Should gpg always generate a revocation cert?

Neil Williams
Sun Sep 21 15:16:32 2003

On Sunday 21 Sep 2003 11:43 am, Adrian 'Dagurashibanipal' von Bidder wrote:
> Yo!
> Since there is a 'Lost my key' thread every few weeks: perhaps gpg should
> by default
>  * generate a revocation cert when it generates a new key (put it in a
> <keyid>.rev file or so)

Perhaps just a default YES question in the --gen-key sequence? This still
leaves a potentially crucial file sitting around until the user does
something about it though. Could be a problem when users don't secure the
.gnupg/ directory properly.

I don't know if a default file wouldn't actually make things worse - if it is
put somewhere obvious so that it gets backed up at some point, then the
backup becomes a liability later on. If it's not backed up, there's little
point in generating it - most of these 'lost keys' come about after a
re-install or change of distro / HD corruption. The .rev file will be lost at
the same time as secring.gpg.

The .rev file cannot be protected by GnuPG itself, so overall it may be better
left off the filesystem.

The only thing that comes to mind is a question :
"It is strongly recommended to print out a revocation certificate in case the
key becomes lost or compromised or your filesystem becomes corrupted. Please
turn on your printer before answering Y."

>  * print lengthy explanations about 'the key can not, under no
> circumstances, be deleted from the keyservers. Really. We mean it. You can
> ask in the mailing lists, we will tell you this again.'


> Of course these features could be disabled by use of the
> --i-am-no-newbie-thank-you-very-much flag.
> (Yes, this is really a feature that should be offered by the user friendly
> GUI keymanager app that users should use - but I guess the majority of new
> users today starts out by using gpg from the commandline.)

Let GnuPG take the lead, frontend programs will have to follow if it's the
default operation of GnuPG itself.


Neil Williams
