Update FAQ about revocation certificates?

Damien Goutte-Gattat dgouttegattat at incenp.org
Thu Nov 8 16:21:58 CET 2018

Hi GnuPG folks,

The current version of the FAQ recommends creating a revocation
certificate in several places.

§ 7.17

  "We recommend you create a revocation certificate immediately
   after generating a new GnuPG certificate."

§ 8.5

  "What should I do after making my certificate?
   Generate a revocation certificate"

§ 10

  "What are some common best practices?
   [...] Generate a revocation certificate"

However, since GnuPG 2.1 a revocation certificate is now
automatically generated by GnuPG at the same time a new key pair
is created, and stored in $GNUPGHOME/openpgp-revocs.d.

Therefore the above recommendations should either be removed or at
the very least amended to explain that they are only necessary
with GnuPG < 2.1.

FWIW, I believe they should be removed completely. Rationale: It
was already decided three years ago not to mention GnuPG 1.4
in the FAQ [1]. Since then, GnuPG 2.0 has been end-of-lifed and so
in my opinion should not be mentioned either.  Thus the FAQ should
only focus on "modern" GnuPG (>= 2.1). And with modern GnuPG there
is no need to recommend generating a revocation certificate.

On the same topic, the answer to the question "How do I generate a
revocation certificate?" (§ 8.5) should be amended to explain that
such a revocation certificate may already have been generated.
("May", because it is possible the user asking this question has
generated his or her key a long time ago, using an older version
of GnuPG.)

Comments are welcome.



[1] https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054172.html
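
The "may already have been generated" case above can be checked per key; the following is an added example, not part of the original message or of GnuPG. It assumes the certificates in openpgp-revocs.d are named `<fingerprint>.rev`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed fingerprints (not real keys), used only by sample_listing.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
FPR_SUB=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# missing_revocs DIR  (hypothetical helper name)
# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# fingerprint of every primary key that has no non-empty DIR/<fingerprint>.rev.
missing_revocs() {
    revdir=$1
    awk -F: '
        $1 == "sec" { want = 1; next }   # primary secret key: its fpr record follows
        $1 == "ssb" { want = 0; next }   # subkey: no separate revocation file
        $1 == "fpr" && want { print $10; want = 0 }   # field 10 = fingerprint
    ' | while read -r fpr; do
        [ -s "$revdir/$fpr.rev" ] || printf '%s\n' "$fpr"
    done
}

# Constructed colon-format listing: two primary keys, one with a subkey.
sample_listing() {
    cat <<EOF
sec:u:4096:1:AAAAAAAAAAAAAAAA:1541690518:::u:::scESC:::+:::23::0:
fpr:::::::::$FPR_A:
uid:u::::1541690518::::Alice (constructed) <alice@example.org>::::::::::0:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1541690518::::::e:::+:::23:
fpr:::::::::$FPR_SUB:
sec:u:4096:1:BBBBBBBBBBBBBBBB:1200000000:::u:::scESC:::+:::23::0:
fpr:::::::::$FPR_B:
uid:u::::1200000000::::Bob (constructed) <bob@example.org>::::::::::0:
EOF
}

# Real use, against the local keyring:
#   gpg --list-secret-keys --with-colons |
#       missing_revocs "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d"
```

Any fingerprint printed belongs to a key with no stored certificate, which is the situation in which generating one by hand still applies.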
