Peter Lebbing
Sun Jun 8 20:59:41 CEST 2014

On 08/06/14 20:34, Hauke Laging wrote:
> "After creating the key create a revocation certificate, too." I still have
> to be told why it shall be possible to have a safe backup of the revocation
> certificate but impossible (or less possible) to have a safe backup of the
> secret mainkey...

This one seems easy... leakage of the revocation certificate is much more
benign. No secret stuff is compromised, and in order for the leakage to be
useful, your adversary would need to publish the revocation certificate, so you
would notice. This is in stark contrast with the private key, which can be used
without you noticing, to read your secrets. And any new secrets produced in the
future, on account of you not noticing.

So the storage requirements for the revocation certificate are much less
demanding than for the backup secret keys, meaning there are more places you can
keep it, meaning you have a higher chance of still being able to access it.

... because a revocation certificate is only useful when the key backup is lost.
So obviously you should make sure that they are stored separately. This is one
of the silly recommendations I've also seen: store your revocation certificate
with your private key. That only covers the case of forgetting the passphrase;
in all other cases it's useless (I think). And that's hoping you didn't use the
same passphrase with your "encrypted USB-drive" and lost access to the
certificate as well.

It all boils down to: "a safe backup" depends on what you are backing up.

> I recommend that all qualified people do the same when encountering bad 
> articles.

The problem lies in "qualified". I think the authors of the bad advice consider
themselves qualified, for instance. Otherwise, why are they giving advice?

> It seems important to me to increase the quality of information out there.

Hmmmm... this is the internet. I don't think you can keep the bad advice off the
net. You need to have the good advice in a prominent place. But maybe that's
what you meant.
