On 08/06/14 20:34, Hauke Laging wrote:
> "After creating the key create a revocation certificate, too." I still have
> to be told why it shall be possible to have a safe backup of the revocation
> certificate but impossible (or less possible) to have a safe backup of the
> secret mainkey...

This one seems easy... leakage of the revocation certificate is much more benign. No secret stuff is compromised, and in order for the leakage to be useful, your adversary would need to publish the revocation certificate, so you would notice. This is in stark contrast with the private key, which can be used without you noticing, to read your secrets. And any new secrets produced in the future, on account of you not noticing.

So the storage requirements for the revocation certificate are much less demanding than for the backup secret keys, meaning there are more places you can keep it, meaning you have a higher chance of still being able to access it.

... because a revocation certificate is only useful when the key backup is lost. So obviously you should make sure that they are stored separately. This is one of the silly recommendations I've also seen: store your revocation certificate with your private key. That only covers the case of forgetting the passphrase; in all other cases it's useless (I think). And that's hoping you didn't use the same passphrase with your "encrypted USB-drive" and lost access to the certificate as well.

It all boils down to: "a safe backup" depends on what you are backing up.

> I recommend that all qualified people do the same when encountering bad
> articles.

The problem lies in "qualified". I think the authors of the bad advice consider themselves qualified, for instance. Otherwise why are they giving advice.

> It seems important to me to increase the quality of information out there.

Hmmmm... this is the internet. I don't think you can keep the bad advice off the net. You need to have the good advice in a prominent place. But maybe that's what you meant.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users