RE: Revoking Old Lost Keys

[Alan Olsen <alano@teleport.com>]

At 09:47 AM 1/6/96 -0000, Frank O'Dwyer wrote:
>On Saturday, January 06, 1996 09:18, Timothy C. May[SMTP:tcmay@got.net] wrote:
>>At 7:07 AM 1/6/96, Bruce Baugh wrote:
>>>I'd like to bring up a problem I haven't seen addressed much yet, and which
>>>I think is going to come up with increasing frequency as PGP use spreads.
>>>
>>>The problem is this: how can one spread the word that an old key is no
>>>longer to be used when one no longer has the pass phrase, and cannot
>>>therefore create a revocation certificate?
>>
>>Basically, you are screwed. Any revocation you attempt will not be trusted,
>>as we will suspect the new "you" to be an attacker, perhaps an agent of the
>>NSA or the Illuminati. In the view that "you are your key," the old you no
>>longer exists.
>
>This is true, but the "old you" can be resurrected if you can get enough 
>people to believe your new key using any out-of-band means available
>to you.  You can also put a comment in your new key's uid explaining the
>problem and how to verify the new key. You will find it very hard to use this 
>new key for a while, though, during the transition period. Many people will
take 
>the existence of two keys with the same uid as suspicious in itself, since
it at 
>least indicates some kind of attack (even if only a denial of service
attack).  
There are times when you want multiple keys with the same ID.  I have two
key sizes becuase one is an older key.  I keep it around for use with people
who are using versions that do not support the larger keys.  (I have run
into this once from a sometimes user of PGP.  He finally upgraded.)  To
aleviate the suspicion, I have the two keys sign each other.

>This is really a usability flaw with current PGP.

Only if you use the name to refer to the key and not the hex ID.  (I found
out the hard way that some front ends use either the last key created or
whatever they feel like for signing keys and/or signing messages.  I am
still trying to straighten out some of the weird results of that.)
Fortunatly, some programs will use the hex ID to refer to the key so there
is no confusion.

>The PGP formats do allow for a 'revocation' certificate, but PGP doesn't
>implement it (yet, I guess).  In any case, it's not really strong enough, 
>since what it says is "I retract all my previous statements that this key is 
>related to this user".  This'd mean that you'd have to visit everyone who'd
ever 
>signed your key and get them to issue this retraction. What would be needed 
>for this problem is either an "anti-certificate" ("This key does not belong
to this 
>user"), or else some convention. For example, if two _trusted_ keys are
found for the 
>same uid, the most recent one could be chosen, and the earlier one be purged 
>from keyservers, etc.  This may be possible with current PGP.  I haven't
tried it, 
>but since I have some keys which have fallen into disuse, I will need to do so 
>sometime.).

Revocations are supported, but they require the passphrase.  (I have a
number of revokations on my keyring from various folks.)  The problem here
is occasions where you have forgotten the passphrase.  (I have an old
keyring that I need to go and revoke all of the old keys on it.  I have not
used them in a year or two.  I doubt if they are even on the keyserver...)
Eventually there will be a way of revoking keys in the circumstance.
Something similar to a notary (or a combination of notaries) who can vouch
and say "hey, this guy really did lose his keys".

Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction
        `finger -l alano@teleport.com` for PGP 2.6.2 key 
              http://www.teleport.com/~alano/ 
"Governments are potholes on the Information Superhighway." - Not TCMay