Hi Henning!

> On Wed, Mar 16, 2022 at 01:13:00PM +0100, Hubert Lombard wrote:
> > Hello !
> >
> > I recently started to get interested in GPG. Last week, during my
> > first tests, I sent my first key to 'keys.gnupg.net'
> > but I understood only yesterday that this server could have been
> > compromised since 2019. When I tried to revoke the key permanently,
> > it was not found.
> > So I deleted the key from my computer with Seahorse, and immediately
> > after, still with Seahorse, I generated a new key pair using the
> > same email address and choosing the key server 'keys.openpgp.org'
>
> Why? The integrity of your private key will not be affected by the
> keyserver you put your public key on.
>

Oh, I didn't know, I was advised yesterday on another IRC channel
(#debian-facile) to change my key server:

"They were ('keys.gnupg.net' and others) all flooded with fake keys
mid-2019
this is the reason why debian, among others, uses keys.openpgp.org as a
keyserver
see also CVE-2019-13050 (SKS servers poisoning)"

> >
> > When creating this new key pair, instead of going directly to the
> > revocation step, I sent my public key.
> > After that, I performed the revocation step.
>
> That again does not make any sense. Why would you create a key pair
> just to revoke this immediately?
>

In fact, while following some instructions for use, I have just tried
to generate the revocation certificates. As English is not my native
language, there may have been an ambiguity in the form of my question.
I mistakenly used the term "performed", when I simply tried to generate
the certificates, just to have them on hand...

    hubert@gnu ~$ gpg --gen-revoke 185B13B0 > .gnupg/openpgp-revocs.d/E67C43563F94C4756557A483B2A8FF57185B13B0.rev

    sec  rsa2048/B2A8FF57185B13B0 2022-03-15 Hubert Lombard <contact@hubert-lombard.website>

    Faut-il créer un certificat de révocation pour cette clef ? (o/N)

I have left 'N'.

I was afraid that by choosing 'o', the key would be permanently
revoked. I will have to clarify this question.

Otherwise, in my question to the list, I thought I had done the steps
out of order :/

But I just realized on https://emailselfdefense.fsf.org/en/ that I
followed the steps correctly.

> >
> > Could the inversion of these 2 steps have had an impact on the fact
> > that 'https://keys.openpgp.org/' does not find my e-mail address?
> > On the other hand, it does find my
> > E67C43563F94C4756557A483B2A8FF57185B13B0 key
> >
> > I'm wondering at this point if there is an error I could fix or if
> > it's better to revoke/delete this current key-pair.
>
> Maybe you want to read the GNU Privacy Handbook
> https://gnupg.org/gph/en/manual.html
> It is not a perfect beginners guide but it may give you a better
> understanding how things are working.
>

The link looks like precious infos.
In my bookmarks right now!

Thank you for your answer.

Regards

-- 
Hubert Lombard <contact@hubert-lombard.website>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
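
On the question raised in the message about whether creating a revocation certificate revokes the key, the following is an added example and not part of the original message: it shows that the certificate can exist on disk while the key stays valid, and that the key becomes revoked only once the certificate is imported. It assumes GnuPG 2.1 or later (which writes a certificate to openpgp-revocs.d at key creation); the function names, the temporary keyring and the test identity are constructed for the example.

```shell
#!/bin/sh
# Added example. Runs in a throwaway keyring with a constructed identity;
# nothing under ~/.gnupg is read or changed.

# Validity flag of the primary key: field 2 of the "pub" record in
# --with-colons output ("r" means revoked).
key_validity() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { print $2; exit }'
}

# Runs in a subshell so GNUPGHOME and the cleanup trap stay local.
revocation_demo() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT
    uid='Test User <test@example.invalid>'    # constructed identity

    # Key generation also writes a revocation certificate to openpgp-revocs.d.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null || exit 1
    fpr=$(gpg --batch --with-colons --list-keys "$uid" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    [ -s "$rev" ] || exit 1

    # The certificate exists on disk, yet the key is still valid.
    before=$(key_validity "$fpr")

    # Revocation takes effect only on import. The stored file has a colon
    # in front of the armor header as a guard against accidental import.
    sed 's/^:-----BEGIN/-----BEGIN/' "$rev" |
        gpg --batch --quiet --import 2>/dev/null || exit 1
    after=$(key_validity "$fpr")

    printf 'before=%s after=%s\n' "$before" "$after"
)
```

Calling `revocation_demo` prints the validity flag before and after the import. Note that a shell `>` redirect onto an existing `.rev` file truncates that file before gpg asks its question, so a newly generated certificate is better written to a different path.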