OT: Revoking Old Keys... my problem

Steve Butler sbutler at fchn.com
Tue May 4 16:56:24 CEST 2004


I don't think the additional signatures on the key will affect the
revocation cert.  In fact, the revocation cert is just another signature
that states "this guy is bad!" -- or something to that effect.

As for key size, most of the clients we (First Choice Health Network) deal
with have moved to either 2048 or 4096.  But then, we are faced with HIPAA
regulations here in the US that mandate encryption for PHI (personal health
information) being transmitted over the web.  We moved our key from 1024 to
2048 a couple of years ago.

-----Original Message-----
From: Bill Turner [mailto:turner_bill at sbcglobal.net]
Sent: Monday, May 03, 2004 5:49 PM
To: Steve Butler

Steve Butler wrote:
 > I'm not sure that I'd consider any place on the WEB as safe for a revocation
 > cert.  Perhaps a bank vault or a heavy fire safe at home.  Committing the
 > entire revocation cert to memory would be a little extreme!
 >
 > -----Original Message-----
 > From: Bill Turner [mailto:turner_bill at sbcglobal.net]
 > Sent: Friday, April 30, 2004 6:38 PM
 > To: Jerry Windrel
 >
 > as yet not made and am going to do so as soon as this clears the system,
 > would a 'web mail' account (Lycos.com for instance) be considered
 > 'safe?'  If I had done that before I would not be having this problem

Hello Steve,

I gathered as much from comments from others.  I still have not made the

Firstly, since I have not yet made the 'irrevocable signing' nor the
'revocation cert' of my key, should I do the 'signing' first or does
that really matter?

Secondly, is it possible to change the comment in my gpg key without
having to generate a new keypair?  If so, should I do that before I
generate the revocation cert, afterwards, or does it matter at all?

I suppose I am just a bit confused on the 'proper order' for all these
things.  Also, since I made both keys 1024 bits, is that adequate,
really?  I am beginning to think perhaps I should have made the second
key 2048 instead of 1024, especially if I am going with an 'expire' of 10
years down the road.  If 1024 bits is actually an 'appropriate' size
then I am fine.  I just need a bit of guidance on the right order to do
the 'irrevocable local signing' and the 'revocation cert' generation.
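
The remark above that a revocation cert is "just another signature" can be seen at the packet level: in the OpenPGP format (RFC 4880) a key revocation is a signature packet of type 0x20, stored as its own packet next to any certifications on the key. The following is an added example, not part of the original e-mails; the function names are hypothetical and the sample bytes are constructed, not real signatures.

```python
# Added example: list signature packet types in a binary OpenPGP stream (RFC 4880).
SIG_TYPES = {
    0x10: "generic certification", 0x11: "persona certification",
    0x12: "casual certification", 0x13: "positive certification",
    0x18: "subkey binding", 0x20: "key revocation",
    0x28: "subkey revocation", 0x30: "certification revocation",
}

def read_packets(data):
    """Yield (tag, body) per packet; one/two-octet and old-format lengths only."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"no packet header at offset {i}")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            else:
                raise ValueError("length form not supported in this example")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def signature_types(data):
    """Return the type name of every signature packet (tag 2), in order."""
    names = []
    for tag, body in read_packets(data):
        if tag == 2 and len(body) > 2:
            sig_type = body[1] if body[0] == 4 else body[2]  # v4 vs v3 layout
            names.append(SIG_TYPES.get(sig_type, hex(sig_type)))
    return names

def sample_sig(sig_type):
    """Constructed v4 signature packet: DSA/SHA-1 ids, placeholder MPI."""
    body = bytes([4, sig_type, 17, 2, 0, 0, 0, 0, 0xAB, 0xCD, 0, 1, 1])
    return bytes([0x88, len(body)]) + body   # old-format header, tag 2

# Constructed stream: two certifications on a key, then a key revocation.
SAMPLE = sample_sig(0x13) + sample_sig(0x10) + sample_sig(0x20)
```

Calling `signature_types(SAMPLE)` lists the two certifications followed by the key revocation, each read from its own packet.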

