Update FAQ about revocation certificates?
Damien Goutte-Gattat
dgouttegattat at incenp.org
Thu Nov 8 16:21:58 CET 2018
Hi GnuPG folks,

The current version of the FAQ recommends creating a revocation
certificate in several places.

§ 7.17
"We recommend you create a revocation certificate immediately
after generating a new GnuPG certificate."

§ 8.5
"What should I do after making my certificate?
Generate a revocation certificate"

§ 10
"What are some common best practices?
[...] Generate a revocation certificate"

However, since GnuPG 2.1 a revocation certificate is now
automatically generated by GnuPG at the same time a new key pair
is created, and stored in $GNUPGHOME/openpgp-revocs.d.

Therefore the above recommendations should either be removed or at
the very least amended to explain that they are only necessary
with GnuPG < 2.1.

FWIW, I believe they should be removed completely. Rationale: It
was already decided three years ago not to mention GnuPG 1.4
in the FAQ [1]. Since then, GnuPG 2.0 has been end-of-lifed and so
in my opinion should not be mentioned either. Thus the FAQ should
only focus on "modern" GnuPG (>= 2.1). And with modern GnuPG there
is no need to recommend generating a revocation certificate.

On the same topic, the answer to the question "How do I generate a
revocation certificate?" (§ 8.5) should be amended to explain that
such a revocation certificate may already have been generated.
("May", because it is possible the user asking this question
generated his or her key a long time ago, using an older version
of GnuPG.)

Comments are welcome.

Cheers,

Damien

[1] https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054172.html
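
The "may already have been generated" case from the message above can be checked per key; the following is an added example, not part of the original post or of GnuPG. It assumes the stored certificate is named `<primary key fingerprint>.rev` inside `openpgp-revocs.d`; the function names and the `check` argument are hypothetical.

```shell
#!/bin/sh
# Added example: report primary secret keys that have no stored revocation
# certificate (e.g. keys created with GnuPG < 2.1 and imported later).
# Assumption: GnuPG >= 2.1 names the file <primary-fingerprint>.rev.

# Read `gpg --list-secret-keys --with-colons` output on stdin and print the
# fingerprint of each primary secret key (subkey fingerprints are skipped).
primary_fingerprints() {
    awk -F: '
        $1 == "sec" { want = 1; next }   # primary secret key record
        $1 == "ssb" { want = 0; next }   # secret subkey: ignore its fpr
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Print each primary fingerprint from stdin that has no non-empty .rev file
# in the directory given as $1.
missing_revocs() {
    revdir=$1
    primary_fingerprints | while read -r fpr; do
        [ -s "$revdir/$fpr.rev" ] || printf '%s\n' "$fpr"
    done
}

# Query the live keyring only when the script is run with the argument "check".
if [ "${1:-}" = "check" ]; then
    home=${GNUPGHOME:-$HOME/.gnupg}
    gpg --list-secret-keys --with-colons |
        missing_revocs "$home/openpgp-revocs.d"
fi
```

Any fingerprint printed belongs to a key for which a revocation certificate still has to be generated by hand.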