Revocation Certificate

Neil Williams linux at codehelp.co.uk
Tue Jul 20 11:13:07 CEST 2004


On Tuesday 20 July 2004 8:36, Mirek Göbel wrote:
> I could yet not figure out, what a revocation certificate does.

http://www.dclug.org.uk/linux_doc/startgnupg.html#revoke

> What is a revocation certificate for?

To revoke a specific key - it is generated in advance so that if you later 
forget the passphrase you can still revoke the key. (Although you can't do 
anything else with the key.) It is an external file, usually a simple text 
file, that gpg can import. It is created using the secret key, so you must 
have the passphrase when you create it, which is why you create it in advance.
:-)

> What can I do with it?

Revoke the key that generated the certificate. Nothing else.

> Why is it important?

Because it does not require the passphrase to import the file and revoke the 
key - you must take great care about how you store the certificate. Anyone 
who gets hold of your revocation certificate can revoke your key and there 
would be nothing you could do to stop it.

Also because without a certificate, if you forget the passphrase to your key 
it will languish on the keyservers forever as a seemingly active key. No key 
can be revoked without either the passphrase (and secret key) or the 
revocation certificate (no secret key needed).

If you still know your passphrase and your key is compromised, it still needs 
to be revoked and a certificate will still need to be created, imported and 
the updated key sent to keyservers. A stored certificate is just there in 
case you forget the passphrase or lose the secret key in some hard disc 
drama. (You must have a backup secret key if you want to continue using the 
key.)

Revocation is about helping others - when you know the key is 
unusable/compromised, revocation lets everyone else know too.

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
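The whole cycle described in the post, as an added shell example that is not part of the original message and not GnuPG project code: create a passphrase-protected key, let gpg write the revocation certificate in advance, then revoke the key by importing that certificate without ever supplying the passphrase. It assumes GnuPG 2.1 or later (which stores the pre-generated certificate under openpgp-revocs.d), a throwaway user id and passphrase chosen here for the demo, and a temporary GNUPGHOME so the real keyring is never touched. The final "send it to the keyservers" step is only noted in a comment, since it needs the network.

```shell
#!/bin/sh
# Added example, not from the post: pre-generated revocation certificate in use.
set -eu

# Runs in a subshell (parenthesised body) so the temporary GNUPGHOME and the
# exported variable never leak into the caller. Prints the key's validity
# flag after the revocation certificate is imported: "r" means revoked.
# Prints "skipped" when gpg is not installed at all.
revocation_demo() (
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping demo" >&2
        echo skipped
        return 0
    fi

    GNUPGHOME=$(mktemp -d)          # throwaway keyring
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid='Revocation Demo <revoke-demo@example.invalid>'   # assumed identity
    pass='demo-passphrase'                                 # assumed passphrase

    # 1. Generate a passphrase-protected signing key. gpg >= 2.1 also writes a
    #    revocation certificate for it to openpgp-revocs.d/<FPR>.rev at this
    #    point, using the secret key while the passphrase is available. This
    #    is the "create it in advance" step (the equivalent of gpg --gen-revoke).
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-gen-key "$uid" ed25519 sign never >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-keys "$uid" \
          | awk -F: '/^fpr:/ { print $10; exit }')

    # 2. The stored certificate is deliberately disarmed: gpg puts a colon in
    #    front of the BEGIN line so it cannot be imported by accident. Removing
    #    that colon is the only edit needed, which is exactly why the file must
    #    be kept offline: anyone holding it can revoke the key.
    sed 's/^:-----BEGIN/-----BEGIN/' \
        "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" > "$GNUPGHOME/revoke.asc"

    # 3. Revoke by importing the certificate. No passphrase, no pinentry and no
    #    secret key are involved: the certificate is a self-signature that only
    #    has to be attached to the public key.
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc" >/dev/null 2>&1

    # 4. Inspect the pub record: field 2 is the validity, "r" for revoked.
    #    In real life the next step is publishing it: gpg --send-keys "$fpr"
    gpg --batch --with-colons --list-keys "$fpr" \
        | awk -F: '/^pub:/ { print $2; exit }'

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
)

revocation_demo
```

Once the key is revoked in the local keyring, signing with it fails even though the secret key and passphrase are still present, which is the post's point that the certificate revokes the key and does nothing else. The colon trick in step 2 is the safeguard gpg itself applies to the stored file; a copy printed to paper or kept on offline media should be treated like the secret key, since importing it requires nothing else.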