OT: Revoking Old Keys... my problem
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Mon May 3 09:20:36 CEST 2004
On Saturday 01 May 2004 03.38, Bill Turner wrote:
> So far as a 'safe' place to keep the revocation certificate, which I
> have as yet not made and am going to do so as soon as this clears the
> system, would a 'web mail' account (Lycos.com for instance) be
> considered 'safe?'
As there is no absolute safety or security, the answer to such questions
is invariably 'it depends'.
If your primary goal is not to have another bad key floating around, so
you want your revocation cert to be available in all cases, then a
webmail account may be a good solution. Just remember that you can't
store the revocation certificate in an encrypted form, so anybody
hacking your webmail account (or any sysadmin...) could revoke your
In my case, I'd be most annoyed if my key got revoked by error, so I do
not have the revocation certificate online anywhere. It's on printout
and floppy *only*, and the primary secret key (which is necessary to
generate the revocation cert) is on my home machine only, which is
behind NAT, and switched off most of the time. All other places where
I'm working get only a secret subkey (<http://fortytwo.ch/gpg/subkeys>
for details), so even a compromised secret subkey won't give the
attacker the power to revoke the key.
Of course, in my case I trade the safety of nobody being able to revoke
my key but myself against the possibility of losing all copies of
revocation cert and primary secret key.
Yes, a safe in a bank would give even more security in this direction, but
that's where the overhead becomes too much when I look at what I use
gnupg for at the moment.
-- vbi
The content of this message may or may not reflect the opinion of me, my
employer, my girlfriend, my cat or anybody else, regardless of the fact
whether such an employer, girlfriend, cat, or anybody else exists. I
(or my employer, girlfriend, cat or whoever) disclaim any legal
obligations resulting from the above message. You, as the reader of
this message, may or may not have the permission to redistribute this
message as a whole or in parts, verbatim or in modified form, or to
distribute any message at all.
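The split described in the post (primary secret key kept offline, only secret subkeys on working machines, revocation certificate created while the primary is at hand) as an added example; this is not code from the original message or from the GnuPG project. It assumes GnuPG 2.x, works in throw-away homedirs, and uses a constructed sample identity.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.x (--quick-gen-key,
# openpgp-revocs.d) and runs in temporary homedirs so your real keyring is untouched.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "GnuPG 2.x is required" >&2; exit 1; }

HOME_PC=$(mktemp -d)   # the "home machine": holds the primary secret key
LAPTOP=$(mktemp -d)    # a "working" machine: receives secret subkeys only
UID_STR="Example User <example@example.invalid>"   # constructed sample identity

cleanup() {
    for d in "$HOME_PC" "$LAPTOP"; do
        GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$d"
    done
}
trap cleanup EXIT

# gpg_as <homedir> <args...>: run gpg non-interactively (no passphrase) in a homedir
gpg_as() {
    h=$1; shift
    GNUPGHOME="$h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# 1. On the home machine: certify-only primary key plus a signing subkey.
gpg_as "$HOME_PC" --quick-gen-key "$UID_STR" ed25519 cert never
FPR=$(gpg_as "$HOME_PC" --with-colons --list-keys "$UID_STR" \
      | awk -F: '$1=="fpr"{print $10; exit}')
gpg_as "$HOME_PC" --quick-add-key "$FPR" ed25519 sign never

# 2. GnuPG 2.1+ writes a revocation certificate at key-creation time, i.e. while the
#    primary secret key is present. It is plain armored text, which is why the post
#    warns that anyone who can read the stored copy can revoke the key.
revocation_cert_path() { echo "$HOME_PC/openpgp-revocs.d/$FPR.rev"; }

# 3. Give the laptop only the secret subkeys; the primary travels as an unusable stub.
gpg_as "$HOME_PC" --export-secret-subkeys "$FPR" | gpg_as "$LAPTOP" --import

# Returns 0 when a homedir has secret subkeys but the primary secret key is only a
# stub ('#' in field 15 of the colon listing, shown as "sec#" by gpg -K). Such a
# keyring can sign, but cannot generate a revocation certificate for the key.
primary_secret_is_offline() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
      | awk -F: '$1=="sec" && $15=="#"{stub=1} $1=="ssb"{ssb=1} END{exit !(stub && ssb)}'
}

if primary_secret_is_offline "$LAPTOP"; then
    echo "laptop keyring: subkeys present, primary secret key absent (cannot revoke)"
fi
```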