Revocation certificate creation (was: options files)
On Tue, 26 Feb 2013 01:25, cr...@2ndquadrant.com said:

> I really wish a 1y or 2y expiry was the default and that gpg prompted you
> to generate a revcert as part of key generation. I spend a lot of I wish I
> had done that right from the beginning.

The reason why I did not was the fear that then the revocation certificate would be readily available on the disk and 3 things may happen:

- The user accidentally imports that certificate and it would eventually end up on the keyservers.
- Someone else gets access to the revocation certificate and sends it to the keyserver.
- The disk crashed and the user has no backup.

Reviewing this today I may say that the first could be mitigated by indenting the lines of the revocation certificate so that GPG would not be able to import it directly. The second is not a real issue. The third is probably the most likely threat; however, it would not be worse than not having a revocation certificate at all.

Given that the default for smartcards is to store the backup on disk and ask the user to move it to a safer place, we might as well do something similar for revocation certificates. Comments?

Regarding a default expiration date: It may be useful if GUIs would do this (as long as they also offer an option to prolong the expiration).

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are regulated by a federal law.)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
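As an added illustration (not code from the thread or from GnuPG), here is a Python sketch of the on-disk handling Werner proposes: the stored revocation certificate is kept with every line indented so that the armor is not recognised by a stray import, and the armor's CRC-24 trailer is verified before the stored copy is trusted, which catches the damaged-copy case. The minimal armor builder, the payload bytes and the four-space indent are my own constructions for the demo, not GnuPG's own format handling.

```python
import base64

SAMPLE_PAYLOAD = b"\x88\x33\x04\x20demo revocation packet bytes"  # constructed, not a real packet
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1
GUARD_INDENT = "    "   # assumed guard marker; any leading whitespace defeats "-----BEGIN" detection

def crc24(data: bytes) -> int:
    """CRC-24 over the decoded payload, the checksum carried in the armor trailer."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(payload, kind="PUBLIC KEY BLOCK"):
    """Minimal ASCII armor (no header lines) with a CRC-24 trailer."""
    body = base64.b64encode(payload).decode()
    lines = [f"-----BEGIN PGP {kind}-----", ""]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    lines.append(f"-----END PGP {kind}-----")
    return "\n".join(lines) + "\n"

def dearmor(text):
    """Decode an armored block, refusing it if the CRC-24 trailer does not match."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP "))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP "))
    inner = lines[begin + 1:end]
    blank = inner.index("") if "" in inner else -1  # armor headers end at the blank line
    data = [ln for ln in inner[blank + 1:] if ln]
    if not data or not data[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    expected = int.from_bytes(base64.b64decode(data.pop()[1:]), "big")
    payload = base64.b64decode("".join(data), validate=True)
    if crc24(payload) != expected:
        raise ValueError("armor checksum mismatch: stored certificate is damaged")
    return payload

def guard(armored):
    """Indent every line so '-----BEGIN' is no longer at column 0 (Werner's mitigation)."""
    return "".join(GUARD_INDENT + ln + "\n" for ln in armored.splitlines())

def unguard(guarded):
    """Undo guard() when the certificate is actually needed."""
    return "".join(ln[len(GUARD_INDENT):] + "\n" for ln in guarded.splitlines())
```

A guarded file round-trips through unguard() and dearmor() unchanged, while a single altered base64 character makes dearmor() raise instead of returning a silently corrupted certificate.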
Re: Revocation certificate creation
Hi Werner,

> Given that the default for smartcards is to store the backup on disk and
> ask the user to move it to a safer place, we might as well do something
> similar for revocation certificates. Comments?

My vote: yes. Non-intrusive information about what the next steps should be. When creating a key using Enigmail, it asks the user to save a rev cert. The CLI should do the same.

> Regarding a default expiration date: It may be useful if GUIs would do this
> (as long as they also offer an option to prolong the expiration).

Personally, I used to use expiration dates but found it inconvenient. On newer keys, I rather make sure I have a rev cert in a safe place and set no expiry. But that's a personal preference. And yes, a user really should do one or the other at least.

Concerning expiration, I vote to set it to 3 years at least, but there are different scenarios that have requirements: private messaging, company keys, ...

Olav

--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
Re: Revocation certificate creation
On Tue, 26 Feb 2013 12:45, o...@enigmail.net said:

> my vote: yes. Non-intrusive information about what next steps should be.
> When creating a key using Enigmail, it asks the user to save a rev cert.
> CLI should do the same.

You mean printing a hint to create a revocation certificate would be enough? Similar to the

  Note that this key cannot be used for encryption. You may want to use
  the command --edit-key to generate a subkey for this purpose.

you see if you don't use the defaults?

Shalom-Salam,

Werner
Re: Revocation certificate creation
Hi Werner,

>> When creating a key using Enigmail, it asks the user to save a rev cert.
>> CLI should do the same.
> You mean printing a hint to create a revocation certificate would be enough?

Well, first, it's just my opinion. Second, I'd vote for a hint _at least_. I'd prefer a question to the user whether he/she wants to create one. Same applies for the key backup itself! Even with a question, there should be one sentence explaining why the user should care about it, like:

  If your private key is lost or broken or gets compromised, you might want
  to mark your public key invalid if you (or someone) put it on a public key
  server. You can do so using a revocation certificate. Would you like to
  create a revocation certificate now?

(If yes, ask for typical causes, maybe even multiple; IMHO no expert freetext cause - those that do know this also know how to use args.)

[Farewell message prior to exiting]

  Mind to store a copy of your private and public key /if rev cert was
  created: and the revocation certificate(s)/ on a reliable offline media
  and save that in a place only you have access to.

Well, that's a lot to read; maybe there's a shorter way to tell, but it should be readable by the average user. Again: my personal preference.

Olav

--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
Re: Revocation certificate creation
On Tue 26.02.2013, 14:37:49, Olav Seyfarth wrote:

> well, first it's just my opinion. Second, I'd vote for a hint _at least_.

I am a big fan of hints, too. If these get improved / extended, an option like

  --no-hints=all
  --no-hints=noencryptionkey,norevocationcertificate,...

may be offered for those who feel bothered, as a very easy, trivial-to-maintain feature. Or --no-long-hints=... in case the short texts get longer.

These hints should contain the URL of the respective gnupg.org doc page, too. IIRC this is already done for non-cross-signed signing subkeys.

Hauke

--
☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
Re: Revocation certificate creation
On Tue, 26 Feb 2013 15:16, mailinglis...@hauke-laging.de said:

> I am a big fan of hints, too. If these get improved / extended an option
> like --no-hints=all

Well, we have the --expert option. If it is used we could assume that a hint is not required.

Salam-Shalom,

Werner