Revoking Old Keys... my problem

Neil Williams linux at
Fri Apr 30 13:22:16 CEST 2004

On Friday 30 April 2004 10:29, Bill Turner wrote:
> Hello,
> I have a problem I am not sure how to deal with.  Put as plainly as I
> know how, there is an old key out there, 
> The reason that the old 
> key is a problem for me is that the laptop I had it stored on, and
> everything else, was stolen from me.  I do not remember my passphrase
> after almost two years.  I am just not sure how to go about 'properly'
> revoking it.

A passphrase (even if you could remember it) is useless without the secret 
key. If you don't have a backup of the secret key from that laptop, forget 
trying to remember the passphrase (if you follow) because you cannot use it 
to revoke this key.

If you also do not have a revocation certificate (GnuPG advice is to create 
one immediately after generating the new key, print it out (v.small) and 
delete the file) then this key is doomed to hang around on keyservers for 
ever with no realistic possibility of being revoked or deleted.

> The email address that was based on is at an ISP I no longer use, not
> that it matters really. I am just confused about the 'correct' procedure

Correct procedure is to always have a revocation certificate stored somewhere in case you lose the use of the secret key. The certificate can be 
used by anyone, it just needs to be imported into a keyring that already 
holds the public key to be revoked - no secret key or passphrase is required 
to use the revocation certificate, which is why it must be kept safe! Then, 
the revoked key should be sent to the keyservers and the keyserver merge the 
two and show the key as revoked.

If you have no revocation certificate and no backup of the secret key, you 
haven't got a prayer. You can't really ask for the correct procedure now when 
you've already ignored the correct procedure that would have prevented the 
problem in the first place!

> here.  There are people I was exchanging email with that have that key,
> and not the new one, so I just am not clear how to do this.

Tell them directly - and QUICKLY, they could be justifiably upset that you 
hadn't told them immediately the laptop was stolen! Explain that you were 
careless not to have the revocation certificate or a backup and that the old 
key must never be used again. 


Neil Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
Url : /pipermail/attachments/20040430/7ab376ed/attachment.bin

More information about the Gnupg-users mailing list