On Wednesday 17 November 2021 00:17:58, Стефан Васильев via Gnupg-users wrote:
> According to an article on the German site golem.de[1]
> Germany's BSI[2] had sent its private key instead of
> its public key to a user via email, who requested its
> public key.
> https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html

The article says that it was one private key, password encrypted, for one email address (probably a functional address for a team).

I have no further information on the incident, and know of no MUA or GUI that makes attaching private key material to an email easy. The most likely scenario would be that there was a private key in a file somewhere on the system that could be attached to an email manually. As GnuPG itself uses a directory clearly named like .gnupg/private-keys-v1.d/, there is a good chance that it was an exported private key named differently.

The BSI says it has 1400 employees, so not all of them will be technical security experts; they were growing a lot. The BSI increasingly seems to use OpenPGP/MIME instead of S/MIME and is getting more accessible this way for encrypted email exchange.

Overall a good case for using more WKD in the client and the server, where the pubkey would have been transferred automatically with some basic trust and no need for a manual email attachment.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
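The scenario described above (an exported private key file, possibly renamed, attached by hand) can be caught by looking at the attachment's content rather than its name. The following is an added example, not code from the thread or from GnuPG: it classifies file content as OpenPGP private or public key material by the ASCII-armor header or, for binary exports, by the tag of the first OpenPGP packet (RFC 4880 section 4.3). The sample attachments are constructed; a passphrase-protected secret key still starts with a Secret-Key packet, so it is detected the same way.

```python
# OpenPGP packet tags (RFC 4880 section 4.3)
SECRET_KEY_TAGS = {5, 7}   # Secret-Key, Secret-Subkey
PUBLIC_KEY_TAGS = {6, 14}  # Public-Key, Public-Subkey

ARMOR_PRIVATE = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_PUBLIC = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"


def first_packet_tag(data: bytes):
    """Return the tag of the first OpenPGP packet in binary data, or None."""
    if not data or not data[0] & 0x80:   # bit 7 must be set in any packet header
        return None
    b = data[0]
    if b & 0x40:                         # new-format header: tag in the low six bits
        return b & 0x3F
    return (b >> 2) & 0x0F               # old-format header: tag in bits 2..5


def classify_key_material(data: bytes) -> str:
    """Classify content as 'private', 'public' or 'other' OpenPGP key material."""
    if ARMOR_PRIVATE in data:
        return "private"
    if ARMOR_PUBLIC in data:
        return "public"
    tag = first_packet_tag(data)         # binary (non-armored) export
    if tag in SECRET_KEY_TAGS:
        return "private"
    if tag in PUBLIC_KEY_TAGS:
        return "public"
    return "other"


def flag_private_attachments(attachments: dict) -> list:
    """Return the names of attachments that contain private key material."""
    return [name for name, data in attachments.items()
            if classify_key_material(data) == "private"]


if __name__ == "__main__":
    # Constructed sample attachments: the private key is misleadingly named.
    samples = {
        "team-pubkey.asc": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n",
        "team-key.txt": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n",
        "export.gpg": b"\x95\x01\x00\x04",   # old-format header, tag 5 (Secret-Key)
        "notes.txt": b"plain text, no key material",
    }
    print("Blocked:", flag_private_attachments(samples))  # prints ['team-key.txt', 'export.gpg']
```

Such a check belongs in an outbound mail gateway or a pre-send hook, where it can block the message before it leaves the organisation.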
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users