OT: Revoking Old Keys... my problem

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Mon May 3 09:20:36 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 01 May 2004 03.38, Bill Turner wrote:

> So far as a 'safe' place to keep the revocation certificate, which I
> have as yet not made and am going to do so as soon as this clears the
> system, would a 'web mail' account (Lycos.com for instance) be
> considered 'safe?'

As there is no absolute safety or security, the answer to such questions 
is invariably 'it depends'.

If your primary goal is not to have another bad key floating around, so 
you want your revocation cert to be available in all cases, then a 
webmail account may be a good solution. Just remember that you can't 
store the revocation certificate in an encrypted form, so anybody 
hacking your webmail account (or any sysadmin...) could revoke your 
key.

In my case, I'd be most annoyed if my key got revoked by error, so I do 
not have the revocation certificate online anywhere. It's on printout 
and floppy *only*, and the primary secret key (which is necessary to 
generate the revocation cert) is on my home machine only, which is 
behind NAT, and switched off most of the time. All other places where 
I'm working get only a secret subkey (<http://fortytwo.ch/gpg/subkeys> 
for details), so even a compromised secret subkey won't give the 
attacker the power to revoke the key.

Of course, in my case I trade the safety of nobody being able to revoke 
my key but myself against the possibility of losing all copies of the 
revocation cert and primary secret key.

Yes, a safe in a bank would be even more secure in this direction, but 
that's where the overhead becomes too much when I look at what I use 
gnupg for at the moment.

greetings
- -- vbi

- -- 
The content of this message may or may not reflect the opinion of me, my
employer, my girlfriend, my cat or anybody else, regardless of the fact
whether such an employer, girlfriend, cat, or anybody else exists.  I
(or my employer, girlfriend, cat or whoever) disclaim any legal
obligations resulting from the above message.  You, as the reader of
this message, may or may not have the permission to redistribute this
message as a whole or in parts, verbatim or in modified form, or to
distribute any message at all.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481

iKcEARECAGcFAkCV8spgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l6xtEAoIHmYJcYDmm7vZAlQgGxPJkM
0CFKAJ9pQ0imv/LMWZ9fxxpj3Xt/P26wiw==
=7eC+
-----END PGP SIGNATURE-----
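The split described in the message above (primary secret key on one machine only, secret subkeys everywhere else, revocation certificate stored as a file outside every keyring) can be reproduced with current GnuPG. The script below is an added example, not code from the original post or from the fortytwo.ch subkey page it links; it assumes GnuPG 2.1 or newer and runs entirely in throwaway keyrings. The demo user id, file names and the empty passphrase are constructed for the example. The GnuPG-version behaviour it relies on is that `--export-secret-subkeys` ships the primary key as a stub (shown as `sec#`, or `#` in field 15 of the colon listing), which is why the "laptop" keyring can still sign but cannot produce a revocation certificate.

```shell
#!/bin/sh
# Added example (not from the original message). Reproduces the setup described
# above with GnuPG 2.1 or newer, using throwaway keyrings: the primary secret key
# lives only in an "offline" home, the "laptop" home receives secret subkeys only,
# and the revocation certificate is a plain file kept out of every keyring.
# User id, file names and the empty passphrase are constructed for the demo.
set -e

DEMO_UID='Demo User <demo@example.invalid>'   # constructed identity

# Fresh, isolated GNUPGHOME so nothing touches ~/.gnupg; prints its path.
new_home() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf 'allow-loopback-pinentry\n' > "$d/gpg-agent.conf"
    printf '%s\n' "$d"
}

# gpg in a given home, unattended: batch mode, empty passphrase over loopback.
g() {
    h=$1; shift
    GNUPGHOME=$h gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Offline machine: create the primary (certify+sign) key, an encryption subkey
# and a separate signing subkey. Prints the primary fingerprint.
make_primary() {
    g "$1" --quick-gen-key "$DEMO_UID" default default never 2>/dev/null
    fpr=$(GNUPGHOME=$1 gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1=="fpr"{print $10; exit}')
    g "$1" --quick-add-key "$fpr" default sign never 2>/dev/null
    printf '%s\n' "$fpr"
}

# Write an armoured revocation certificate for key $2 from home $1 into file $3.
# Succeeds only where the primary secret key is present. --command-fd answers
# the interactive questions: confirm, reason 0 ("no reason"), no comment, ok.
gen_revoke() {
    printf 'y\n0\n\ny\n' | GNUPGHOME=$1 gpg --no-tty --command-fd 0 --status-fd 2 \
        --pinentry-mode loopback --yes --armor --output "$3" --gen-revoke "$2" 2>/dev/null
}

# Laptop: import only the secret subkeys; the primary arrives as a stub.
deploy_subkeys() {
    g "$1" --export-secret-subkeys "$3" > "$2/subkeys.gpg"
    g "$2" --import "$2/subkeys.gpg" 2>/dev/null
}

# Field 15 of the "sec" record is '#' when the primary secret key is a stub.
primary_marker() {
    GNUPGHOME=$1 gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="sec"{print $15; exit}'
}

# Day-to-day work is still possible: detach-sign a file with the signing subkey.
can_sign() {
    printf 'hello\n' > "$1/msg.txt"
    g "$1" --output "$1/msg.sig" --detach-sign "$1/msg.txt" 2>/dev/null
}

cleanup() { GNUPGHOME=$1 gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$1"; }

demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo"; return 0; }
    offline=$(new_home); laptop=$(new_home)
    fpr=$(make_primary "$offline")
    gen_revoke "$offline" "$fpr" "$offline/revoke.asc"   # this file goes to printout/floppy
    deploy_subkeys "$offline" "$laptop" "$fpr"
    echo "laptop primary marker: $(primary_marker "$laptop")"
    can_sign "$laptop" && echo "laptop can sign with the subkey"
    gen_revoke "$laptop" "$fpr" "$laptop/revoke.asc" \
        || echo "laptop cannot revoke: primary secret key is a stub"
    cleanup "$offline"; cleanup "$laptop"
}

demo
```

Note that GnuPG 2.1 and later also writes a ready-made revocation certificate to `openpgp-revocs.d/<fingerprint>.rev` in the home directory at key-creation time; if that directory lives on the offline machine it is the same artefact as the file produced by `gen_revoke` above, and it should be copied off that machine and deleted from any host that is reachable from the network.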
