On Wed, Jan 04, 2006 at 07:01:17PM +0100, Christoph Anton Mitterer wrote:
> David Shaw wrote:
>
> >If an attacker compromises the keyserver or in any way distributes
> >your key himself, he can remove the new self-sig, leaving the old one
> >behind.
>
> Isn't it possible to revoke the older selfsig?

Sure, but you have exactly the same problem as before: an attacker can
simply unrevoke it by removing the revocation packet.

> Of course, it's still possible for an attacker to compromise the
> keyserver and/or distribute the key himself, but that risk exists always
> (e.g. when revoking the whole key - which is the same as revoking all
> the 0x13 selfsigs....)

Revoking the whole key is not the same as revoking all selfsigs. One
revokes the key. The other makes the key completely untrusted and
untrustable. They're not at all the same.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
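As an added example (not part of this thread and not GnuPG's code): a minimal OpenPGP packet walk showing why a removed revocation packet leaves a key that still parses as well-formed, so the stripping is only detectable against a copy you saved earlier. Packet layout follows the new-format header rule of RFC 4880; the key material and signature bodies are constructed dummies, and the creation time is flattened into the body only so that distinct self-sigs differ.

```python
import struct

# Constructed, minimal OpenPGP-style packets (new-format headers, RFC 4880 s4.2).
# Only the packet tag, length and the signature-type byte matter here; key
# material and signature bodies are dummy filler, not real cryptography.
SIG_POSITIVE_CERT = 0x13    # positive certification self-signature
SIG_CERT_REVOCATION = 0x30  # certification revocation

def packet(tag, body):
    """Encode one new-format packet with a one-octet body length (body < 192 bytes)."""
    assert 0 <= len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

def sig_packet(sig_type, created):
    """Dummy v4 signature: version, type, then a creation time (real signatures carry
    it in a hashed subpacket; flattened here so distinct self-sigs differ)."""
    return packet(2, bytes([4, sig_type]) + struct.pack(">I", created) + b"\x00" * 8)

def parse_packets(data):
    """Split a packet stream into (tag, body) tuples; one-octet lengths only."""
    packets, i = [], 0
    while i < len(data):
        tag, length = data[i] & 0x3F, data[i + 1]
        packets.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return packets

def signature_types(data):
    """Signature-type bytes of every signature packet on the key, in order."""
    return [body[1] for tag, body in parse_packets(data) if tag == 2]

def stripped_signatures(cached, fetched):
    """Signature packets in a locally cached copy that are missing from a freshly
    fetched copy. OpenPGP itself cannot flag this: a key with packets removed is
    still a well-formed key, so the only evidence is the copy you saved earlier."""
    fetched_sigs = {body for tag, body in parse_packets(fetched) if tag == 2}
    return [body for tag, body in parse_packets(cached)
            if tag == 2 and body not in fetched_sigs]

# Constructed key: pubkey, user ID, old self-sig, newer self-sig, revocation of the old one.
KEY_CACHED = (packet(6, b"\x04dummy-key-material") + packet(13, b"alice@example.test")
              + sig_packet(SIG_POSITIVE_CERT, 1_100_000_000)
              + sig_packet(SIG_POSITIVE_CERT, 1_136_400_000)
              + sig_packet(SIG_CERT_REVOCATION, 1_136_400_000))

# The rollback the thread describes: newer self-sig and revocation packet dropped,
# leaving only the old self-sig. This copy still parses cleanly on its own.
KEY_FETCHED = (packet(6, b"\x04dummy-key-material") + packet(13, b"alice@example.test")
               + sig_packet(SIG_POSITIVE_CERT, 1_100_000_000))

if __name__ == "__main__":
    print([hex(t) for t in signature_types(KEY_CACHED)])      # ['0x13', '0x13', '0x30']
    print([hex(t) for t in signature_types(KEY_FETCHED)])     # ['0x13']
    print(len(stripped_signatures(KEY_CACHED, KEY_FETCHED)))  # 2
```

The comparison is the practical mitigation: keep the last good copy of the keys you rely on and diff the signature packets after every refresh rather than trusting the fetched copy alone.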