Help me to import my secret key please
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun May 9 15:33:24 CEST 2010
On 05/09/2010 04:40 AM, Charly Avital wrote:
> Yes, you can gnerate a new key pair with the same user ID email, the key
> server will accept it. Do not forget to generate a revocation
> certificate and to store in a safe place.
Yup, Charly is correct about this. You can actually have as many keys
as you like with the same UID in the public keyservers.
> You might want to indicate in
> the comment of the new key that the previous key (key ID) is not usable,
> if yoi plan to upload the new public key to a key server
I'm not sure exactly what Charly means here, but i strongly recommend
you do *not* put this kind of remark in the comment section of the User
ID for your new key (between the name and the e-mail). A better
approach is to make a key transition document that describes the
situation, sign it with the new key, and post it publicly. For example:
http://fifthhorseman.net/key-transition-2007-06-15.txt
(if you still had access to your old key, you could have signed the
transition statement with it too)
So why do i think you shouldn't put it in the comment section of your
new User ID? Your User ID is the linkage between your key and your
real-world identity. When you ask people to "sign your key", you are
asking them to certify (a) that this key belongs to you, and (b) that
they believe this User ID does really belong to you too. If your User
ID contains a string that does not really relate to you, you're asking
people to certify something unusual and potentially meaningless.
Also, consider the situation 5 years from now -- hopefully you'll still
be able to use the key you made today. Do you really want a remark
about this legacy key to follow you for 5 years?
Lastly, since you can't revoke the old key outright, you might consider
contacting everyone who has already certified it and asking them to
revoke their signatures on the key. You can point them to your
published key transition document as a start, but you'll probably want
to also contact them offline -- this is also a good opportunity for you
to ask them to certify your new key. That way, in the future, there
will be no valid certifications on your old key, and which key people
should choose for you should become clearer.
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100509/a690bf7f/attachment.pgp>
More information about the Gnupg-users
mailing list