[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] OpenPGP private certification



On Wed, Apr 8, 2015 at 6:53 AM, Werner Koch <wk@xxxxxxxxx> wrote:
> On Thu,  2 Apr 2015 18:09, phill@xxxxxxxxxxxxxxx said:
>
>> Since the key servers won't allow me to revoke the cert for the
>> private key I have no control over, I think that it would be more
>
> They allow that but you need to have a key prepared for this:
>
>  5.2.3.15.  Revocation Key
>
>    (1 octet of class, 1 octet of public-key algorithm ID, 20 octets of
>    fingerprint)
>
>    Authorizes the specified key to issue revocation signatures for this
>    key.  Class octet must have bit 0x80 set.  If the bit 0x40 is set,
>    then this means that the revocation information is sensitive.  Other
>    bits are for future expansion to other kinds of authorizations.  This
>    is found on a self-signature.
>
> ("gpg --edit-key, addrevoker" to set such a key and "gpg --desig-revoke"
>  to issue a revocation)

If I could remember my passphrase then I would not need to revoke.

My point here is that if we want to get a billion people using
encrypted mail then it has to offer iPhone class usability, not OK for
1990s usability.


There are plenty of ways that the scheme could be fixed. Since key
server enrollment can be made automatic, it would be pretty easy to
renew the enrollment once every n months and discard keys that have
not been renewed for 5 years or for more than a year if there is a
replacement key.

Having the key servers continue to regurgitate false or stale data
forever because there is no way to stop them does not seem like an
acceptable plan to me.

_______________________________________________
openpgp mailing list
openpgp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/openpgp