On Sunday 04 March 2012, Robert J. Hansen wrote:
> On 3/4/2012 4:13 PM, auto15963...@hushmail.com wrote:
> > Hello. Supposing I create a key with an arbitrary user ID...
> 
> This seems to me to be a simple question wrapped up in a lot of
> unnecessarily specific details: "How is it possible for a
> non-authorized person to revoke a user ID?"
> 
>       1.  Mathematical weakness in the underlying
>           algorithms (unlikely but possible)
>       2.  Critical bug in GnuPG (unlikely but possible)
>       3.  Someone's swiped your private key (disturbingly
>           possible)

4. He has left his laptop unlocked and unattended for a very short 
period of time and he is using gpg-agent with a cache-ttl > 0.

I have verified that one can generate a revocation certificate without 
entering a passphrase if one has previously signed something (e.g. an 
email). So, it was probably just a very nasty prank.

Maybe gpg shouldn't use the cached signing passphrase (or any cached 
passphrase) for generating a revocation certificate.


Regards,
Ingo
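
As an added example (not Ingo's code and not part of GnuPG), the shell check below audits a gpg-agent.conf for the cache behaviour described above, a cache-ttl greater than zero letting anyone at an unlocked session sign or generate a revocation certificate without a passphrase, and shows the hardened form beside the weak one. The option names are gpg-agent's own; the two config snippets are constructed.

```shell
#!/bin/sh
# Audit gpg-agent.conf passphrase-cache settings. Option names
# (default-cache-ttl, max-cache-ttl, ignore-cache-for-signing) are real
# gpg-agent options; the sample configs are constructed for this example.

# Effective value of a numeric option; falls back to gpg-agent's documented
# defaults (600 s / 7200 s) when the option is absent. Accepts "opt val" or
# "opt=val"; the last occurrence wins, as it does for gpg-agent.
agent_opt() {
    # $1 = config text, $2 = option name, $3 = default
    v=$(printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]=]\{1,\}\([0-9]\{1,\}\).*/\1/p" |
        tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# "hardened" when a cached passphrase can never be reused for a signing
# operation (and so not for a revocation certificate), otherwise "weak".
cache_ttl_status() {
    cfg=$1
    if printf '%s\n' "$cfg" | grep -q '^[[:space:]]*ignore-cache-for-signing'; then
        echo hardened; return 0
    fi
    dflt=$(agent_opt "$cfg" default-cache-ttl 600)
    max=$(agent_opt "$cfg" max-cache-ttl 7200)
    if [ "$dflt" -eq 0 ] || [ "$max" -eq 0 ]; then echo hardened; else echo weak; fi
}

# Constructed sample: long cache lifetimes, signing allowed from cache.
WEAK_CONF='default-cache-ttl 3600
max-cache-ttl 86400'

# Constructed sample: cache kept short and never consulted for signing.
HARDENED_CONF='# never reuse a cached passphrase for signing operations
ignore-cache-for-signing
default-cache-ttl 60
max-cache-ttl 300'

# Flush whatever the running agent has cached (RELOADAGENT acts like SIGHUP,
# which drops all cached passphrases). No-op when no agent binary is present.
flush_agent_cache() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 0
    gpg-connect-agent reloadagent /bye >/dev/null 2>&1
}

echo "weak sample:     $(cache_ttl_status "$WEAK_CONF")"
echo "hardened sample: $(cache_ttl_status "$HARDENED_CONF")"
```

To check a live setup, pass `"$(cat ~/.gnupg/gpg-agent.conf)"` to `cache_ttl_status`, then `flush_agent_cache` before stepping away from the machine.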


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
