OT: Revoking Old Keys... my problem
turner_bill at sbcglobal.net
Sat May 1 03:38:27 CEST 2004
Jerry Windrel wrote:
> At the risk of veering off topic...
> The problem of having a key that you cannot revoke, and the partial
> solution I outlined, reminds me somewhat of the situation in the Book
> of Esther where a king sent out a proclamation signed with his signet
> ring. The rule in those days that a proclamation signed with the
> king's signet ring could never be revoked, not even by the king
> himself (similar to the "non-repudiation" property of digital
> signatures). When the king later regretted that proclamation, the
> only solution was to send out another (non-revokable) proclamation
> that mitigated the effect of the first one.
General consensus seems to be I'm trying to lock the door after the
horse is stolen. Well, that I knew already. My primary objective in
posting the question was to find out how to avoid this type of situation
again in the future.
I saw several good ideas and advice. Since I have only sent this key to
a couple places so far I am going to do as most folks suggested and make
a change to show that the 'old' key is no longer accurate. Alas, I also
set this one with no expiration date and it seems that is one of the
major mistakes I made before. Well, I may end up redoing the whole key
again because I don't want to go through this 'forever' bad key floating
about any more.
So far as a 'safe' place to keep the revocation certificate, which I have
as yet not made and am going to do so as soon as this clears the system,
would a 'web mail' account (Lycos.com for instance) be considered
'safe?' If I had done that before I would not be having this problem
now. It would have been safely out of harm's way when my laptop got
stolen. As it is, yes, this is 'unpleasant' but after 47 years I have
had far more unpleasant things happen to me. And far many more that
Seems the 'irrevocable' second proclamation from 'the king' is in order
here. :) Good analogy btw. Book of Esther isn't often quoted. Perhaps
it should be.
In case you couldn't tell I'm pretty much a 'babe in the woods' so far
as gpg is concerned. I thought it was simply a matter of making a key
pair, sending it out to the people you wanted to communicate with, and
going merrily along the way. I'm finding out that was a very naive
assumption on my part.
Well, you know what they say about what happens when you 'assume' right?
For the moment I will no longer be signing anything with my 'new' key
until such time as I can make the revocation certificate, get it onto a
safe site on the web, (as well as printed out and on floppy), and will
see if I can change the expiration without having to completely redo the
key from scratch. I have the 'gpg manual.pdf' on the disk and will be
spending the rest of the evening going through it.
Thank God for places like this. This is why I flat out love Linux and
GNU so much. You get a *community* that wants to help each other out.
Just because it's the 'right thing to do' and no other reason. If only
the rest of the world would catch on. Well, there's hope still.
Thanks much to all who replied. You gave me some good ideas. And you
didn't beat me up too badly. laughing....