23

Quite A few years ago (in middle school) I created some gpg keys, published them to a keyserver, etc. because I was l33test kid on the block. Now I have gone through a few new computers and OS's, etc. and lost the private keys and revocation certificates. It's a good thing that I didn't create the keys with any expiration, so they can live on forever!

My question is this, are these keys going to be out their till the end of time? or at some point will they be erased? Is it true that I can't get them removed without the revocation certificates? Is their any issues I might run into with these keys existing out there forever?

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
peterw
  • 333
  • 2
  • 5
  • Related: [How long do keys stay on keyservers?](http://security.stackexchange.com/q/67633/12139) – unor Nov 11 '14 at 16:17

3 Answers3

15

"Privacy" had a different meaning when PGP got its name. Keyservers and the implications of publishing the names and metadata of people who signed your keys wasn't a well understood issue back then, but today it is a pretty serious privacy concern.

Since email addresses change, and "identity" can be reasonably tied to legal name, birth date and city of residence, I have a PGP entry up there with a little too much information, and signatures from some interesting characters.

A reasonable study of signature dates can be used to figure out where I was on what date, with whom I met and what conferences I might have attended. I would like to remove my keys and play my cards a little closer to my chest, but I can't.

To the best of my knowledge, there's no way to remove the information, even if you have the revocation certificate. They'll just be stored with the revocation to indicate that your key was compromised.

I would be very happy to be wrong about this.

The downside to having unrevoked keys in the wild aren't too serious. It can look a little unprofessional, make you harder to find on a key server, and can lead to people sending you emails you can't decrypt. Aside from that and the normal concerns about your social network leaking through the web of trust, there are no serious issues.

Flimzy
  • 655
  • 1
  • 6
  • 14
mgjk
  • 7,535
  • 2
  • 20
  • 34
8

At some point, I found no less than five published key pairs, bearing my email address. I did not create them, so I must assume that someone else did, for reasons which evade me. I am not overly concerned with these keys.

Your situation is similar, except that since the keys were really yours, you know that the private key is not in Evil Hands. I suggest you just stop worrying about it.

In an ideal world, people who want to use your public key to write you an email will first validate the public key they find in the key servers, using the Web of Trust. In the real world, they will use the key that you advertised on your Web page or sent to them in a previous email. Either way, spurious keys on key servers will be ignored.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • I wonder what the expiration date was set to on those keypairs... Chances are they've long since expired. – ewanm89 Mar 04 '13 at 16:22
  • 4
    In the real world [a lot of people will readily trust that these keys are yours](http://xkcd.com/1181/). While you may not care about those lesser beings, they may nonetheless influence your life. – Gilles 'SO- stop being evil' Mar 04 '13 at 18:16
  • Keybase.io moves the key validation a lot closer to the ideal world. – Ville Jan 10 '17 at 00:23
1

As already stated those keys will exist forever. I've also one such annoying old key 1024D/FCFAC0B0. I've marked that old key as revoked by signing it with a newly created key for the identity:

"WARNING: Key was revoked! (Identity for revoking) <revoke@example.org>"

Plus I additionally signed it with my current key.

Markus Malkusch
  • 121
  • 5