bits 0x46 - Calender Week 12, 2024

public keyservers … am I doxing myself?

One feature of keyservers is, if you upload a certificate, it never goes away.

And in most cases, the certificates are only monotonic incremental, the problem is, you can not remove a subkey or keyid without revoking it, and even if you revoked it, the information together with the revocation cert, stays on the keyserver.

For example, here is my pgp key: here I have 3 keyids and 2 subkeys.

$ gpg --list-secret-keys -------------------------------
sec   rsa4096 2020-06-07 [SC]
      DA2939BC46EF7A36FA08B89FBBEEC43923F0E695
uid           [ultimate] shrik3 <shrik3@riseup.net>
uid           [ultimate] shrik3 <shrik3@vnil.org>
uid           [ultimate] Tianhao Wang (school mail) <tianhao.wang2@mailbox.tu-dresden.de>
ssb   rsa4096 2020-06-07 [E] [expires: 2025-12-11]
ssb   rsa4096 2022-11-15 [S] [expires: 2025-12-11]

Once the pubkey is uploaded to a keyserver, there is no going back. If I decided that I shouldn’t associate my name and school email to my legal name, I can only revoke those identities by uploading a revocation cert. It’s impossible to take it down for good¹.

As matter of fact I’m already regretting uploading my certificates to the keyservers. Anyways from now on I won’t upload any certificate to keyservers other than openpgp anymore…

Why monoton?
It may sound horrible that your information can’t be deleted from the keyserver, but there are some certain security concerns. For example if the revoked identities and keys are removed from the keyserver together with the revocation cert

For people who do not have your old certificates, there is no way to validate a signature created before the revocation.
For people who already hold your old certificates, there would be no way to pass the words “hey, xyz is revoked, don’t use them anymore”: They will not invalidate a subkey or identity unless they see a revocation cert

spamming?
I can imagine a DoS attack on the keyservers…..

Fuck it, I’ll fix it myself

One good thing about open source is that if a program is broken or missing some features, I can

Latex

https://tug.org/levels.html
https://xkcd.com/2347/
https://en.wikipedia.org/wiki/Monotype_system
https://tex.stackexchange.com/a/244126
https://ultrasparky.org/school/pdf/Rhatigan_Monotype_4-line_math.pdf

Good Reads

Learn X in Y Minutes
What’s the matter with PGP? - by Matthew Green
GPG And Me
Ligatures in programming fonts: hell no
Inside Yubikey Neo

keys.openpgp.org allows to edit key via web interface, with an authentication email sent to one of the keyid addresses. keyserver.ubuntu.com and pgp.mit.edu does not allow editting at all. ↩︎

[+] click to leave a comment [+]

the comment system on this blog works via email. The button
below will generate a mailto: link based on this page's url 
and invoke your email client - please edit the comment there!

[optional] even better, encrypt the email with my public key

- don't modify the subject field
- specify a nickname, otherwise your comment will be shown as   
  anonymous
- your email address will not be disclosed
- you agree that the comment is to be made public.
- to take down a comment, send the request via email.

>> SEND COMMENT <<