Revocation certificates

Werner Koch wk at
Fri Jan 24 07:47:15 CET 2014

On Thu, 23 Jan 2014 23:15, ekleog at said:

> Oh? I thought the most common reason was test keys, and tutorials which explain
> step-by-step how to make a keypair and push it on a keyserver, without telling

Obviously, I don't have any hard evidence for the claim that forgotten
passphrases are a reason for many unusable keys.  However, I have heard
too many times statements like “Please don't encrypt to that key; I -
uhmm - can't remember my passphrase”.

> And keys with an expiration date are someday deleted, while keys, even revoked,
> without are never, are they?

No, they are not deleted.  They are still useful for signature
verification.  Think about gnupg 1.0.0 which has been signed by a long
expired key of mine - verifying it still gives some evidence that the
tarball is genuine.  The key merely expired.  If I had reasons to assume
that the key is compromised I would issue a revocation.  Verification
tools show that.

> BTW, revocation certificates are not produced by default either. So, why not
> advise people to put an expiration date, instead of counselling them

The reason why they are not generated by default is that I am sure that
many people would accidentally publish the revocation.  That is not
optimal and thus my current plan is to create a revocation by default
but modify the armored file so that it can only be imported after
editing the file.

> Well, my question is then: Why not restore the key immediately (having stored it
> at the place you would have stored the revocation certificate), and revoke it
> then?

The key is of course stored at a bank safe.  The sheet/cdrom with the
revocation is in the drawer of my desk.

> the usefulness of revocation certificate, just the advice always popping out to
> generate a revocation certificate in any case, without thinking of whether it
> would be useful.

Okay, that is a different thing.  I plan to change that with a notice
saying which file has the edited revocation certificate.



Thoughts are free.  Exceptions are regulated by a federal law.
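Added example, not part of the thread and not GnuPG's own code: a shell walk-through of the two points made above, run against GnuPG 2.1 or later. A detached signature made by a key that has since expired still verifies but is reported as EXPKEYSIG, and after the key's revocation certificate is imported the same kind of signature is reported as REVKEYSIG, so verification tools can tell the two cases apart. It also exercises the revocation certificate GnuPG 2.1+ writes under openpgp-revocs.d at key generation, which has a colon in front of its BEGIN line and cannot be imported until that colon is removed. The script assumes gpg, gpgconf, awk and sed are installed; the user IDs, file names and the faked 2014 date are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not GnuPG's own code): shows how gpg
# reports a signature from an expired key (EXPKEYSIG) versus one from a
# key revoked by importing its revocation certificate (REVKEYSIG), and
# that the revocation certificate GnuPG 2.1+ writes to openpgp-revocs.d
# only imports after its leading colon has been edited away.
# Assumptions: gpg (2.1 or newer), gpgconf, awk and sed are on PATH. The
# user IDs, file names and the faked date are constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demo"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
# Let gpg take the (empty) passphrase from the command line, no pinentry.
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
printf 'stand-in for gnupg-1.0.0.tar.gz\n' > "$WORK/tarball"

GPG="gpg --batch --yes --quiet --pinentry-mode loopback --passphrase="

# make_key_and_sig LABEL USER-ID EXPIRE [FAKED-TIME]
# Creates a key and a detached signature over the tarball. A faked system
# time (yyyymmddThhmmss) lets us create key and signature in the past, so
# the key is already expired when verified at the real current time.
make_key_and_sig() {
    label=$1; uid=$2; expire=$3; faked=${4:+--faked-system-time=$4}
    $GPG $faked --quick-gen-key "$uid" default default "$expire" 2>/dev/null
    $GPG $faked --local-user "$uid" --detach-sign \
        --output "$WORK/$label.sig" "$WORK/tarball" 2>/dev/null
}

# verify_status LABEL: prints GOODSIG, EXPKEYSIG or REVKEYSIG for the
# signature, taken from gpg's machine-readable status lines.
verify_status() {
    gpg --batch --status-fd 1 --verify "$WORK/$1.sig" "$WORK/tarball" 2>/dev/null |
        awk '$1=="[GNUPG:]" && $2 ~ /^(GOODSIG|EXPKEYSIG|REVKEYSIG)$/ {print $2; exit}'
}

# revoke USER-ID: import the revocation certificate GnuPG generated
# alongside the key. The file as written must fail to import; only after
# deleting the colon in front of "-----BEGIN" does the import succeed.
revoke() {
    fpr=$(gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
          awk -F: '$1=="fpr" {print $10; exit}')
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    if gpg --batch --import "$rev" >/dev/null 2>&1; then
        echo "unexpected: the unedited certificate was importable" >&2
        return 1
    fi
    sed 's/^:-----BEGIN/-----BEGIN/' "$rev" > "$WORK/edited.rev"
    gpg --batch --import "$WORK/edited.rev" >/dev/null 2>&1
}

# Key 1: created and used on 2014-01-24 with a one-day lifetime, so it is
# long expired by now; the old signature remains verifiable.
make_key_and_sig expired "Expired Demo <expired@example.invalid>" 1d 20140124T074715
# Key 2: no expiry; we revoke it after signing.
make_key_and_sig revocable "Revoked Demo <revoked@example.invalid>" never
BEFORE_REVOKE=$(verify_status revocable)
revoke "revoked@example.invalid"
AFTER_REVOKE=$(verify_status revocable)

echo "expired key:   $(verify_status expired)"   # EXPKEYSIG
echo "before revoke: $BEFORE_REVOKE"             # GOODSIG
echo "after revoke:  $AFTER_REVOKE"              # REVKEYSIG
```

Run it in a scratch directory; everything lives under a throwaway GNUPGHOME and the agent it starts is killed on exit. The failed first import in revoke is the point of the colon: a file that sits in a desk drawer, or gets copied around by mistake, does nothing until someone opens it in an editor on purpose.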

More information about the Gnupg-users mailing list