Revocation Certificate
Neil Williams
linux at codehelp.co.uk
Tue Jul 20 11:13:07 CEST 2004
On Tuesday 20 July 2004 8:36, Mirek Göbel wrote:
> I could yet not figure out, what a revocation certificate does.
http://www.dclug.org.uk/linux_doc/startgnupg.html#revoke
> What is a revocation certificate for?
To revoke a specific key - it is generated in advance so that if you later
forget the passphrase you can still revoke the key. (Although you can't do
anything else with the key). It is an external file, usually a simple text
file that gpg can import. It is created using the secret key, so you must
have the passphrase when you create it, which is why you create it in advance.
:-)
> What can I do with it?
Revoke the key that generated the certificate. Nothing else.
> Why is it important?
Because it does not require the passphrase to import the file and revoke the
key - you must take great care about how you store the certificate. Anyone
who gets hold of your revocation certificate can revoke your key and there
would be nothing you could do to stop it.
Also because without a certificate, if you forget the passphrase to your key
it will languish on the keyservers forever as a seemingly active key. No key
can be revoked without either the passphrase (and secret key) or the
revocation certificate (no secret key needed).
If you still know your passphrase and your key is compromised, it still needs
to be revoked and a certificate will still need to be created, imported and
the updated key sent to keyservers. A stored certificate is just there in
case you forget the passphrase or lose the secret key in some hard disc
drama. (You must have a backup secret key if you want to continue using the
key.)
Revocation is about helping others - when you know the key is
unusable/compromised, revocation lets everyone else know too.
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
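The workflow described in the reply, as an added example that is not part of the original post: create a throwaway key in a private keyring, take the revocation certificate, import it with neither the passphrase nor the secret key, and confirm the key is now marked revoked. It assumes GnuPG 2.1 or later, which writes a certificate into openpgp-revocs.d automatically at key creation (in 2004 one ran gpg --gen-revoke instead); the user ID and file names are constructed for the demo.

```sh
#!/bin/sh
# Added demo (not from the original post): show that a revocation certificate
# revokes a key with no passphrase and no secret key present. Everything runs
# in a temporary GNUPGHOME, so the real keyring is never touched.
revocation_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg-missing"; return 0; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Constructed, passphrase-less throwaway key; a real key would have a passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo <demo@example.invalid>' default default never \
        >/dev/null 2>&1 || { echo "keygen-failed"; return 1; }
    fpr=$(gpg --batch --with-colons --list-keys demo@example.invalid \
          | awk -F: '/^fpr:/ { print $10; exit }')
    # GnuPG >= 2.1 stores the pre-generated certificate here at key creation.
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    [ -f "$rev" ] || { echo "no-revocation-cert"; return 1; }
    # gpg prefixes the BEGIN line with ':' so the file cannot be imported by
    # accident; it has to be removed before import. This is the file to store
    # with great care: anyone holding it can revoke the key.
    sed 's/^:-----BEGIN/-----BEGIN/' "$rev" > "$GNUPGHOME/revoke.asc"
    # Remove the secret key first: revocation via certificate must not need it.
    gpg --batch --yes --delete-secret-keys "$fpr" >/dev/null 2>&1 \
        || echo "warning: secret key not deleted" >&2
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc" >/dev/null 2>&1
    # In --with-colons output the validity field of the pub record is 'r' once revoked.
    status=$(gpg --batch --with-colons --list-keys "$fpr" \
             | awk -F: '/^pub:/ { print $2; exit }')
    gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    if [ "$status" = "r" ]; then echo "revoked"; else echo "not-revoked:$status"; fi
}

revocation_demo
```

After the import, `gpg --send-keys` would publish the revoked key to keyservers so others learn the key is unusable, which is the step the reply describes as the point of revocation.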