OT: Revoking Old Keys... my problem

Neil Williams linux at codehelp.co.uk
Wed May 5 21:37:23 CEST 2004


On Tuesday 04 May 2004 1:48, Bill Turner wrote:
> I gathered as much from comments from others.  I still have not made the
> revocation cert.

GnuPG documentation advice is that this comes first, immediately after 
generating the key. It isn't affected by anything you do to the public key 
after generation.

> A few questions concerning signing, and revocation.
>
> 1.  I saw a reference in the docs - or maybe in the 'edit-keys' portion
> of gpg - concerning 'non-revocable' signing of my key.  This seems like
> a good thing to do.  I haven't done that yet either.

Not mandatory or AFAIK default. Your key is already self-signed in the normal 
way - it was done during generation. It will also be self-signed again each 
time you make changes to the key such as new UIDs etc.

IMO, non-revocable signatures are probably reserved for special uses of 
GnuPG/PGP where secondary security or precautions are used/required.

> 2.  Someone had suggested (a few actually) I change my 'gpg comment' to
> have the essentials (in the sig below) concerning the old key being
> 'bogus'.  I haven't done that yet either.  Although with gpgshell I know
> it does give an option to do that very thing.

Only by adding another UID - your comment is part of your user identity and 
cannot be changed - same as your email address. You can only add, not modify.

> Firstly, since I have not yet made the 'irrevocable signing' nor the
> 'revocation cert' of my key, should I do the 'signing' first or does
> that really matter?

Already done by default. Generate the revocation cert. NOW.

> Secondly, is it possible to change the comment in my gpg key without
> having to generate a new keypair?  If so, should I do that before I
> generate the revocation cert, afterwards, or does it matter at all?

Only by editing the key and adding a second UID.

> I suppose I am just a bit confused on the 'proper order' for all these
> things.  

The documentation order is revocation cert first, everything else as and when 
you feel like it.

> Also, since I made both keys 1024 bits, is that adequate, 
> really?  I am beginning to think perhaps I should have made the second
> key 2048 instead of 1024

The bigger the keysize the bigger the signature on emails etc. It's a personal 
choice.

> , especially if I am going with an 'expire' of 10 
> years down the road.  If 1024 bits is actually an 'appropriate' size
> then I am fine.

Most keys out there are 1024.


-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
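The order Neil describes, as an added example that is not part of the original post or of GnuPG's documentation: generate the key, write the revocation certificate immediately, then add a second UID rather than trying to edit the comment. It assumes GnuPG 2.1 or later, placeholder user IDs, and an empty passphrase so it runs unattended inside a throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example, not from the original post or from GnuPG's own docs. Runs the
# recommended order end to end in a throwaway GNUPGHOME so the real keyring is
# untouched. Assumes GnuPG 2.1+; user IDs are placeholders and the key gets an
# empty passphrase only so the script runs unattended (a real key gets a real one).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; exit 0; }

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

# 1. Generate the keypair (RSA 2048, 10-year expiry, the sizes discussed above).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example User (first comment) <user@example.invalid>' rsa2048 default 10y
fpr="$(gpg --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')"
revcert="$GNUPGHOME/revoke-$fpr.asc"

# 2. Revocation certificate FIRST, before the key is used or uploaded anywhere.
#    --gen-revoke is interactive, so --command-fd 0 answers its four prompts:
#    confirm, reason 0 (no reason specified), empty description, confirm.
#    (GnuPG 2.1+ also writes one to openpgp-revocs.d/ at generation time.)
printf 'y\n0\n\ny\n' | gpg --quiet --no-tty --command-fd 0 \
    --output "$revcert" --gen-revoke "$fpr"
chmod 600 "$revcert"   # keep it offline and private: whoever holds it can kill the key

# 3. The comment lives inside the UID and cannot be edited; add a second UID.
#    The original UID stays on the key alongside the new one (add, not modify).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-add-uid "$fpr" 'Example User (previous key is bogus) <user@example.invalid>'

# Checks worth running afterwards.
uid_count()        { gpg --with-colons --list-keys "$fpr" | grep -c '^uid:'; }
# A revocation certificate is a signature packet of class 0x20 over the primary key.
revcert_is_valid() { gpg --list-packets "$1" 2>/dev/null | grep -q 'sigclass 0x20'; }
key_is_revoked()   { gpg --with-colons --list-keys "$fpr" | grep -q '^pub:r:'; }

# 4. Importing the certificate is what actually revokes the key; done here on the
#    throwaway keyring so the effect ("pub:r:" in --with-colons output) is visible.
gpg --quiet --import "$revcert"
echo "UIDs on key: $(uid_count); revoked: $(key_is_revoked && echo yes || echo no)"
gpgconf --kill gpg-agent 2>/dev/null || true
```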