Should gpg always generate a revocation cert?
Sun Sep 21 15:16:32 2003
On Sunday 21 Sep 2003 11:43 am, Adrian 'Dagurashibanipal' von Bidder wrote:
> Since there is a 'Lost my key' thread every few weeks: perhaps gpg should
> by default
> * generate a revocation cert when it generates a new key (put it in a
> <keyid>.rev file or so)
Perhaps just a default YES question in the --gen-key sequence? This still leaves a potentially crucial file sitting around until the user does something about it though. Could be a problem when users don't secure the .gnupg/ directory properly.
I don't know if a default file wouldn't actually make things worse - if it is put somewhere obvious so that it gets backed up at some point, then the backup becomes a liability later on. If it's not backed up, there's little point in generating it - most of these 'lost keys' come about after a re-install or change of distro / HD corruption. The .rev file will be lost at the same time as secring.gpg.
The .rev file cannot be protected by GnuPG itself, so overall it may be better left off the filesystem.
The only thing that comes to mind is a question:
"It is strongly recommended to print out a revocation certificate in case the key becomes lost or compromised or your filesystem becomes corrupted. Please turn on your printer before answering Y."
> * print lengthy explanations about 'the key can not, under no
> circumstances, be deleted from the keyservers. Really. We mean it. You can
> ask in the mailing lists, we will tell you this again.'
> Of course these features could be disabled by use of the
> --i-am-no-newbie-thank-you-very-much flag.
> (Yes, this is really a feature that should be offered by the user friendly
> GUI keymanager app that users should use - but I guess the majority of new
> users today starts out by using gpg from the commandline.)
Let GnuPG take the lead; frontend programs will have to follow if it's the default operation of GnuPG itself.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
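The procedure the thread is debating (generate the certificate, keep it somewhere that is neither silently backed up nor lost with the key, print it) as an added shell example. This is not code from the post or from GnuPG; it drives the real `gpg --gen-revoke` command, and KEYID and OUTFILE are placeholders you supply. The "Comment:" heuristic in the check assumes gpg's armored output mentions "revocation certificate" in its comment line, which holds for the 1.x and 2.x output I have seen. For what it is worth, GnuPG 2.1 and later does roughly what the thread proposes: it writes a revocation certificate into `~/.gnupg/openpgp-revocs.d/` at key generation, which is exactly the "file sitting around in .gnupg/" case discussed above.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from GnuPG.
# Generates a revocation certificate for an existing key, writes it with
# restrictive permissions to a location of your choosing, and sanity-checks the
# result before you rely on it. KEYID and OUTFILE are assumed placeholders.
set -eu

# Heuristic check that FILE looks like the ASCII-armored revocation certificate
# `gpg --armor --gen-revoke` writes: armor header and footer present, plus the
# "Comment:" line gpg puts into such certificates (assumed: both GnuPG 1.x and
# 2.x mention "revocation certificate" there). Returns 0 on success.
looks_like_revocation_cert() {
    f="$1"
    [ -s "$f" ] &&
    grep -q -- '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" &&
    grep -q -- '^-----END PGP PUBLIC KEY BLOCK-----' "$f" &&
    grep -qi -- 'revocation certificate' "$f"
}

# Generate the certificate. gpg prompts interactively for the reason and for
# the secret key's passphrase; umask 077 makes the file mode 0600 on creation.
generate_revocation_cert() {
    keyid="$1"
    out="$2"
    (umask 077 && gpg --armor --output "$out" --gen-revoke "$keyid")
    looks_like_revocation_cert "$out"
}

# Paper copy: send the certificate to the default printer, then remove the
# on-disk copy so it is neither swept into a backup nor lost with secring.gpg.
# Assumes an lpr-style print spooler; shred may be missing, so fall back to rm.
print_and_remove() {
    out="$1"
    lpr "$out"
    shred -u "$out" 2>/dev/null || rm -f "$out"
}

main() {
    keyid="$1"
    out="${2:-$HOME/revoke-$keyid.asc}"
    generate_revocation_cert "$keyid" "$out"
    echo "revocation certificate written to $out"
    echo "print it (print_and_remove \"$out\") or move it to offline media;"
    echo "do not leave it under a directory that is routinely backed up"
}

# Only runs when given a key id, e.g.:  sh gen-revoke.sh KEYID /media/usb/KEYID.rev
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The check function is deliberately separate from the gpg call so it can be run again later against the printed or archived copy (after OCR or retyping, for instance) before the day you actually need to import and publish the certificate.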