Store revoke cert. in symmetric file?
Faramir
faramir.cl at gmail.com
Thu Dec 9 01:17:53 CET 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 07-12-2010 16:32, David Shaw wrote:
> On Dec 7, 2010, at 11:56 AM, Chris Poole wrote:
>
>>> Why not just store the GPG encrypted file directly with the "strong passphrase that I know" ?
>>
>> I'm happy to do that, I'm just trying to keep the "very long,
>> complicated passphrases I have to remember" to as few as possible.
>>
>> I really just want to make sure that storing my revoke certificate
>> this way (and not in any unencrypted form like on a piece of paper in
>> a safe location) isn't doing something stupid.
>
> It's not necessarily stupid, but it might not be ideal. The idea behind generating a revoke certificate ahead of time is to protect you in case you lose access (forget the passphrase, delete the key, etc, etc) to your secret key. Storing it in an encrypted bundle doesn't really help you if you forget the passphrase to the bundle.
I (but that is ME, just my opinion) would remove that 50-character-long
randomly generated passphrase. Chances are if you don't use it very
often, you will forget it, and then you won't be able to revoke your
keys. Or maybe I would change it for a shorter password, easy to
remember, just in case somebody steals the rev-certs while I'm in the
restroom (well, probably replacing my keys would require less time than
changing all my passwords).
IMHO (but again, it's just my opinion), revocation certificates don't
need to be protected as much as your private keys. If somebody revokes
your keys, that's bad, and you need to make new keys. But that person
won't be able to sign things in your name or read your encrypted
messages. It's as if somebody cut your credit card in half: you need
to replace it, but your money remains safe.
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBCAAGBQJNACAxAAoJEMV4f6PvczxAtCQIAJwkxXfFliaRzI0WXvZ9q/eF
NGaOa31M9zsbzVuAHkrqyws/ipCxc5r7BOq2VhKz/7yncZ2mRWSzq4OgY1nqmUw2
OhZ0V/OqpoBC/2Ichzf3t/RB97Rs7KeWeRCtI9MP6OeOIPrCN+B8+bGOoCR9aj9m
+HKDc20d2pDAEwvovByu1/MmhlvKfSClUVWInJ3JYqbm9DCJ9hxU56IAswKv/QEi
LBoEzefEr8npHa45JfEBp4FHbqq+E7A3S8opI1VWOpE1l0wce8QLy9jkG1ApPsCy
+0THtAPkbTs8TRWqbrMOBfcOqqSlRL/6NjIZPP383pvqQJaYwoLENIF+HhrvijM=
=aOhg
-----END PGP SIGNATURE-----
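Worked example added to this thread (it is not code from any of the posters or from GnuPG itself): a shell script that goes through the setup the thread is discussing. It generates a throwaway key in a temporary GNUPGHOME, stores the revocation certificate symmetrically encrypted (gpg --symmetric) under its own passphrase, recovers and imports it with that passphrase alone, and then shows what the imported certificate changes: the key is listed as revoked and gpg refuses to sign with it, while the secret key and its passphrase never left the keyring. It assumes GnuPG 2.1 or later with gpg and gpgconf on PATH (2.1+ writes a ready-made certificate to openpgp-revocs.d at key creation); the user ID, both passphrases and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: keep a revocation
# certificate in a symmetrically encrypted file, recover it, apply it, and
# observe what revocation does (and does not) change.
# Assumes GnuPG 2.1+ (gpg and gpgconf on PATH). The user ID, passphrases
# and file names below are made up for this demo.
set -eu

KEY_PASS='demo-secret-key-passphrase'    # protects the secret key itself
CERT_PASS='demo-revcert-passphrase'      # protects only the stored certificate
UID_DEMO='Demo User <demo@example.invalid>'

# gpg in batch mode with loopback pinentry, so --passphrase works unattended.
g() { gpg --batch --yes --quiet --pinentry-mode loopback "$@"; }

# Fresh, isolated keyring so nothing touches the caller's real keys.
setup_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
}

# Throwaway signing key (ed25519 keeps generation fast); prints its fingerprint.
make_key() {
    g --passphrase "$KEY_PASS" --quick-generate-key "$UID_DEMO" ed25519 sign never
    g --list-keys --with-colons demo@example.invalid |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# GnuPG 2.1+ writes a ready-made revocation certificate to
# openpgp-revocs.d/<FPR>.rev at key creation, with a ':' in front of the
# armor header so it cannot be imported by accident. Strip that guard and
# store the certificate encrypted under CERT_PASS (gpg --symmetric).
store_revcert() {   # $1 = fingerprint, $2 = output file
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" |
        g --passphrase "$CERT_PASS" --symmetric --armor --output "$2"
}

# Recover the certificate with CERT_PASS and merge it into the keyring.
# Only CERT_PASS is needed here; KEY_PASS is never involved.
revoke_with_stored_cert() {   # $1 = encrypted certificate file
    g --passphrase "$CERT_PASS" --decrypt "$1" | g --import
}

# Validity field of the pub record in --with-colons output: 'r' = revoked.
key_validity() {   # $1 = fingerprint
    g --list-keys --with-colons "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Succeeds only if the key can still produce a signature.
can_sign() {   # $1 = fingerprint
    printf 'hello\n' |
        g --passphrase "$KEY_PASS" --local-user "$1" --clearsign >/dev/null 2>&1
}

cleanup() {
    gpgconf --kill gpg-agent || true
    rm -rf "$GNUPGHOME"
}

run_demo() {
    setup_home
    fpr=$(make_key)
    echo "before: validity=$(key_validity "$fpr")"
    store_revcert "$fpr" "$GNUPGHOME/revoke.asc.gpg"
    revoke_with_stored_cert "$GNUPGHOME/revoke.asc.gpg"
    echo "after:  validity=$(key_validity "$fpr")"
    if can_sign "$fpr"; then
        echo "signing still works (unexpected)"
    else
        echo "signing refused: key is revoked"
    fi
    cleanup
}

run_demo
```

The point of the last two steps is Faramir's observation: whoever gets hold of the stored certificate and its (possibly weak) passphrase can make the key unusable, but cannot sign as the key's owner, because the certificate is not the secret key. The other half of David Shaw's point is visible in revoke_with_stored_cert: if CERT_PASS is forgotten, the certificate is as unreachable as the key it was meant to rescue.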