Should gpg always generate a revocation cert?
Neil Williams
linux@codehelp.co.uk
Sun Sep 21 15:16:32 2003
On Sunday 21 Sep 2003 11:43 am, Adrian 'Dagurashibanipal' von Bidder wrote:
> Yo!
>
> Since there is a 'Lost my key' thread every few weeks: perhaps gpg should
> by default
> * generate a revocation cert when it generates a new key (put it in a
> <keyid>.rev file or so)
Perhaps just a default YES question in the --gen-key sequence? This still leaves a potentially crucial file sitting around until the user does something about it though. Could be a problem when users don't secure the .gnupg/ directory properly.
I don't know if a default file wouldn't actually make things worse - if it is put somewhere obvious so that it gets backed up at some point, then the backup becomes a liability later on. If it's not backed up, there's little point in generating it - most of these 'lost keys' come about after a re-install or change of distro / HD corruption. The .rev file will be lost at the same time as secring.gpg.
The .rev file cannot be protected by GnuPG itself, so overall it may be better left off the filesystem.
The only thing that comes to mind is a question:
"It is strongly recommended to print out a revocation certificate in case this key becomes lost or compromised or your filesystem becomes corrupted. Please turn on your printer before answering Y."
> * print lengthy explanations about 'the key can not, under no
> circumstances, be deleted from the keyservers. Really. We mean it. You can
> ask in the mailing lists, we will tell you this again.'
Definitely.
> Of course these features could be disabled by use of the
> --i-am-no-newbie-thank-you-very-much flag.
>
> (Yes, this is really a feature that should be offered by the user friendly
> GUI keymanager app that users should use - but I guess the majority of new
> users today start out by using gpg from the commandline.)
Let GnuPG take the lead, frontend programs will have to follow if it's the default operation of GnuPG itself.
--
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
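The thread's concern is that a revocation certificate generated at key-creation time is only useful if it survives the disaster that loses the secret key, and only safe if it is stored deliberately. GnuPG 2.1 and later did adopt the proposal: key generation writes `<FINGERPRINT>.rev` into `openpgp-revocs.d` under the GnuPG home, with a colon inserted before the armor header so the file cannot be imported by accident. The script below is an added example, not code from the thread or from the GnuPG project. It creates a throwaway key in a temporary GNUPGHOME, copies the auto-generated certificate to a separate location with owner-only permissions, and then proves in a scratch keyring that the certificate actually revokes the key, which is the check worth doing before relying on a stored certificate. The user id, addresses and paths are constructed for the demo; it requires GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a throwaway key, keep a
# copy of the revocation certificate GnuPG 2.1+ writes automatically, and prove
# in a scratch keyring that the certificate really revokes the key.
# The user id and all paths are constructed for the demo.
set -eu

# Create a passphrase-less key in the current GNUPGHOME and print its fingerprint.
make_test_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Constructed Test <revtest@example.invalid>' \
        default default never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys revtest@example.invalid |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# GnuPG 2.1+ drops <FINGERPRINT>.rev into openpgp-revocs.d when a key is
# created. Copy it to a location that is backed up deliberately, owner-only,
# and print that path.
save_revocation_cert() {
    fpr=$1
    dest=$2
    src="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    [ -f "$src" ] || { echo "no auto-generated certificate for $fpr" >&2; return 1; }
    (umask 077 && cp "$src" "$dest")
    echo "$dest"
}

# The auto-generated file puts a colon in front of the armor header so it
# cannot be imported by accident. Remove it in a copy, import the public key
# and the certificate into a scratch keyring, and check that the key now lists
# as revoked (validity field "r" in --with-colons output).
verify_revocation_cert() {
    fpr=$1
    cert=$2
    scratch=$(mktemp -d)
    gpg --batch --export "$fpr" |
        GNUPGHOME="$scratch" gpg --batch --import >/dev/null 2>&1
    sed 's/^:-----BEGIN/-----BEGIN/' "$cert" |
        GNUPGHOME="$scratch" gpg --batch --import >/dev/null 2>&1
    validity=$(GNUPGHOME="$scratch" gpg --batch --with-colons --list-keys "$fpr" |
        awk -F: '$1 == "pub" { print $2; exit }')
    GNUPGHOME="$scratch" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$scratch"
    [ "$validity" = "r" ]
}

# Full round trip in temporary directories; returns 0 when the certificate works.
demo() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    keep=$(mktemp -d)
    fpr=$(make_test_key)
    cert=$(save_revocation_cert "$fpr" "$keep/$fpr.rev")
    if verify_revocation_cert "$fpr" "$cert"; then status=0; else status=1; fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME" "$keep"
    return $status
}

# Run the demo only when invoked as "sh revcert-demo.sh run".
case "${1:-}" in
    run) demo && echo "revocation certificate verified" ;;
esac
```

The verification step is the point: importing the certificate into a keyring that holds only the public key mirrors what a keyserver or correspondent will do with it later, and the `r` validity flag confirms the signature is a valid key revocation for that exact key. In real use the `dest` path would be offline or printed storage rather than a directory beside the keyring, which is exactly the backup-versus-liability trade-off the thread discusses.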