On Sun, Mar 27, 2011 at 10:47 PM, Kumba <ku...@gentoo.org> wrote:
> 1. How can I revoke the old key?  The revocation cert is probably on the
> same drive.

You can't.  You need the private key to generate a revocation
certificate.  The best you might be able to do is ask keyserver admins
to remove it manually, or try to recover the key.

Or crack RSA...  :)

This is one of the reasons PKI is painful.

>
> 2. The dev manual states not to create a key with an expiration longer than
> 6 months.  How does this impact items signed already if the key has to be
> replaced bi-annually? (I suspect I'm not fully grasping something here w/r
> to GPG).

When gpg verifies signatures it takes into account the date the
signature was performed.  So, after this date the key is not valid for
new signatures.

Expiration dates are more about receiving encrypted data than sending
it.  Basically it tells people who have your public key to please be
nice and not use this key after this date, that way I don't need to
keep a copy of old keys until the end of time just in case.  In your
case, when your old key expires you will no longer need to worry about
getting an encrypted email you can't read.

They provide no security for stolen keys, since the date can be
changed if you have access to the private key.  This is in contrast to
SSL certificates, where the CA key would be needed to do this.  With
SSL the expiry is more about the CA than the key itself.  The only
security mechanism for stolen certs is revocation.

>
> 3. If I'm going to start using GPG, I might as well use it for a few things.
> Anyone got pointers for cross-platform use, i.e., Thunderbird on Windows?

Enigmail.  Haven't actually used it on windows but it is pretty
transparent and I believe it supports windows.  No graceful solution
to keyring management that I know of, except that the same files
should work on both platforms, and either platform can merge two
keyring files which should make syncs easy (you're generally only
adding to them all the time).

Rich
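Points 2 and 3 of Rich's reply (an old signature stays verifiable after expiry, an expired key cannot make new ones, and the holder of the private key can move the date at will) run through a throwaway keyring, as an added example that is not part of the thread. It assumes GnuPG 2.1+ with gpg-agent, uses a constructed identity, and stands in for "ten days later" with --faked-system-time.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+ (with gpg-agent),
# a throwaway keyring under a temp GNUPGHOME and a constructed identity.
set -eu

# gpg with the flags every step needs: no prompts, empty passphrase
gpgq() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

gpg_expiry_demo() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  later=$(( $(date +%s) + 864000 ))          # epoch seconds, 10 days on

  # A key that expires in one day, and a detached signature made today.
  gpgq --quick-gen-key 'Demo <demo@example.invalid>' default default 1d
  fpr=$(gpgq --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
  echo 'release tarball' > "$GNUPGHOME/m"
  gpgq --detach-sign -o "$GNUPGHOME/m.sig" "$GNUPGHOME/m"

  # 1) Ten days on, the old signature is still reported as good: gpg judges
  #    it by the date it was made, and only flags the key as expired with
  #    EXPKEYSIG instead of GOODSIG (never BADSIG). Scripts must read that
  #    status line rather than just trusting the exit code.
  old_sig=$(gpgq --faked-system-time "$later" --status-fd 1 \
              --verify "$GNUPGHOME/m.sig" "$GNUPGHOME/m" \
            | awk '/^\[GNUPG:\] (GOODSIG|EXPKEYSIG|BADSIG)/{print $2; exit}' || true)

  # 2) Ten days on, the expired key is refused for a NEW signature.
  if gpgq --faked-system-time "$later" --detach-sign -o "$GNUPGHOME/new.sig" "$GNUPGHOME/m"
  then new_sig=allowed; else new_sig=refused; fi

  # 3) Whoever holds the private key can simply move the expiry date, which
  #    is why expiry offers no protection against a stolen key.
  gpgq --quick-set-expire "$fpr" 1y
  if gpgq --faked-system-time "$later" --detach-sign -o "$GNUPGHOME/new.sig" "$GNUPGHOME/m"
  then after_extend=allowed; else after_extend=refused; fi

  rm -rf "$GNUPGHOME"
  echo "$old_sig $new_sig $after_extend"      # EXPKEYSIG refused allowed
}

gpg_expiry_demo
```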