| 1 |
On Sun, Mar 27, 2011 at 10:47 PM, Kumba <kumba@g.o> wrote: |
| 2 |
> 1. How can I revoke the old key? The revocation cert is probably on the |
| 3 |
> same drive. |
| 4 |
|
| 5 |
You can't. You need the private key to generate a revocation |
| 6 |
certificate. The best you might be able to do is ask keyserver admins |
| 7 |
to remove it manually, or try to recover the key. |
| 8 |
|
| 9 |
Or crack RSA... :) |
| 10 |
|
| 11 |
This is one of the reasons PKI is painful. |
| 12 |
|
| 13 |
> |
| 14 |
> 2. The dev manual states not to create a key with an expiration longer than |
| 15 |
> 6 months. How does this impact items signed already if the key has to be |
| 16 |
> replaced bi-annually? (I suspect I'm not fully grasping something here w/r |
| 17 |
> to GPG). |
| 18 |
|
| 19 |
When gpg verifies signatures it takes into account the date the |
| 20 |
signature was performed. So, after this date the key is not valid for |
| 21 |
new signatures. |
| 22 |
|
| 23 |
Expiration dates are more about receiving encrypted data than sending |
| 24 |
it. Basically it tells people who have your public key to please be |
| 25 |
nice and not use this key after this date, that way I don't need to |
| 26 |
keep a copy of old keys until the end of time just in case. In your |
| 27 |
case, when your old key expires you will no longer need to worry about |
| 28 |
getting an encrypted email you can't read. |
| 29 |
|
| 30 |
They provide no security for stolen keys, since the date can be |
| 31 |
changed if you have access to the private key. This is in contrast to |
| 32 |
SSL certificates, where the CA key would be needed to do this. With |
| 33 |
SSL the expiry is more about the CA than the key itself. The only |
| 34 |
security mechanism for stolen certs is revocation. |
| 35 |
|
| 36 |
> |
| 37 |
> 3. If I'm going to start using GPG, I might as well use it for a few things. |
| 38 |
> Anyone got pointers for cross-platform use, i.e., Thunderbird on Windows? |
| 39 |
|
| 40 |
Enigmail. Haven't actually used it on windows but it is pretty |
| 41 |
transparent and I believe it supports windows. No graceful solution |
| 42 |
to keyring management that I know of, except that the same files |
| 43 |
should work on both platforms, and either platform can merge two |
| 44 |
keyring files which should make syncs easy (you're generally only |
| 45 |
adding to them all the time). |
| 46 |
|
| 47 |
Rich |
Archives