OT: Revoking Old Keys... my problem
linux at codehelp.co.uk
Wed May 5 21:37:23 CEST 2004
On Tuesday 04 May 2004 1:48, Bill Turner wrote:
> I gathered as much from comments from others. I still have not made the
> revocation cert.
GnuPG documentation advice is that this comes first, immediately after
generating the key. It isn't affected by anything you do to the public key
> A few questions concerning signing, and revocation.
> 1. I saw a reference in the docs - or maybe in the 'edit-keys' portion
> of gpg - concerning 'non-revocable' signing of my key. This seems like
> a good thing to do. I haven't done that yet either.
Not mandatory or AFAIK default. Your key is already self-signed in the normal
way - it was done during generation. It will also be self-signed again each
time you make changes to the key such as new UID's etc.
IMO, non-revocable signatures are probably reserved for special uses of
GnuPG/PGP where secondary security or precautions are used/required.
> 2. Someone had suggested (a few actually) I change my 'gpg comment' to
> have the essentials (in the sig below) concerning the old key being
> 'bogus'. I haven't done that yet either. Although with gpgshell I know
> it does give an option to do that very thing.
Only by adding another UID - your comment is part of your user identity and
cannot be changed - same as your email address. You can only add, not modify.
> Firstly, since I have not yet made the 'irrevocable signing' nor the
> 'revocation cert' of my key, should I do the 'signing' first or does
> that really matter?
Already done by default. Generate the revocation cert. NOW.
> Secondly, is it possible to change the comment in my gpg key without
> having to generate a new keypair? If so, should I do that before I
> generate the revocation cert, afterwards, or does it matter at all?
Only by editing the key and adding a second UID.
> I suppose I am just a bit confused on the 'proper order' for all these
The documentation order is revocation cert first, everything else as and when
you feel like it.
> Also, since I made both keys 1024 bits, is that adequate,
> really? I am beginning to think perhaps I should have made the second
> key 2048 instead of 1024
The bigger the keysize the bigger the signature on emails etc. It's a personal
> , especially if I am going with a 'expire' of 10
> years down the road. If 1024 bits is actually an 'appropriate' size
> then I am fine.
Most keys out there are 1024.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Url : /pipermail/attachments/20040505/c891afbc/attachment.bin
More information about the Gnupg-users