Should gpg always generate a revocation cert?

vedaal@hush.com vedaal@hush.com
Mon Sep 22 14:50:02 2003



>Message: 4
>From: Neil Williams <linux@codehelp.co.uk>
>Organization: www.codehelp.co.uk + www.dclug.org.uk
>To: "GnuPG Users" <gnupg-users@gnupg.org>
>Subject: Re: Should gpg always generate a revocation cert?
>Date: Sun, 21 Sep 2003 13:26:18 +0100

[...]

>> perhaps gpg should by default
>> generate a revocation cert when it generates a new key (put it in a
>> <keyid>.rev file or so)
>
>Perhaps just a default YES question in the --gen-key sequence? This still
>leaves a potentially crucial file sitting around until the user does
>something about it though. Could be a problem when users don't secure the
>.gnupg/ directory properly.
>
>I don't know if a default file wouldn't actually make things worse - if it is
>put somewhere obvious so that it gets backed up at some point, then the
>backup becomes a liability later on. If it's not backed up, there's little
>point in generating it - most of these 'lost keys' come about after a
>re-install or change of distro / HD corruption.

[...]

a possible solution might be to have the default setting be to generate
the revocation certificate as the key is created, 
and have the revocation certificate encrypted symmetrically to the same
passphrase as the key,
then prompt for it (and possibly a backup of the key too) to be stored
on a removable disk (floppy, usb, cdrw, etc.)

and to have an over-ride choice (y,n)
at each step, as Adrian suggested

with Respect,

vedaal
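
The procedure proposed in the message above, sketched as a shell script. This is an added example, not part of the original post or of GnuPG itself; the function names, the output file name and the destination check are assumptions, and gpg prompts for the symmetric passphrase, at which point the user enters the same one that protects the key.

```shell
#!/bin/sh
# Added example: passphrase-protected revocation certificate on removable media.
# KEYID and the destination directory come from the caller (assumptions).
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Resolve a directory to its physical path; fails if it does not exist.
real_dir() { ( cd "$1" 2>/dev/null && pwd -P ); }

# Succeed only if the destination exists, is writable, and is not inside the
# GnuPG home, so the certificate is not swept into a backup of .gnupg/.
rev_dest_ok() {
    target=$(real_dir "$1") || return 1
    [ -w "$target" ] || return 1
    gpghome=$(real_dir "$GNUPGHOME") || return 0   # no GnuPG home yet
    case "$target/" in
        "$gpghome"/*) return 1 ;;
    esac
    return 0
}

# Ask a y/n question with a default of yes (the override at each step).
confirm() {
    printf '%s [Y/n] ' "$1" >&2
    read -r answer || answer=
    case "$answer" in
        [Nn]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Generate the certificate, hold it in memory only, then hand it to symmetric
# encryption, so the cleartext certificate is never written to disk.
make_encrypted_revocation() {
    keyid=$1; dest=$2
    rev_dest_ok "$dest" || { echo "refusing destination: $dest" >&2; return 2; }
    confirm "Create revocation certificate for $keyid?" || return 0
    umask 077
    cert=$(gpg --gen-revoke "$keyid") || return 1
    printf '%s\n' "$cert" | gpg --symmetric --armor --output "$dest/$keyid.rev.asc"
}

# Run only when called with KEYID and DEST (the removable disk's mount point).
if [ "$#" -eq 2 ]; then
    make_encrypted_revocation "$1" "$2"
fi
```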



