Revoking Old Keys... my problem

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Fri Apr 30 12:46:52 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 30 April 2004 11.29, Bill Turner wrote:

> I have attached my own 'new' key to this email.  The reason that the
> old key is a problem for me is that the laptop I had it stored on,
> and everything else, was stolen from me.  I do not remember my
> passphrase after almost two years.  I am just not sure how to go
> about 'properly' revoking it.
>

You'll not like that: the proper procedure is
 - never lose your key or forget your passphrase
 - never use a key when you don't have a revocation certificate prepared 
for such emergencies.

The only thing you can do: notify all people you suspect of having the 
old key that it was compromised, announce your new key. Of course, 
you'll have to redo all the key-signing you've done on the old key and 
get people to verify that this is really your new key.

Also, RUN and generate revocation certificates for all keys you use NOW. 
Store them on floppy, and print them out (seriously. You'll not be able 
to read that floppy when you need it.) Store this in a secure location. 
So if ever something like that happens again, you can still revoke that 
key.

For the same reason, it makes sense to always set an expiration date on 
all keys you use (I use 10 years - which is long enough not to cause 
trouble for me for a long time, but I won't have old keys floating 
around indefinitely if for some reason the secret key and the emergency 
revocation cert both are killed.)

As for the old key on the keyservers: tough luck, there's nothing you 
can do. You may have luck convincing one or two keyserver operators 
that they should delete your key, but since the keyservers are 
networked, and since anybody can just re-upload your old key, it would 
keep popping up again and again.

So, since you've changed your email address, you can just take that 
lesson about key handling and then forget about it all - in a few years 
nobody will even remember that it was you with that key (a common name 
like yours has advantages, I see - I'd have the additional problem that 
there isn't anyone with the same name, as far as I know:-)


greetings
- -- vbi

- -- 
featured link: http://www.pool.ntp.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481

iKcEARECAGcFAkCSLqBgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l6FtYAn0JMS5Wx6kVrukLCrTF3nCSU
Ki+ZAJ9zdBQLNQCHQCeuHtfhYH2jyl9EBw==
=+orq
-----END PGP SIGNATURE-----
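The emergency kit the reply recommends (a revocation certificate prepared in advance, stored where it survives a lost laptop, plus an expiration date on the key), as an added example that is not part of the original post and not GnuPG project code. It is a small POSIX shell wrapper around the GnuPG 2.1+ command line; the key id, user id and paths are placeholders or constructed test values, and the rehearsal function creates a throwaway key in a scratch GNUPGHOME so the procedure can be practised before it is needed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the GnuPG project):
#  - make_revocation_cert  : armored revocation certificate, fit for paper
#  - revocation_cert_is_printable : check it survives a printout
#  - set_key_expiry        : put an expiration date on an existing key
#  - key_expiry_epoch      : read the expiry back for a check or a monitor
#  - make_rehearsal_key    : throwaway key in a scratch GNUPGHOME (test only)
# Key ids, user ids and paths are placeholders or constructed test values.
set -e

# Write an ASCII-armored revocation certificate for KEYID to OUTFILE.
# --gen-revoke refuses to run under --batch, so the interactive answers are
# fed through --command-fd 0: y (create), reason code (0 = no reason, the
# usual choice for a certificate made in advance; 1 = key compromised, the
# stolen-laptop case), one description line, an empty line ending the
# description, y (confirm). A protected key is unlocked via gpg-agent as usual.
make_revocation_cert() {
    keyid=$1; out=$2; reason=${3:-0}
    printf 'y\n%s\nPre-generated emergency revocation certificate\n\ny\n' "$reason" |
        gpg --yes --no-tty --command-fd 0 --status-fd 2 \
            --armor --output "$out" --gen-revoke "$keyid"
    chmod 600 "$out"
    # The armor header doubles as a sanity check that a certificate was written.
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$out"
}

# True when the file holds only printable ASCII, i.e. it can be printed and
# typed back in once the floppy (or USB stick) is unreadable.
revocation_cert_is_printable() {
    [ -f "$1" ] && ! LC_ALL=C grep -q '[^ -~]' "$1"
}

# Put an expiration date on KEYID, e.g. "10y" as the reply's author does, or
# an ISO date. An expiry can be extended later; a lost key cannot be revoked.
set_key_expiry() {
    gpg --batch --yes --quick-set-expire "$1" "$2"
}

# Expiration of KEYID's primary key as Unix epoch seconds ("" means never):
# field 7 of the pub: record in --with-colons output.
key_expiry_epoch() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "pub" { print $7; exit }'
}

# Rehearsal only: create an unprotected RSA key for a constructed identity in
# the scratch GNUPGHOME the caller exported, and print its fingerprint.
make_rehearsal_key() {
    gpg --batch --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Rehearsal Key
Name-Email: rehearsal@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-secret-keys rehearsal@example.invalid |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stop the agent gpg started for a scratch GNUPGHOME (GnuPG 2.1+).
stop_scratch_agent() {
    gpgconf --kill gpg-agent 2>/dev/null || true
}

# Usage for a real key (not run automatically; <KEYID> is a placeholder):
#   make_revocation_cert <KEYID> /media/floppy/revoke-<KEYID>.asc
#   revocation_cert_is_printable /media/floppy/revoke-<KEYID>.asc && lpr /media/floppy/revoke-<KEYID>.asc
#   set_key_expiry <KEYID> 10y
```

The certificate is deliberately kept armored: paper outlives floppies, as the reply notes, and an armored certificate is short enough to be retyped. GnuPG 2.1 and later also drop a pre-made, commented-out certificate into openpgp-revocs.d under the home directory at key creation; the file produced above is the version you move off the machine, so that a stolen laptop does not take the key and its only revocation certificate together.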