Mon, 01 Dec 2003 10:58:04 -0500
Hi folks. Long before I became the PGP gun nut that I am now, I had established a key for my old email address, mike at sixthiteration.org. Now that I have my current key, for my current e-mail address, this old key is of no use to me. Under normal circumstances, I would just revoke it. But it never occurred to me to hold on to that old secret key. So now I can't revoke it, even if I wanted to. Therefore, according to the "PGP User's Guide", I ask that anyone who might have been using that key, or has it on their keychain, disable it.
Normally, if you want to revoke your own secret key, you can use the -kd command to issue a revocation certificate, signed with your own secret key (see "Revoking a Public Key").
But what can you do if you lose your secret key, or if your secret key is destroyed? You can't revoke it yourself, because you must use your own secret key to revoke it, and you don't have it anymore. A future version of PGP will offer a more secure means of revoking keys in these circumstances, allowing trusted introducers to certify that a public key has been revoked. But for now, you will have to get the word out through whatever informal means you can, asking users to disable your public key on their own individual public key rings.
Other users may disable your public key on their own public key rings by using the -kd command. If a user ID is specified that does not correspond to a secret key on the secret key ring, the -kd command will look for that user ID on the public key ring, and mark that public key as disabled. A disabled key may not be used to encrypt any messages, and may not be extracted from the key ring with the -kx command. It can still be used to check signatures, but a warning is displayed. And if the user tries to add the same key again to his key ring, it will not work because the disabled key is already on the key ring. These combined features will help curtail the further spread of a disabled key.
If the specified public key is already disabled, the -kd command will ask if you want the key reenabled.
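The PGP 2.x commands quoted above (-kd to revoke your own key, or to disable someone else's public key on your own ring) have direct GnuPG counterparts, and GnuPG also closes the exact gap the post describes: since version 2.1 it writes a revocation certificate at key generation time, signed by the new key, so the key can still be revoked after the secret key is lost. The script below is an added example, not part of the original message or of the PGP User's Guide. It assumes gpg 2.1 or later on the PATH, runs entirely in a throwaway GNUPGHOME so it never touches ~/.gnupg, and uses a constructed test identity (Test Key <test@example.invalid>) with no passphrase; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the PGP User's Guide).
# GnuPG (gpg >= 2.1) as the modern counterpart of the PGP 2.x -kd commands.
# Everything runs in a throwaway GNUPGHOME with a constructed test identity.

# Create an isolated keyring so nothing here touches ~/.gnupg.
new_keyring() {
    GNUPGHOME=$(mktemp -d) || return 1
    chmod 700 "$GNUPGHOME"
    export GNUPGHOME
    printf '%s\n' "$GNUPGHOME"
}

# Generate a key without a passphrase (test only) and print its fingerprint.
# Since GnuPG 2.1, key generation also stores a revocation certificate in
# $GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev. That file is what the
# post's author lacked: keep a copy offline and the key can be revoked
# even after the secret key is gone.
gen_key() {
    uid=$1
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" >/dev/null 2>&1 || return 1
    gpg --batch --list-keys --with-colons "$uid" 2>/dev/null |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# Path of the revocation certificate GnuPG wrote for a fingerprint.
revcert_path() {
    printf '%s\n' "$GNUPGHOME/openpgp-revocs.d/$1.rev"
}

# State of a key as seen by this keyring, read from --with-colons output:
# field 2 is "r" for revoked and "d" for disabled; field 12 (capabilities)
# carries "D" for disabled on newer versions. Anything else is "active".
key_state() {
    gpg --batch --list-keys --with-colons "$1" 2>/dev/null |
        awk -F: '/^pub:/ {
            if ($2 == "r") print "revoked";
            else if ($2 == "d" || index($12, "D")) print "disabled";
            else print "active";
            exit }'
}

# GnuPG equivalent of PGP 2.x "-kd" on somebody else's public key: a
# local-only flag kept in the trustdb that stops gpg from encrypting to the
# key. It is not a revocation and does not propagate to anyone else.
disable_key() {
    gpg --batch --yes --edit-key "$1" disable save >/dev/null 2>&1
}

# Revoke the key with the stored certificate. GnuPG writes the file with a
# ":" in front of the armor header so it cannot be imported by accident;
# strip that colon and import. Publishing the same certificate (key server,
# web page, mailing list) is what makes the revocation reach other rings.
revoke_from_stored_cert() {
    cert=$(revcert_path "$1")
    [ -f "$cert" ] || return 1
    sed 's/^:-----BEGIN/-----BEGIN/' "$cert" |
        gpg --batch --import >/dev/null 2>&1
}

# Stop the agent started for the temporary home and remove the directory.
cleanup_keyring() {
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
}

demo() {
    new_keyring >/dev/null
    fpr=$(gen_key "Test Key <test@example.invalid>")
    echo "fingerprint: $fpr"
    echo "stored revocation certificate: $(revcert_path "$fpr")"
    echo "state after generation: $(key_state "$fpr")"
    disable_key "$fpr"
    echo "state after local disable (PGP -kd equivalent): $(key_state "$fpr")"
    revoke_from_stored_cert "$fpr"
    echo "state after importing the stored certificate: $(key_state "$fpr")"
    cleanup_keyring
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```

Run as-is and the key goes from active to disabled to revoked. The lesson for the situation in the post is the .rev file: copy it somewhere safe the moment a key is generated, because it is signed by the key itself and therefore stays valid after the secret key is lost. Disabling, in GnuPG as in PGP 2.x, is a decision each recipient makes on their own ring; it is the fallback when no revocation certificate exists, which is why the post has to ask for it by hand.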

