Revoke and expire

Henry Hertz Hobbit hhhobbit at securemecca.net
Wed Jun 13 22:02:14 CEST 2007


gnupg-users-request at gnupg.org wrote:
David Shaw <dshaw at jabberwocky.com> wrote:

> On Mon, Jun 11, 2007 at 10:24:23PM +0530, Hardeep Singh wrote:
>> Hi
>>
>> When a key is revoked using the revocation certificate, does it have
>> the same effect as reaching the expiry date of the key? In other words
>> if I set a key to not expire but generate a revocation certificate, it
>> is equally safe?
> 
> They're similar, but different.  A key that has reached its expiration
> date is not usable, but a new expiration date can be put on it that
> makes the key usable again.  A key that has been revoked cannot be
> easily un-revoked.
> 
> Note that I'm talking about whole keys here.  It is possible to
> un-revoke a revoked user ID on a key.

How do you unrevoke a key, especially if it is on the keyservers?
I can think of making a backup of the key, revoking it and then
sending the revocation to the keyservers, then unpacking the non-
revoked folder, extending the date, and squirreling that away in
some safe deposit box just in case I need it some time in the future.
Once you are pretty sure you will never need it again you can destroy
the backup.  But that means it is only unrevoked for myself. Was
that what you meant?

But more to the point, what would most people prefer for somebody
else to do when they no longer intend to use a key, especially if
it is on the keyservers - allow it to expire or revoke it with
some message like "key deprecated"?  This is more along the lines
of human usability and preferences, not technical.  I am assuming
from what has been said that most people want the key revoked,
rather than just allowing it to elapse and expire like Johannes
Ullrich does. Any opinions?

HHH
-- 
Why hack in when you can drive in on Hwys. 80, 110, 194, 220, 443, 993,
994 & 995?


