1.0.1c test release
Werner Koch
wk@gnupg.org
Wed, 23 Feb 2000 10:45:31 +0100
On Tue, 22 Feb 2000, Lazarus Long wrote:
> I have not yet looked at either the new source, nor the new draft, (shame
> on me) but if I read the above correctly, this seems to contradict the
The change is only that the new draft makes the reason for revocation
a SHOULD.
> How is the user to know in advance what the "reason for revocation"
> will be? The intent behind generating the certificate *immediately*
> after generating the keypair is obvious (and, IMO, laudable.) Am I
> misreading something here?
This is indeed a problem. The reason why you should create a
revocation certificate in advance, is for the case you lost access to
your secret key. Therefore you may want to use "key is no longer used"
and a verbal description why. If your key is compromised, you should
still have access to the secret key and you can do a revocation
certificate. But, what happens if you lost your laptop with the only
copy of the secret key - it is compromised and you are not able to
revoke the key.
There are 3 solutions:
* Create 2 revocation certificates, one for a compromised key and
one for the case you lost access to the key.
* Create only a compromised key revocation in advance and use this
even if you only can't remember the passphrase.
* I add an option to not generate a revocation certificate. This
should still be allowed even if OpenPGP says SHOULD (it is not a
MUST)
> As an aside, if this is in response to the recent changes in laws in
> the UK, wouldn't inclusion of a reason (presuming it is "Jack Straw
No, it has been in OpenPGP since we have the RFC.
> Please advise me if there is a more appropriate channel for discussion
> than gnupg-users. Where do I look for a copy of the proposed changes
> to the OpenPGP draft? Is this a change to RFC 2440?
It is just that the optional reason for revocations is now a SHOULD.
It is okay to discuss this here.
Werner
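
The "reason for revocation" discussed in this message travels inside the revocation signature as an OpenPGP signature subpacket (type 29: one octet of revocation code, then a free-text string). The sketch below is an added example, not part of the original message and not GnuPG code; the function names and the sample reason texts are constructed for illustration. It encodes and decodes that subpacket for the two certificates of the first option above.

```python
import struct

REASON_SUBPACKET = 29  # signature subpacket type "Reason for Revocation"
REASONS = {            # revocation codes defined by the OpenPGP RFC
    0x00: "No reason specified",
    0x01: "Key is superseded",
    0x02: "Key material has been compromised",
    0x03: "Key is no longer used",
    0x20: "User ID information is no longer valid",
}

def encode_reason(code, text=""):
    """Build the subpacket: length, type octet, code octet, UTF-8 text."""
    if code not in REASONS:
        raise ValueError("unknown revocation code: %#x" % code)
    body = bytes([REASON_SUBPACKET, code]) + text.encode("utf-8")
    n = len(body)  # the length field covers the type octet plus the data
    if n < 192:
        return bytes([n]) + body
    if n < 8384:
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return b"\xff" + struct.pack(">I", n) + body

def decode_reason(sub):
    """Return (code, meaning, text); reject truncated or foreign subpackets."""
    if not sub:
        raise ValueError("empty subpacket")
    first = sub[0]
    off = 1 if first < 192 else 2 if first < 255 else 5
    if len(sub) < off:
        raise ValueError("truncated length field")
    if off == 1:
        length = first
    elif off == 2:
        length = ((first - 192) << 8) + sub[1] + 192
    else:
        length = struct.unpack(">I", sub[1:5])[0]
    body = sub[off:off + length]
    if length < 2 or len(body) != length:
        raise ValueError("truncated subpacket")
    if body[0] & 0x7F != REASON_SUBPACKET:  # bit 7 is the "critical" flag
        raise ValueError("not a Reason for Revocation subpacket")
    return body[1], REASONS.get(body[1], "unknown"), body[2:].decode("utf-8", "replace")

def premade_reasons():
    """Reason subpackets for two certificates made in advance (constructed texts)."""
    return {
        "compromised": encode_reason(0x02, "secret key copy lost or stolen"),
        "no_longer_used": encode_reason(0x03, "lost access to the secret key"),
    }
```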