OT: Revoking Old Keys... my problem
turner_bill at sbcglobal.net
Tue May 4 02:48:50 CEST 2004
Steve Butler wrote:
> I'm not sure that I'd consider any place on the WEB as safe for a
> cert. Perhaps a bank vault or a heavy fire safe at home. Committing the
> entire revocation cert to memory would be a little extreme!
> -----Original Message-----
> From: Bill Turner [mailto:turner_bill at sbcglobal.net]
> Sent: Friday, April 30, 2004 6:38 PM
> To: Jerry Windrel
> Jerry Windrel wrote:
>>The problem of having a key that you cannot revoke, and the partial
>>solution I outlined, reminds me somewhat of the situation in the Book
> So far as a 'safe' place to keep the revocation certificate, which I
> as yet not made and am going to do so as soon as this clears the system,
> would a 'web mail' account (Lycos.com for instance) be considered
> 'safe?' If I had done that before I would not be having this problem
> CONFIDENTIALITY NOTICE: This e-mail message, including any
attachments, is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not
the intended recipient, please contact the sender by reply e-mail and
destroy all copies of the original message.
I gathered as much from comments from others. I still have not made the
revocation cert. Here's what I have done though. And why I have not
yet made the revoke cert.
1. I was able to change the expire date. I set it for 10 years down
the road as someone had suggested that and his reasoning seemed sound to me.
2. I have added a comment into my email sig concerning the 'bogus' key
and the new key.
3. I have installed GnuPG Shell and could also get WinPTools if wanted
but so far it seems that gpgshell has everything I really need it to do.
4. I have been spending a lot of time reading docs re: gpg, Mozilla
and enigmail. A lot of time. That has raised a few questions for me.
5. I have not been actually using the gpg key to sign anything until I
have the answers to a couple of questions. If it turns out that I am
going to end up revoking this key as well - something I will do as a
last resort only - I don't want to be putting more copies of the key out
there then there already are.
A few questions concerning signing, and revocation.
1. I saw a reference in the docs - or maybe in the 'edit-keys' portion
of gpg - concerning 'non-revocable' signing of my key. This seems like
a good thing to do. I haven't done that yet either.
2. Someone had suggested (a few actually) I change my 'gpg comment' to
have the essentials (in the sig below) concerning the old key being
'bogus'. I haven't done that yet either. Although with gpgshell I know
it does give an option to do that very thing.
Firstly, since I have not yet made the 'irrevocable signing' nor the
'revocation cert' of my key, should I do the 'signing' first or does
that really matter?
Secondly, is it possible to change the comment in my gpg key without
having to generate a new keypair? If so, should I do that before I
generate the revocation cert, afterwards, or does it matter at all?
I suppose I am just a bit confused on the 'proper order' for all these
things. Also, since I made both keys 1024 bits, is that adequate,
really? I am beginning to think perhaps I should have made the second
key 2048 instead of 1024, especially if I am going with a 'expire' of 10
years down the road. If 1024 bits is actually an 'appropriate' size
then I am fine. I just need a bit of guidance on the right order to do
the 'irrevocable local signing' and the 'revocation cert' generation.
One final question which I will post to the group under a fresh topic
Have a good one.
"Whatever you do will be insignificant, but it is very important that
you do it." Mahatma Gandhi.
"All that is necessary for the triumph of evil is for good men to do
nothing." Edmund Burke.
"What have you done to make the world a better place today? Got 30
seconds? Feed somebody. <http://thehungersite.com>" Bill Turner
The following information is from a key which has been compromised.
Please contact me directly via email to obtain an updated and current key.
"Bill Turner <wildbill at speakeasy.net>"
Type bits /keyID Date User ID
pub 1024D/89F6CC2B 2002/10/18 Bill Turner <wildbill at speakeasy.net>
Key fingerprint = 2AC6 D850 97A0 5D3A FB22 9237 24DA 6DCC 89F6 CC2B
sig 89F6CC2B Bill Turner <wildbill at speakeasy.net>
My current (and valid) GPG Public key info follows:
"Bill Turner <turner_bill at sbcglobal.net>"
Type bits /keyID Date User ID
pub 1024D/7A85CF68 2004/04/28 Bill Turner (Tux Rox!)
<turner_bill at sbcglobal.net>
Key fingerprint = 763D 95D2 CB20 7763 5303 8097 A7D7 6B5D 7A85 CF68
sig 7A85CF68 Bill Turner (Tux Rox!) <turner_bill at sbcglobal.net>
More information about the Gnupg-users