desig-revoke

Kyle Hasselbacher <kyle-exp-1094237056.2998d7@toehold.com>
Wed Sep 3 20:43:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Sep 03, 2003 at 06:47:30PM +0100, Neil Williams wrote:

>--desig-revoke
>                 Generate a designated revocation certificate for a key.  This
>                 allows a user (with  the  permission  of  the  keyholder)  to
>                 revoke someone else's key.
>
>Is this a possible solution for revoking old keys that are simply out of use, 
>including those where the secret key has been lost?

Yes, but only if you plan ahead.  To designate a revoker requires the
secret key.  When you create the key (or after), you designate some Other,
who you trust to revoke your key at the right time.  If your secret key is
lost, you can contact this Other and request revocation.  That way, it's a
nice alternative to a fixed expiration date.

It can also be useful if you want one of your keys to be able to revoke
another.  For instance, if you have a separate key for work or a laptop,
you can make your more secure key the designated revoker for when the job
or laptop is lost.
- -- 
Kyle Hasselbacher       The attacker must vanquish;
kyle@toehold.com        the defender need only survive.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/VjZ/10sofiqUxIQRAjyeAJ4mwhwzCX62Uxem6FR5syxPm+ip8ACfSfi/
tdb2xUzFlCiicfZZEH/LyN4=
=BpNV
-----END PGP SIGNATURE-----
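
Because a designated revoker has to be set while the secret key is still available, it is worth checking which keys on a keyring already have one. The following is an added example, not part of the original message: it reads `gpg --with-colons --list-keys` output and reports the `rvk` (revocation key) records per primary key. It assumes the colon-listing layout in which field 10 of an `rvk` record is the revoker's fingerprint and field 11 its class octet; the sample listing is constructed.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
sample_listing() {
cat <<'EOF'
pub:u:2048:1:1111111111111111:1062620000:::u:::scESC:
rvk:::17::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:80:
uid:u::::1062620000::X::Laptop key (constructed):
pub:u:2048:1:2222222222222222:1062620000:::u:::scESC:
rvk:::17::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:c0:
uid:u::::1062620000::X::Work key (constructed):
pub:u:1024:17:3333333333333333:1062620000:::u:::scESC:
uid:u::::1062620000::X::Old key (constructed):
EOF
}

# Read a colon listing on stdin. For each primary key print either
#   <keyid> <revoker fingerprint> <class> [sensitive]
# or
#   <keyid> NONE
# so keys that can only be revoked with their own secret key stand out.
audit_revokers() {
    awk -F: '
        function report_none() { if (key != "" && !found) print key, "NONE" }
        $1 == "pub" { report_none(); key = $5; found = 0 }
        $1 == "rvk" && key != "" {
            cls = tolower(substr($11, 1, 2))
            # Class 0x80 marks a revocation key; 0x40 added (0xc0) marks it sensitive.
            note = (cls == "c0") ? " sensitive" : ""
            print key, $10, cls note
            found = 1
        }
        END { report_none() }
    '
}

# Real use (requires gpg):  gpg --with-colons --list-keys | audit_revokers
# Offline demonstration on the constructed listing when run as a script:
case "$0" in
    *audit_revokers*) sample_listing | audit_revokers ;;
esac
```

A key reported as `NONE` has no designated revoker, so losing its secret key leaves only a previously generated revocation certificate or an expiration date as a way to retire it.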