Update FAQ about revocation certificates?
dgouttegattat at incenp.org
Thu Nov 8 16:21:58 CET 2018
Hi GnuPG folks,

The current version of the FAQ recommends creating a revocation
certificate at several places.

"We recommend you create a revocation certificate immediately
after generating a new GnuPG certificate."

"What should I do after making my certificate?
Generate a revocation certificate"

"What are some common best practices?
[...] Generate a revocation certificate"

However, since GnuPG 2.1 a revocation certificate is now
automatically generated by GnuPG at the same time a new key pair
is created, and stored in $GNUPGHOME/openpgp-revocs.d.

Therefore the above recommendations should either be removed or at
the very least amended to explain that they are only necessary
with GnuPG < 2.1.

FWIW, I believe they should be removed completely. Rationale: It
has already been decided three years ago not to mention GnuPG 1.4
in the FAQ. Since then, GnuPG 2.0 has been end-of-lifed and so
in my opinion should not be mentioned either. Thus the FAQ should
only focus on "modern" GnuPG (>= 2.1). And with modern GnuPG there
is no need to recommend to generate a revocation certificate.

On the same topic, the answer to the question "How do I generate a
revocation certificate?" (§ 8.5) should be amended to explain that
such a revocation certificate may already have been generated.
("May", because it is possible the user asking this question has
generated his or her key a long time ago, using an older version

Comments are welcome.
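
An added example, not part of the original message or of GnuPG itself: a shell check for the "may already have been generated" case, listing which primary secret keys have no certificate in openpgp-revocs.d. It assumes the GnuPG >= 2.1 file naming `<primary key fingerprint>.rev`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes GnuPG >= 2.1 stores each certificate as
# openpgp-revocs.d/<primary key fingerprint>.rev.

# Print the fingerprint of every primary secret key found in
# `gpg --with-colons` output on stdin (first fpr record after each sec).
primary_fprs() {
    awk -F: '
        $1 == "sec" { want = 1; next }
        $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# missing_revocs DIR: print the primary fingerprints from the listing on
# stdin that have no non-empty DIR/<fingerprint>.rev file.
missing_revocs() {
    revdir=$1
    primary_fprs | while read -r fpr; do
        [ -s "$revdir/$fpr.rev" ] || printf '%s\n' "$fpr"
    done
}

# Constructed listing: two primary keys, the first with one subkey.
sample_listing() {
    cat <<'EOF'
sec:u:255:22:1111111111111111:1541690518:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1541690518::::Alice Example <alice@example.org>:
ssb:u:255:18:2222222222222222:1541690518::::::e:
fpr:::::::::2222222222222222222222222222222222222222:
sec:u:1024:17:3333333333333333:1100000000:::u:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1100000000::::Bob Example <bob@example.org>:
EOF
}

# Demo on a throwaway directory standing in for openpgp-revocs.d.
demo() {
    dir=$(mktemp -d)
    echo placeholder > "$dir/1111111111111111111111111111111111111111.rev"
    sample_listing | missing_revocs "$dir"
    rm -rf "$dir"
}
demo

# Live use:
#   gpg --list-secret-keys --with-colons |
#       missing_revocs "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d"
```

Any fingerprint it prints belongs to a key, typically one created before GnuPG 2.1, for which a revocation certificate still has to be generated by hand.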