu.Colorado.EDU>
 <explorer.730121642@tbird.cc.iastate.edu>
 <LUCIEN.93Feb19090132@fionavar.watson.ibm.com>
Lines: 33

-----BEGIN PGP SIGNED MESSAGE-----

In article <LUCIEN.93F...@fionavar.watson.ibm.com> luc...@watson.ibm.com (Lucien Van Elsen) writes:

>A more workable solution may be not to revoke the key if it doesn't receive
>a signed message, but instead just to have the server remove it from the
>list of keys it provides. This cleans out the unused/junk keys from the
>list, and doesn't have the security problems that allowing a third party to
>revoke your key for you does.
>
> -Lucien

Sounds good in theory but I have removed the invalid key from my servers at least twice a day for the past several days. Like Vesselin said, it's like a virus. Anybody that decides to send their entire public keyring to the server invariably has the bad key as part of their public keyring if they have done any trading of public keyrings.

-----BEGIN PGP SIGNATURE-----
Version: 2.1e
-----END PGP SIGNATURE-----

--
John A. Perry - pe...@jpunix.com jpunix!perry
PGP 2.1 signature available by fingering pe...@phil.utmb.edu

Xref: sparky alt.security.pgp:700 sci.crypt:7645
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!gumby!destroyer!ncar!sage.cgd.ucar.edu!prz
From: p...@sage.cgd.ucar.edu (Philip Zimmermann)
Subject: Re: Key Revocation Problems
Message-ID: <1993Feb21.031902.446@ncar.ucar.edu>
Sender: ne...@ncar.ucar.edu (USENET Maintenance)
Organization: Climate and Global Dynamics Division/NCAR, Boulder, CO
References: <LUCIEN.93Feb19090132@fionavar.watson.ibm.com> <C2q1J5.6K4@jpunix.com>
 <PHR.93Feb19225224@napa.telebit.com>
Date: Sun, 21 Feb 1993 03:19:02 GMT
Lines: 6

PGP 2.2 will have a partial solution to the key revocation problem. This partial solution will address maybe 80-90% of the hassles described so far in these discussions. A later version of PGP will offer a better more formal solution. So just sit tight for a little while longer.

Xref: sparky alt.security.pgp:701 sci.crypt:7659
Path: sparky!uunet!ogicse!emory!sol.ctr.columbia.edu!destroyer!
 news.itd.umich.edu!honey
From: ho...@citi.umich.edu (Peter Honeyman)
Newsgroups: alt.security.pgp,sci.crypt
Subject: Re: Key Revocation Problems
Message-ID: <1m8a6s$7bb@terminator.rs.itd.umich.edu>
Date: 21 Feb 93 16:21:48 GMT
Article-I.D.: terminat.1m8a6s$7bb
References: <LUCIEN.93Feb19090132@fionavar.watson.ibm.com> <C2q1J5.6K4@jpunix.com>
 <PHR.93Feb19225224@napa.telebit.com> <1993Feb21.031902.446@ncar.ucar.edu>
Reply-To: ho...@citi.umich.edu
Distribution: world
Organization: Center for Information Technology Integration, Univ of Michigan
Lines: 9
NNTP-Posting-Host: hone.citi.umich.edu

Philip Zimmermann writes:

|> PGP 2.2 will have a partial solution to the key revocation problem.
|> This partial solution will address maybe 80-90% of the hassles described
|> so far in these discussions. A later version of PGP will offer a better
|> more formal solution. So just sit tight for a little while longer.

can you give a 25 word description? thanks.

    peter

Xref: sparky alt.security.pgp:702 sci.crypt:7672
Path: sparky!uunet!gumby!destroyer!news.itd.umich.edu!honey
From: ho...@citi.umich.edu (Peter Honeyman)
Newsgroups: alt.security.pgp,sci.crypt
Subject: Re: Key Revocation Problems
Date: 22 Feb 1993 14:11:39 GMT
Organization: Center for Information Technology Integration, Univ of Michigan
Lines: 37
Distribution: world
Message-ID: <1mamur$e0l@terminator.rs.itd.umich.edu>
References: <LUCIEN.93Feb19090132@fionavar.watson.ibm.com> <C2q1J5.6K4@jpunix.com>
 <PHR.93Feb19225224@napa.telebit.com> <1993Feb21.031902.446@ncar.ucar.edu>
 <1m8a6s$7bb@terminator.rs.itd.umich.edu>
Reply-To: ho...@citi.umich.edu
NNTP-Posting-Host: hone.citi.umich.edu

this note just in from prz (w/ permission to reprint):

Date: Sun, 21 Feb 93 14:44:53 MST
From: p...@sage.cgd.ucar.EDU (Philip Zimmermann)
To: ho...@citi.umich.edu
Message-Id: <930221214...@sage.cgd.ucar.EDU>
Subject: Re: Key Revocation Problems
Newsgroups: alt.security.pgp,sci.crypt
In-Reply-To: <1m8a6s$7...@terminator.rs.itd.umich.edu>
References: <LUCIEN.93F...@fionavar.watson.ibm.com> <C2q1J...@jpunix.com>
 <PHR.93Fe...@napa.telebit.com> <1993Feb21....@ncar.ucar.edu>
Organization: Climate and Global Dynamics Division/NCAR, Boulder, CO

PGP 2.2 will allow the user to set a flag in his own public keyring for a particular key to deactivate that key. When that flag is set, the following conditions hold--

1) Attempts to look up that key to use it for encryption will fail.

2) Attempts to extract it from the keyring will fail. This will reduce the "viruslike" properties of dead keys.

3) Attempts to add the same key to the keyring again will do what it does now, that is, fail because it is already on the keyring. This will also reduce the viruslike properties of dead keys.

The "pgp -kd" command is used to revoke your own key. But if you use the -kd command on someone else's public key, it will set this new deactivation flag for this key on your own public keyring.

A more permanent solution will be implemented in a future version. This interim solution should help reduce the hassles in the meantime. Hopefully, most keys that must be revoked now will have the secret key available so that a revocation certificate may be properly issued by the key's owner with the current -kd command.

Of course, I'm not the one implementing this new feature. I'm just telling you folks about it. :-)

Xref: sparky alt.security.pgp:704 sci.crypt:7686
Newsgroups: alt.security.pgp,sci.crypt
Path: sparky!uunet!pmafire!news.dell.com!swrinde!network.ucsd.edu!usc!
 howland.reston.ans.net!newsserver.jvnc.net!gmd.de!Germany.EU.net!mcsun!
 dxcern!dscomsa!news.DKRZ-Hamburg.DE!rzsun2.informatik.uni-hamburg.de!
 fbihh!bontchev
From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Key Revocation Problems
Message-ID: <bontchev.730425999@fbihh>
Sender: ne...@informatik.uni-hamburg.de (Mr. News)
Reply-To: bont...@fbihh.informatik.uni-hamburg.de
Organization: Virus Test Center, University of Hamburg
References: <LUCIEN.93Feb19090132@fionavar.watson.ibm.com> <C2q1J5.6K4@jpunix.com>
 <PHR.93Feb19225224@napa.telebit.com> <1993Feb21.031902.446@ncar.ucar.edu>
 <1m8a6s$7bb@terminator.rs.itd.umich.edu> <1mamur$e0l@terminator.rs.itd.umich.edu>
Date: 23 Feb 93 00:06:39 GMT
Lines: 30

ho...@citi.umich.edu (Peter Honeyman) writes:

> PGP 2.2 will allow the user to set a flag in his own public keyring
> for a particular key to deactivate that key. When that flag is set,
> the following conditions hold--

> 1) Attempts to look up that key to use it for encryption will fail.

> 2) Attempts to extract it from the keyring will fail. This will reduce
> the "viruslike" properties of dead keys.

> 3) Attempts to add the same key to the keyring again will do what it does
> now, that is, fail because it is already on the keyring. This will also
> reduce the viruslike properties of dead keys.

> The "pgp -kd" command is used to revoke your own key. But if you use the
> -kd command on someone else's public key, it will set this new deactivation
> flag for this key on your own public keyring.

That's a good solution, but there should be also a way to "revive" such keys marked as dead - for instance, if you mark them by mistake... Otherwise we'll be running into problems again...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
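
The deactivation flag from Zimmermann's note, compared with plain deletion of a dead key, as an added sketch that is not PGP source code and not part of any post in this thread. The Keyring class, its method names and the user IDs are constructed for illustration; only the key IDs 0x76A3 and 0xB199 come from the thread, and set_disabled(..., False) stands in for the "revive" operation asked for in the last reply.

```python
"""Toy model (not PGP code) of deleting vs. deactivating a dead public key."""
from dataclasses import dataclass

DEAD, GOOD = "0x76A3", "0xB199"      # key IDs quoted in the thread


@dataclass
class PubKey:
    key_id: str
    user_id: str
    disabled: bool = False           # local-only flag, never exported


class Keyring:
    def __init__(self, keys=()):
        self._keys = {}
        for key in keys:
            self.add(key)

    def add(self, key):
        """Add a key; fail (False) if that key ID is already on the ring."""
        if key.key_id in self._keys:
            return False             # condition 3: a disabled key keeps its slot
        self._keys[key.key_id] = PubKey(key.key_id, key.user_id)
        return True

    def remove(self, key_id):
        self._keys.pop(key_id, None)

    def set_disabled(self, key_id, disabled=True):
        # disabled=False is the hypothetical "revive" from the follow-up post
        self._keys[key_id].disabled = disabled

    def lookup_for_encryption(self, key_id):
        key = self._keys.get(key_id)
        if key is None or key.disabled:
            raise LookupError(f"{key_id} is not usable for encryption")  # condition 1
        return key

    def extract(self):
        """Keys this ring hands to others; disabled keys are withheld."""
        return [k for k in self._keys.values() if not k.disabled]        # condition 2

    def merge(self, exported):
        """Import someone else's exported ring; return key IDs newly added."""
        return [k.key_id for k in exported if self.add(k)]


def simulate(policy):
    """policy is 'delete' or 'disable'; returns what happens to the dead key."""
    sample = [PubKey(DEAD, "constructed user <old>"),
              PubKey(GOOD, "constructed user <new>")]
    mine, peer = Keyring(sample), Keyring(sample)
    if policy == "delete":
        mine.remove(DEAD)
    else:
        mine.set_disabled(DEAD)
    readded = mine.merge(peer.extract())      # peer sends in a whole keyring
    passed_on = [k.key_id for k in mine.extract()]
    return {"readded": readded, "passed_on": passed_on}
```

With "delete" the dead key returns on the next merge and is passed on again; with "disable" the merge adds nothing and the key is withheld from every later extract.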