On Sun, Mar 27, 2011 at 10:47 PM, Kumba <kumba@g.o> wrote:
> 1. How can I revoke the old key? The revocation cert is probably on the
> same drive.

You can't. You need the private key to generate a revocation
certificate. The best you might be able to do is ask keyserver admins
to remove it manually, or try to recover the key.

Or crack RSA... :)

This is one of the reasons PKI is painful.

>
> 2. The dev manual states not to create a key with an expiration longer than
> 6 months. How does this impact items signed already if the key has to be
> replaced bi-annually? (I suspect I'm not fully grasping something here w/r
> to GPG).

When gpg verifies signatures it takes into account the date the
signature was performed. So, after this date the key is not valid for
new signatures.

Expiration dates are more about receiving encrypted data than sending
it. Basically it tells people who have your public key to please be
nice and not use this key after this date, that way I don't need to
keep a copy of old keys until the end of time just in case. In your
case, when your old key expires you will no longer need to worry about
getting an encrypted email you can't read.

They provide no security for stolen keys, since the date can be
changed if you have access to the private key. This is in contrast to
SSL certificates, where the CA key would be needed to do this. With
SSL the expiry is more about the CA than the key itself. The only
security mechanism for stolen certs is revocation.

>
> 3. If I'm going to start using GPG, I might as well use it for a few things.
> Anyone got pointers for cross-platform use, i.e., Thunderbird on Windows?

Enigmail. Haven't actually used it on Windows but it is pretty
transparent and I believe it supports Windows. No graceful solution
to keyring management that I know of, except that the same files
should work on both platforms, and either platform can merge two
keyring files which should make syncs easy (you're generally only
adding to them all the time).

Rich
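An added example, not part of this thread, illustrating the two points Rich makes about expiry: in OpenPGP (RFC 4880) the key expiration time is a subpacket of the owner's own self-signature, not of the key packet, so whoever holds the private key can simply re-sign with a new date; and a data signature is judged against the expiry using the signature's own creation time, so signatures made before expiry still verify afterwards. The signature packets are constructed here with dummy MPIs, and `be32`, `sig_packet`, `demo` and the other names are this example's own.

```python
SIG_CREATION_TIME = 2    # subpacket: when the signature itself was made (4-octet unix time)
KEY_EXPIRATION_TIME = 9  # subpacket: seconds after key creation; lives in the self-signature

def be32(n):
    return n.to_bytes(4, "big")

def subpacket(sp_type, body):
    # one-octet length form: the length counts the type octet (body < 191 octets)
    return bytes([len(body) + 1, sp_type]) + body

def sig_packet(sig_type, hashed):
    """Constructed v4 signature packet body (tag 2) with dummy hash prefix and MPI."""
    area = b"".join(hashed)
    return (bytes([4, sig_type, 1, 8])                  # v4, type, RSA, SHA-256
            + len(area).to_bytes(2, "big") + area       # hashed subpacket area
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x01\x00")  # no unhashed, left16, MPI

def hashed_subpackets(pkt):
    """Parse the hashed subpacket area of a v4 signature into {type: body}."""
    assert pkt[0] == 4, "only v4 signatures are handled in this example"
    n = int.from_bytes(pkt[4:6], "big")
    area, out, i = pkt[6:6 + n], {}, 0
    while i < len(area):
        length = area[i]
        assert length < 192, "multi-octet subpacket lengths not handled here"
        out[area[i + 1]] = area[i + 2:i + 1 + length]
        i += 1 + length
    return out

def key_expiry(key_created, self_sig):
    """Absolute expiry from the self-signature, or None if the key never expires.
    Whoever holds the private key can re-issue this signature with a new date."""
    body = hashed_subpackets(self_sig).get(KEY_EXPIRATION_TIME)
    return None if body is None else key_created + int.from_bytes(body, "big")

def signature_acceptable(key_created, self_sig, data_sig):
    """A data signature counts if it was made before the key expired, whenever verified."""
    made = int.from_bytes(hashed_subpackets(data_sig)[SIG_CREATION_TIME], "big")
    expiry = key_expiry(key_created, self_sig)
    return expiry is None or made <= expiry

def demo():
    created = 1_300_000_000                       # constructed key creation time
    self_sig = sig_packet(0x13, [subpacket(SIG_CREATION_TIME, be32(created)),
                                 subpacket(KEY_EXPIRATION_TIME, be32(182 * 86400))])
    day_later = sig_packet(0, [subpacket(SIG_CREATION_TIME, be32(created + 86400))])
    year_later = sig_packet(0, [subpacket(SIG_CREATION_TIME, be32(created + 365 * 86400))])
    return (signature_acceptable(created, self_sig, day_later),    # True
            signature_acceptable(created, self_sig, year_later))   # False
```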