Of Public Key Servers, Revocation and Key ID's

Neil Williams linux at codehelp.co.uk
Wed Nov 17 10:12:39 CET 2004


On Wednesday 17 November 2004 5:43 am, Servie Platon wrote:
> Based from my understanding, after we create our key pair we are supposed
> to create a revocation certificate right away so that in the event that
> our key pair in particular private key has been compromised or regarded
> as useless we can revoke it anytime.

Yes. Keep it safe, don't keep it on your filesystem and don't keep it anywhere 
that someone will be able to find it or where you might enter it 
accidentally. Many people print them out, it's only a few lines of text.

> Now, if we would like our public keys to be readily available to everyone
> for verification purposes, public keyserver are available to us so we
> could upload these.

Yes.

> 1. Assuming, I wanted to revoke KeyID#1 which I uploaded to penguin.de.
> How do I do this?

Import the revocation certificate into your local keyring and then send the 
revoked key to the keyserver. Anyone can do this, once they have access to 
the revocation certificate they don't need access to the secret key, so be 
careful where you store it!

$ gpg --import revcert.asc
$ gpg --keyserver subkeys.pgp.net --send-key 0xKeyID#1

> I did some tinkering using gpg keys, (gpg shell), highlighted the UserID
> (KeyID) in question, went to keys - import, then selected revcert.asc for
> KeyID#1. After which, went to Keys-Update from Key-Server and selected
> penguin.de.
>
> Now, to check if this has been revoked at the prompt, I see my KeyID with
> revoke in it. Does this mean locally my Key has been revoked or it has
> been revoked at the public key server as well?

Most keyservers have a web interface that will show you the status of the key.

Alternatively:
1. Export your public key to a file.
2. Delete your own public key from your local keyring.
3. Import your public key from the keyserver.
4. Verify it has been revoked.

> 2. How do we check for the KeyID's that it really comes from that person?
> For instance, I post here and it displays my Key ID, how do you guys check
> my KeyID if in case, I have already posted this to a public key server?

We have to meet in person, exchange key fingerprints and verify photo ID. Then 
we sign each other's keys. The signed keys are uploaded to keyservers. People 
who trust me to properly verify keys will usually accept yours as verified.
http://www.codehelp.co.uk/html/neilwilliams.html
http://gnupg.neil.williamsleesmill.me.uk/book1.html
http://www.cryptnet.net/fdp/crypto/gpg-party.html

> 3. And finally, if I have uploaded my public key to a public key server
> and I deleted my keys locally without doing a revocation certificate and
> updated the key server hosting my key. And after awhile, I created myself
> another key pair for the same UserID which I deleted before without
> revoking. Will this pose as a problem for me considering it might confuse
> other people such as yourself trying to figure out which key is being used
> since there are two entries of KeyIDs?

Potentially yes, it makes things awkward but not difficult. You should always 
revoke a key that is:
1. compromised or
2. the only UID is invalid (e.g. the specified email account no longer 
operates) or
3. the key itself is no longer in use or
4. if you've forgotten the passphrase for your secret key.

Revoking a key prevents anyone using it to encrypt to you. It should be used 
when either the encrypted message could be read by someone else or when you 
no longer have the ability to receive and/or decrypt the message using that 
key.

> I really do need some pointers on how to manage my keys properly and I
> feel this is the place where I could find the answers.

Please read the FAQs before posting.
http://www.gnupg.org/gph/en/manual.html
http://www.gnupg.org/
http://www.dclug.org.uk/linux_adm/gnupg.html

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
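The four-step check above (export, delete, re-import from the keyserver, verify) can be done without touching your real keyring by fetching the key into a throwaway GNUPGHOME. The script below is an added example, not part of Neil's reply; it assumes GnuPG 2.x is installed, and KEYSERVER and KEYID are placeholders the reader supplies. The revocation test parses the `--with-colons` listing, where field 2 of the `pub` record is `r` for a revoked key.

```shell
#!/bin/sh
# Added example: is the copy of a key held by a keyserver revoked?
# A temporary GNUPGHOME is used so nothing in your own keyring is deleted;
# the fetched key is exactly what the server currently serves.
# Assumptions: gpg (GnuPG 2.x) on PATH; keyserver URL and key ID are
# placeholders passed as arguments, no real key is referenced here.

# is_revoked: read "gpg --with-colons --list-keys" output on stdin.
# Returns 0 if the primary key ("pub" record) has validity flag 'r'
# (revoked), 1 otherwise. Subkey ("sub") records are ignored on purpose.
is_revoked() {
    awk -F: '$1 == "pub" { if ($2 == "r") found = 1 }
             END { exit(found ? 0 : 1) }'
}

# fetch_and_check KEYSERVER KEYID
# Exit status: 0 = server's copy is revoked, 1 = not revoked (or not
# listed), 2 = the fetch itself failed (network, unknown key, ...).
fetch_and_check() {
    keyserver=$1
    keyid=$2
    tmphome=$(mktemp -d) || return 2
    chmod 700 "$tmphome"                 # gpg insists on a private homedir
    if ! gpg --homedir "$tmphome" --batch --quiet \
             --keyserver "$keyserver" --recv-keys "$keyid" 2>/dev/null; then
        rm -rf "$tmphome"
        return 2
    fi
    gpg --homedir "$tmphome" --batch --with-colons \
        --list-keys "$keyid" 2>/dev/null | is_revoked
    status=$?
    rm -rf "$tmphome"                    # discard the throwaway keyring
    return $status
}

# Command-line use: ./check-revoked.sh KEYSERVER KEYID (both placeholders)
if [ "$#" -eq 2 ]; then
    fetch_and_check "$1" "$2"
    case $? in
        0) echo "$2: REVOKED according to $1" ;;
        1) echo "$2: NOT revoked according to $1" ;;
        *) echo "$2: could not be fetched from $1" ;;
    esac
fi
```

Because the keyring is discarded, step 2 of the procedure (deleting your own public key) is no longer needed; only the keyserver's view of the key is examined.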