Store revoke cert. in symmetric file?
faramir.cl at gmail.com
Thu Dec 9 01:17:53 CET 2010
On 07-12-2010 16:32, David Shaw wrote:
> On Dec 7, 2010, at 11:56 AM, Chris Poole wrote:
>>> Why not just store the GPG encrypted file directly with the "strong passphrase that I know"?
>> I'm happy to do that, I'm just trying to keep the "very long,
>> complicated passphrases I have to remember" to as few as possible.
>> I really just want to make sure that storing my revoke certificate
>> this way (and not in any unencrypted form like on a piece of paper in
>> a safe location) isn't doing something stupid.
> It's not necessarily stupid, but it might not be ideal. The idea behind generating a revoke certificate ahead of time is to protect you in case you lose access (forget the passphrase, delete the key, etc, etc) to your secret key. Storing it in an encrypted bundle doesn't really help you if you forget the passphrase to the bundle.
I (but that is ME, just my opinion) would remove that 50-character-long
randomly generated passphrase. Chances are that if you don't use it very
often, you will forget it, and then you won't be able to revoke your
keys. Or maybe I would change it to a shorter password, easy to
remember, just in case somebody steals the rev-certs while I'm in the
restroom (well, probably replacing my keys would take less time than
changing all my passwords).
IMHO (but again, it's just my opinion), revocation certificates don't
need to be protected as much as your private keys. If somebody revokes
your keys, that's bad, and you need to make new keys. But that person
won't be able to sign things in your name or read your encrypted
messages. It's like when somebody cuts your credit card in half: you need
to replace it, but your money remains safe.