On Sunday 04 March 2012, Robert J. Hansen wrote:
> On 3/4/2012 4:13 PM, auto15963...@hushmail.com wrote:
> > Hello. Supposing I create a key with an arbitrary user ID...
>
> This seems to me to be a simple question wrapped up in a lot of
> unnecessarily specific details: "How is it possible for a
> non-authorized person to revoke a user ID?"
>
> 1. Mathematical weakness in the underlying
>    algorithms (unlikely but possible)
> 2. Critical bug in GnuPG (unlikely but possible)
> 3. Someone's swiped your private key (disturbingly
>    possible)
4. He has left his laptop unlocked and unattended for a very short period of
   time and he is using gpg-agent with a cache-ttl > 0.

I have verified that one can generate a revocation certificate without
entering a passphrase if one has previously signed something (e.g. an
email). So, it was probably just a very nasty prank.

Maybe gpg shouldn't use the cached signing passphrase (or any cached
passphrase) for generating a revocation certificate.

Regards,
Ingo
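The mitigation Ingo hints at can be configured today without any change to gpg itself. The script below is an added example (not from the thread or from the GnuPG project): it writes a hardened gpg-agent.conf using gpg-agent's own options (ignore-cache-for-signing, default-cache-ttl, max-cache-ttl), provides a check for that directive, and wraps the cache flush one would call from a screen-lock hook; the config path is passed in as an argument so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: stop a cached passphrase from silently authorising further
# signatures (a revocation certificate is one) after the user walks away.
set -eu

# Write a hardened gpg-agent.conf to the given path
# (normally ~/.gnupg/gpg-agent.conf; passed in here as an assumption).
write_hardened_agent_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
# Before (weak): the agent defaults keep the passphrase for 10 minutes
# after any use, so an unattended session can sign without a prompt:
#   default-cache-ttl 600
#   max-cache-ttl 7200
#
# After (hardened): never reuse a cached passphrase for signing, and
# keep whatever is cached for decryption short-lived.
ignore-cache-for-signing
default-cache-ttl 60
max-cache-ttl 300
EOF
}

# Return 0 if the file carries an active (uncommented) ignore-cache-for-signing
# line, 1 otherwise; useful as a quick audit of a user's agent config.
agent_conf_is_hardened() {
    grep -Eq '^[[:space:]]*ignore-cache-for-signing([[:space:]]|$)' "$1"
}

# Flush every cached passphrase and re-read the config; call this from a
# screen-lock or suspend hook so leaving the keyboard also drops the secret.
flush_agent_cache() {
    gpg-connect-agent reloadagent /bye
}
```

Run `flush_agent_cache` after writing the file so the running agent picks up the new settings.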
Gnupg-users mailing list, Gnupg-users@gnupg.org, http://lists.gnupg.org/mailman/listinfo/gnupg-users