On Thu, Jan 23, 2014 at 05:53:57PM +0000, nb.linux wrote:
> Hi Uwe,
>
> Johannes Zarl:
> > So in short:
> > - a delay won't help you
> > - protect your private key so this won't happen
> > - always use a strong passphrase
> and in addition: if you fear (or know) that your secret key was copied
> from your system, revoke it!
> To me, this is a very important feature of OpenPGP: _you_ can actually
> do something to reduce (not more, but also not less!) harm for yourself
> and others.
> And, you can be prepared for such an event (i.e. having created the
> revocation certificates in advance, stored them in a safe but accessible
> place, printed out on paper, ...).
Actually, this is something I never understood. Why should people create a revocation certificate and store it in a safe place, instead of backing up the main key? So long as the primary key is encrypted and the passphrase is strong, this should not lead to any security danger. (Anyway, it's stored in a "safe" place. And a revocation certificate misused is dangerous too, as it ruins a web of trust.)

And the advantage of doing so is that, in case of accidental erasing of the private key (who never accidentally deleted an important file?), it also allows the main key to be retrieved. The primary key allows one to create a revocation certificate, not the other way around.

So, why store a safe revocation certificate?

Leo

PS: Please, do not tell me one might have forgotten his passphrase. In this case there is no harm in shredding the secret key and waiting for the expiration date, answering persons emailing you encrypted files that you lost your passphrase. Anyway, in this case, you're screwed, and a revocation certificate would be no better -- unless it was stored unencrypted, at the risk of having it used when you do not want it to be.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
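The two artifacts the thread argues about, exercised side by side in throwaway keyrings, as an added example that is neither from the posts nor from GnuPG itself. It assumes GnuPG >= 2.2 (which writes a revocation certificate into openpgp-revocs.d/ when a key is created); the user ID, passphrase and function name are constructed for the example.

```shell
# Added example, not code from the thread: a revocation certificate made in
# advance and an encrypted backup of the primary key, each fed to a fresh
# keyring to show what it does. Assumes GnuPG >= 2.2, which writes the
# revocation certificate into openpgp-revocs.d/ at key creation.
# User ID and passphrase are constructed sample values.
set -eu

demo_revocation_vs_backup() {
    base=$(mktemp -d)
    home_a="$base/a"; home_b="$base/b"; home_c="$base/c"
    mkdir -m 700 "$home_a" "$home_b" "$home_c"
    pass='correct horse battery staple'   # constructed sample passphrase

    # Owner's keyring: create a key, passphrase fed through loopback pinentry.
    GNUPGHOME=$home_a gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$pass" \
        --quick-gen-key "Leo Example <leo@example.invalid>" default default never
    fpr=$(GNUPGHOME=$home_a gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Artifact 1: the backup of the main key. The secret material in the export
    # stays encrypted under the passphrase, which is what Leo's argument rests on.
    GNUPGHOME=$home_a gpg --batch --armor --pinentry-mode loopback \
        --passphrase "$pass" --export-secret-keys "$fpr" > "$base/backup.asc"
    GNUPGHOME=$home_a gpg --batch --armor --export "$fpr" > "$base/public.asc"

    # Artifact 2: the revocation certificate GnuPG made in advance. Its BEGIN
    # line carries a leading colon so it cannot be imported by accident;
    # removing the colon is the step that arms it.
    sed 's/^:-----BEGIN/-----BEGIN/' "$home_a/openpgp-revocs.d/$fpr.rev" \
        > "$base/revoke.asc"

    # Keyring B (a correspondent or keyserver): public key plus revocation
    # certificate. Field 2 of the "pub" record becomes "r" (revoked).
    GNUPGHOME=$home_b gpg --batch --quiet --import "$base/public.asc" "$base/revoke.asc"
    state=$(GNUPGHOME=$home_b gpg --batch --with-colons --list-keys "$fpr" \
            | awk -F: '$1 == "pub" { print $2; exit }')

    # Keyring C (a fresh machine after the key file was lost): the backup alone
    # brings the secret key back, from which a revocation cert can still be made.
    GNUPGHOME=$home_c gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --import "$base/backup.asc"
    restored=$(GNUPGHOME=$home_c gpg --batch --with-colons --list-secret-keys "$fpr" \
               | awk -F: '$1 == "sec" { n++ } END { print n + 0 }')
    for h in "$home_a" "$home_b" "$home_c"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$base"
    echo "pub_validity=$state secret_keys_restored=$restored"
}
```

Run `demo_revocation_vs_backup` after sourcing the file; it prints `pub_validity=r secret_keys_restored=1`, i.e. the revocation certificate marks the key revoked for anyone who imports it, while the backup restores the secret key (still passphrase-protected) on a new machine.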