Revoking Old Keys... my problem
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Fri Apr 30 12:46:52 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Friday 30 April 2004 11.29, Bill Turner wrote:
> I have attached my own 'new' key to this email. The reason that the
> old key is a problem for me is that the laptop I had it stored on,
> and everything else, was stolen from me. I do not remember my
> passphrase after almost two years. I am just not sure how to go
> about 'properly' revoking it.
You'll not like that: the proper procedure is
- never lose your key or forget your passphrase
- never use a key when you don't have a revocation certificate prepared
for such emergencies.
The only thing you can do: notify all people you suspect of having the
old key that it was compromised, announce your new key. Of course,
you'll have to redo all the key-signing you've done on the old key and
get people to verify that this is really your new key.
Also, RUN and generate revocation certificates for all keys you use NOW.
Store them on floppy, and print them out (seriously. You'll not be able
to read that floppy when you need it.) Store this in a secure location.
So if ever something like that happens again, you can still revoke that
For the same reason, it makes sense to always set an expiration date on
all keys you use (I use 10 years - which is long enough not to cause
trouble for me for a long time, but I won't have old keys floating
around indefinitely if for some reason the secret key and the emergency
revocation cert both are killed.)
As for the old key on the keyservers: tough luck, there's nothing you
can do. You may have luck convincing one or two keyserver operators
that they should delete your key, but since the keyservers are
networked, and since anybody can just re-upload your old key, it would
keep popping up again and again.
So, since you've changed your email address, you can just take that
lesson about key handling and then forget about it all - in a few years
nobody will even remember that it was you with that key (a common name
like yours has advantages, I see - I'd have the additional problem that
there isn't anyone with the same name, as far as I know:-)
- -- vbi
featured link: http://www.pool.ntp.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481
-----END PGP SIGNATURE-----
More information about the Gnupg-users