On Wed, Mar 16, 2022 at 07:39:35PM +0100, Hubert Lombard wrote:
> Hi Henning!
>
> > On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > > Hello !
> > >
> > > I recently started to get interested in GPG. Last week, during my first
> > > tests, I sent my first key to 'keys.gnupg.net'
> > > but I understood only yesterday that this server could have been
> > > compromised since 2019. When I tried to revoke the key permanently, it
> > > was not found.
> > > So I deleted the key from my computer with Seahorse, and immediately
> > > after, still with Seahorse, I generated a new key pair using the same
> > > email address and choosing the key server 'keys.openpgp.org'
> >
> > Why? The integrity of your private key will not be affected by the
> > keyserver you put your public key on.
> >
> Oh, I didn't know, I was advised yesterday on another irc channel
> (#debian-facile) to change my key server:
>
> "They were ('keys.gnupg.net' and others) all flooded with fake keys mid-2019
> this is the reason why debian, among others, uses keys.openpgp.org as a keyserver
> see also CVE-2019-13050 (SKS servers poisoning)"

Well, that was good advice, however you didn't have to revoke your key.
Your key was not compromised by using a different key server.
You'll revoke your key when you think something is wrong with your
private key. And it basically is a public notice to anybody else to not
trust that key after a certain date.
But it will not remove the key from anywhere. It's out there for good.

> >
> > >
> > > When creating this new key pair, instead of going directly to the
> > > revocation step, I sent my public key.
> > > After that, I performed the revocation step.
> >
> > That again does not make any sense. Why would you create a key pair
> > just to revoke this immediately?
> >
> In fact, while following some instructions for use, I have just tried
> to generate the revocation certificates.
> As English is not my native language, there may have been an ambiguity
> in the form of my question.
> I mistakenly used the term "performed", when I simply tried to generate
> the certificates,
> just to have them on hand...

That is common practice. And yes I obviously misunderstood.

>
> hubert@gnu ~$ gpg --gen-revoke 185B13B0 > .gnupg/openpgp-revocs.d/E67C43563F94C4756557A483B2A8FF57185B13B0.rev
>
> sec rsa2048/B2A8FF57185B13B0 2022-03-15 Hubert Lombard <contact@hubert-lombard.website>
>
> Faut-il créer un certificat de révocation pour cette clef ? (o/N)
>
> I have left "N"
>
> I was afraid that by choosing 'o', the key would be permanently revoked.
>
> I will have to clarify this question.
>
> Otherwise, in my question to the list, I thought I had done the steps
> out of order :/
> But I just realized on https://emailselfdefense.fsf.org/en/ that I
> followed the steps correctly.
>
> >
> > > Could the inversion of these 2 steps have had an impact on the fact
> > > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > > On the other hand, it does find my
> > > E67C43563F94C4756557A483B2A8FF57185B13B0 key
> > >
> > > I'm wondering at this point if there is an error I could fix or if it's
> > > better to revoke/delete this current key-pair.
> >
> > Maybe you want to read the GNU Privacy Handbook
> > https://gnupg.org/gph/en/manual.html
> > It is not a perfect beginners guide but it may give you a better
> > understanding how things are working.
> >
> The link looks like precious infos.
>
> In my bookmarks right now!
>
> Thank you for your answer.
>
> Regards
>
> --
> Hubert Lombard <contact@hubert-lombard.website>

--
Henning Follmann | hfollm...@itcfollmann.com
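
Added example, not part of the thread: a shell demo of the point discussed above, that having a revocation certificate on disk leaves the key valid and only importing it marks the key revoked. It assumes GnuPG 2.1 or later, uses a throwaway keyring and a placeholder identity (`demo@example.invalid`), and never contacts a keyserver; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Constructed demo: temporary GNUPGHOME, placeholder identity, no network access.

key_state() {  # prints "revoked" or "not-revoked" for the key with fingerprint $1
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '$1 == "pub" { print ($2 == "r" ? "revoked" : "not-revoked"); exit }'
}

revocation_demo() {  # prints "<state with certificate on disk> <state after import>"
  demo_home="$(mktemp -d)" || return 1
  chmod 700 "$demo_home"
  export GNUPGHOME="$demo_home"
  demo_uid='Demo User <demo@example.invalid>'   # placeholder identity

  # Unprotected test key. At creation time GnuPG 2.1+ also writes a revocation
  # certificate to openpgp-revocs.d/<fingerprint>.rev.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$demo_uid" default default never 2>/dev/null || return 1
  demo_fpr="$(gpg --batch --with-colons --list-keys "$demo_uid" 2>/dev/null |
              awk -F: '$1 == "fpr" { print $10; exit }')"
  demo_rev="$demo_home/openpgp-revocs.d/$demo_fpr.rev"
  [ -s "$demo_rev" ] || return 1

  # The certificate exists, but the key itself is untouched.
  state_before="$(key_state "$demo_fpr")"

  # Revocation takes effect only when the certificate is imported. The stored
  # file has a ':' in front of the armor header to prevent accidental use.
  sed 's/^:-----BEGIN/-----BEGIN/' "$demo_rev" |
    gpg --batch --quiet --import 2>/dev/null
  state_after="$(key_state "$demo_fpr")"

  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$demo_home"
  unset GNUPGHOME
  echo "$state_before $state_after"
}

revocation_demo
```

Other people learn of the revocation only once the revoked public key is sent to them or to a keyserver, which this demo does not do.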