 

Here's the story: moons ago, when I started in security, somebody told me all about Pretty Good Privacy (PGP). In my enthusiasm I got straight on to downloading a copy. Now this was a long time ago and I can't remember if it was freeware or a trial from pgp.com, but either way I got straight onto generating a public/private key pair.

Since I was still on new-technology enthusiasm I made sure that my private key had a very, very strong password. All happy with my success, I then try to encrypt a file to myself, only to find I could not open the encrypted file. After a few tries of trying to decrypt the file I give up and decide that I must have "typo'd" the password when generating the key. No matter, I simply delete the key pair and start again. For a second time I use a very, very strong password for key generation and encrypt a file; sadly the same thing happens, I just cannot decrypt the files. For the third key I use something new, still a strong password but now 10 characters instead of the 50 (yes, it was a sentence) I used before.

All is fine until I then start sending emails to my colleagues, who inform me that there are 4 keys on the web - DOH! It appears that my client at the time was set to automagically sync its keys with the server and had published my rubbish keys to the internet!

But the story of key woe doesn't end there. By a strange course of coincidence, a week before I was due to leave that company my laptop hard drive burnt out, taking my private keys with it, so now there are 4 keys on the internet (with two different e-mail addresses) which I cannot revoke.

At the time I remember finding this FAQ, which basically says if you've published a public key and lost the private - Tough! As such these keys have ever since lain unused on their server; you would think that they would automatically clear down keys that clients never request... oh well!

I've started using PGP at work again and wanted to somehow clear up the mess I created all those years ago. The "you can't delete" still stands, but I found this useful article which explains something you can do. If you generate new key pairs, sign the old public keys, and revoke your new key, you can "show to the world" that you know that key, and since you've revoked yours it probably can't be trusted. So that's what I've tried to do. The whole PGP key management thing is still a bit of a minefield but, if you search for me, hopefully what I've achieved is...

PGP Key 895C5474 belongs to me (I just generated it). I have signed my mistakes, keys 165E3E9, 884FA434 & 17A50106, and revoked 895C5474.
PGP Key B9E407B7 is also a new one of mine; I have signed 825E0D45 and revoked B9E407B7.

The other key AC4DA9FA is my new work key and is still valid.

My personal public key has not been published (yet) but is available here.

Fingers crossed I've taken enough precautions (backing up keys and passwords in separate secure locations) that this will never happen again, but I guess only time will tell, we all make mistakes :)

 

 
Nick Bettison ©