OT: Revoking Old Keys... my problem

Kyle Hasselbacher kyle at toehold.com
Thu May 6 17:58:43 CEST 2004



On Thu, May 06, 2004 at 07:54:16AM -0700, Steve Butler wrote:
>>> Just remember that you can't store the revocation certificate in
>>> an encrypted form, so anybody hacking your webmail account
>>> (or any sysadmin...) could revoke your key.
>> 
>> From: Greg Sabino Mullane [mailto:greg at turnstep.com]
>>
>>Of course you can encrypt it. It's just a file like any other, so
>>just "gpg -ca" and then you can store it anywhere you like, where
>
>Sure you can encrypt it.  Just what are you going to do when you lose the
>secret key and are unable to decrypt it (which is the reason you have a
>separate revocation certificate in the first place)?  Just which foot are we
>shooting here?

The '-c' in Greg's suggestion indicates symmetric encryption.  The
certificate will be encrypted with a passphrase (perhaps the same one you
use on the secret key, to make it easier to remember).  As long as you
remember the passphrase, you're set.  Attackers who don't know the
passphrase can't decrypt (and (ab)use) the certificate.
-- 
Kyle Hasselbacher
kyle at toehold.com
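The passphrase-only protection Kyle describes, as an added example that is not part of the original thread: a POSIX shell script that encrypts the revocation certificate with "gpg -ca", throws the secret key away, and then revokes the key using nothing but the passphrase. It assumes GnuPG 2.1 or later (which writes a revocation certificate to openpgp-revocs.d/ at key-generation time); the identity and the helper name are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Round-trips a revocation
# certificate through "gpg -ca" (symmetric, ASCII-armored) and shows that
# only the passphrase, never the secret key, is needed to use it later.
# Assumes GnuPG >= 2.1, which writes a revocation certificate to
# openpgp-revocs.d/ at key-generation time. All names are constructed.
set -eu

# Prints "revoked" when the recovered certificate revokes the key,
# "skipped" when no gpg binary is available. $1 is the passphrase.
revoke_via_encrypted_cert() (
    pass=$1
    command -v gpg >/dev/null 2>&1 || { echo skipped; exit 0; }
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    G="gpg --batch --quiet --pinentry-mode loopback"

    # Constructed test identity with an unprotected signing-only key.
    $G --passphrase '' --quick-gen-key 'Example User <user@example.invalid>' ed25519 sign 0
    fpr=$($G --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
    # gpg guards the auto-generated .rev file with a leading ':'; strip it.
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" > "$GNUPGHOME/revoke.txt"

    # Protect the certificate with a passphrase only (no public key involved).
    $G --passphrase "$pass" -ca -o "$GNUPGHOME/revoke.asc" "$GNUPGHOME/revoke.txt"
    rm "$GNUPGHOME/revoke.txt"

    # A wrong passphrase must not yield the certificate.
    if $G --passphrase 'not-the-passphrase' -d "$GNUPGHOME/revoke.asc" >/dev/null 2>&1; then
        echo "wrong passphrase decrypted the certificate" >&2; exit 1
    fi

    # Simulate losing the secret key, then recover with the passphrase alone.
    rm -rf "$GNUPGHOME/private-keys-v1.d"
    $G --passphrase "$pass" -d "$GNUPGHOME/revoke.asc" | $G --import
    # Validity field "r" in the pub record means the key is now revoked.
    [ "$($G --with-colons --list-keys | awk -F: '/^pub/ {print $2; exit}')" = r ] \
        && echo revoked
)
```

The script works in a throwaway GNUPGHOME, so it never touches your real keyring.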