Of Public Key Servers, Revocation and Key ID's

Jens Kubieziel gnupg at kubieziel.de
Wed Nov 17 13:25:35 CET 2004


* Servie Platon wrote on 2004-11-17 at 06:43:
> Based on my understanding, after we create our key pair we are
> supposed to create a revocation certificate right away so that in the
> event that our key pair, in particular the private key, has been compromised
> or regarded as useless we can revoke it anytime.

ACK. That should be the first step after generating the key.

> Now, if we would like our public keys to be readily available to
> everyone for verification purposes, public keyservers are available to
> us so we could upload these.

You should use a keyserver which synchronises with others. So
subkeys.pgp.net or random.sks.keyserver.penguin.de are both good
choices. Furthermore you can publish your key at your website.

> 1. Assuming, I wanted to revoke KeyID#1 which I uploaded to
> penguin.de. How do I do this? 

gpg --import $REVOCATION_CERTIFICATE
You should also upload this revoked key to a keyserver.

> Now, to check if this has been revoked at the prompt, I see my KeyID
> with revoke in it. Does this mean locally my Key has been revoked or
> it has been revoked at the public key server as well?

You could check a keyserver's web interface (e.g.
http://subkeys.pgp.net:11371/). If the key is revoked, then you'll see
it there.

You can also create a new test user on your system and receive your key.
If "gpg --list-keys" shows the key as revoked, then it is revoked.

> 2. How do we check for the KeyID's that it really comes from that
> person? For instance, I post here and it displays my Key ID, how do
> you guys check my KeyID if in case, I have already posted this to a
> public key server?

Normally you have to do some keysignings. That means you have to meet
other people, check their passports, their fingerprints. If all seems
OK, you sign the other's key. If the other one thinks that all is OK,
he'll sign your key. "gpg --list-sigs $KEYID" shows you a list of all
signatures a key has.

If you have signed person B's key and B has signed C's key and you trust
B, then you can (more or less) be sure that C is C.

> I really do need some pointers on how to manage my keys properly and I
> feel this is the place where I could find the answers.

You can check http://www.gnupg.org/(en)/documentation/index.html I guess
it answers some of your questions.

-- 
Jens Kubieziel                                   http://www.kubieziel.de
Do you want to lose weight? - Then pick fruit. Erhard Horst Bellermann
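
The check described in the reply above (receive the key into a clean keyring and see whether it lists as revoked), as an added example that is not part of the original message. It reads gpg's --with-colons listing, where field 2 of a pub or sub record is "r" for a revoked key; the function names, $KEYSERVER, $KEYID and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. To see what a keyserver serves, independent of your own
# keyring, fetch into a throwaway home directory and pipe the listing in:
#   tmp=$(mktemp -d)
#   gpg --homedir "$tmp" --keyserver "$KEYSERVER" --recv-keys "$KEYID"
#   gpg --homedir "$tmp" --with-colons --list-keys | key_status
# $KEYSERVER and $KEYID are placeholders.

# Colon format: field 1 = record type, field 2 = validity, field 5 = key ID.
# key_status prints "<type> <keyid> <state>" for each pub and sub record.
key_status() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            state = "not-revoked"
            if ($2 == "r") state = "revoked"
            else if ($2 == "e") state = "expired"
            print $1, $5, state
        }'
}

# is_revoked LONGKEYID: exit 0 only if the listing on stdin marks that
# 16-hex-digit key ID as revoked. A key that is absent is NOT reported as
# revoked, so a failed fetch cannot look like a successful revocation.
is_revoked() {
    awk -F: -v id="$1" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == toupper(id) && $2 == "r" { found = 1 }
        END { exit !found }'
}

# Constructed sample listing (made-up key IDs, not real keys).
SAMPLE_LISTING='pub:r:1024:17:0123456789ABCDEF:1100000000:::-:::sc:
uid:r::::1100000000::::Revoked Test (constructed):
pub:-:1024:17:FEDCBA9876543210:1100000000:::-:::scESC:
uid:-::::1100000000::::Valid Test (constructed):
sub:-:1024:16:0011223344556677:1100000000::::::e:'

printf '%s\n' "$SAMPLE_LISTING" | key_status
```

Using a temporary --homedir gives the same isolation as a separate test user, so a "revoked" result reflects what the keyserver returned and not the local import.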