The vendor can revoke his private/public key, generate a new private/public key pair and - hopefully this time - publish only the public key. BTW I believe a public key can be associated with more than one PGP private key, although doing so would still not explain the vendor's publishing a private key that could decrypt his public-key-encrypted data - regardless of how many other private keys could do so too.

Just my ha'penny.

Chris Poncelet (retired sysprog)
On 22/08/2019 20:41, Paul Gilmartin wrote:
> On Thu, 22 Aug 2019 14:13:58 -0500, Joel M Ivey wrote:
>
>> Thanks all for the response. I'm glad I wasn't missing something. I will
>> discuss further with the vendor, hoping they will recognize the risks.
>>
> How can the vendor recover from this without causing great
> disruption, even an indefinite time in the future, to existing
> customers who rely on the improperly distributed private key?
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> .
> ----------------------------------------------------------------------
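The recovery sequence Chris describes (revoke the exposed key, generate a fresh pair, publish only the public half) is easy to get wrong at the last step, which is exactly what happened to the vendor. Below is an added example, not code from anyone in this thread: a small POSIX shell check that refuses an armored export containing any PRIVATE KEY BLOCK, followed by the gpg commands for the revoke/regenerate/export steps recorded as comments. The key ids, the identity string and the sample armor bodies are placeholders I constructed; the gpg options themselves (--gen-revoke, --import, --send-keys, --quick-generate-key, --armor --export) are standard GnuPG options.

```shell
#!/bin/sh
# Added example: pre-publication check that an armored export carries only
# public key material. Not from the IBM-MAIN thread or from any vendor.

# Return 0 if FILE holds at least one public key block and no private key
# block at all; return 1 otherwise (so a mixed export is rejected).
armored_export_is_public_only() {
    file="$1"
    if grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$file"; then
        return 1
    fi
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$file"
}

# Constructed sample exports written into DIR (armor bodies truncated; a real
# export is much longer). pub_only.asc is what the vendor should publish;
# mixed.asc is the mistake the thread discusses: public and private halves
# exported into the same file.
make_samples() {
    dir="$1"
    printf '%s\n' \
        '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'mQENBF...' '-----END PGP PUBLIC KEY BLOCK-----' \
        > "$dir/pub_only.asc"
    printf '%s\n' \
        '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'mQENBF...' '-----END PGP PUBLIC KEY BLOCK-----' \
        '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'lQOYBF...' '-----END PGP PRIVATE KEY BLOCK-----' \
        > "$dir/mixed.asc"
}

# Recovery steps from the reply, as gpg commands. 0xOLDKEYID, 0xNEWKEYID and
# the identity string are hypothetical placeholders.
#   gpg --output old-revoke.asc --gen-revoke 0xOLDKEYID      # revocation certificate for the exposed key
#   gpg --import old-revoke.asc                              # mark it revoked in the local keyring
#   gpg --send-keys 0xOLDKEYID                               # publish the revocation to the keyserver
#   gpg --quick-generate-key 'Vendor <vendor@example.com>'   # fresh pair, private half stays local
#   gpg --armor --export 0xNEWKEYID > vendor-pub.asc         # --export (not --export-secret-keys)
#   armored_export_is_public_only vendor-pub.asc && echo 'safe to publish'

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    armored_export_is_public_only "$d/pub_only.asc" && echo "pub_only.asc: ok to publish"
    armored_export_is_public_only "$d/mixed.asc" || echo "mixed.asc: REJECTED, contains a private key block"
    rm -rf "$d"
fi
```

Run with `sh check.sh --demo` to see the two sample files classified. The check guards only the publication step; as Gil's question points out, revocation does not help data already encrypted to the exposed key, since anyone holding the leaked private half can still decrypt it. Customers have to re-encrypt to the new public key, and the old ciphertexts should be treated as disclosed.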