> I have never understood why people seem to believe that they cannot safely
> store a key backup (including the passphrase if necessary) but can safely
> store a revocation certificate.

It comes into play more when entrusting others. If I give my lawyer a copy of my certificate and passphrase with instructions of "revoke these when I die," I'm giving my lawyer the power to impersonate me should my lawyer suddenly go rogue. If I give my lawyer a revocation certificate, I'm exposed to far less risk.

> And is it really a good idea to use the same passphrase for both mainkey and
> subkeys?

This can't be answered without knowing about a specific threat that the person is trying to mitigate. I think that most models will find this to be a negligible risk.

(This next quote belongs to adrelanos, not Hauke.)

> Securely wiping of data is a difficult issue. We believe it is safer to
> create a new keypair (a new secring.gpg) than trusting gpg to remove the
> private master key from secring.gpg.

First, using the royal "we" is... well, royal. "We" is appropriate when writing a committee report or if the speaker is a sitting monarch. Otherwise, "I" should be used.

Second, why is a secure wipe necessary? The only information that's recoverable is public metadata. The key material itself is encrypted. If people doubt me on this, I am quite happy to post my private key to the list. So long as you've got a good passphrase on your certificate, you can post your private key in the _New York Times_.

I'm unaware of any model in which a private key needs to be securely scrubbed, unless you're not putting a strong passphrase on the certificate. Even then, scrubbing data is usually a sign you've misunderstood the problem you're trying to solve. If you're concerned about sensitive data lurking on your hard drive the solution isn't to scrub the drive, it's to use an encrypted filesystem.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users