[kde-doc-english] Re: Revocation Certificates??

Rolf Eike Beer kde at opensource.sf-tec.de
Sat Jul 30 17:33:22 CEST 2011


> On Thursday, 23 June 2011, at 10:44:28, Rolf Eike Beer wrote:
>> > On Wednesday, 22 June 2011, at 20:43:03, Rolf Eike Beer wrote:
>> >> On Wednesday, 22 June 2011, 17:15:19, Burkhard Lück wrote:
>> >> > Hi Daniel,
>> >> >
>> >> > On Tuesday, 21 June 2011, at 05:37:32, Daniel U. Thibault wrote:
>> >> > >    GnuPG4Win/Kleopatra prominently warns about creating a revocation
>> >> > > certificate before uploading a key pair to a PGP server.  But there is
>> >> > > a) no option to do this offered by the wizard and, more importantly, b)
>> >> > > absolutely no mention of how to do this in the help.  The interface is
>> >> > > of no help, giving absolutely no hint of how to do this.
>> >> > >
>> >> > >    I eventually found guidance at
>> >> > > http://www.emiic.net/reference/57-encrypting-email.  Not obvious at
>> >> > > all.
>> >> >
>> >> > This is about KGpg, right?
>> >> >
>> >> > Your a) seems to be a claim about a missing feature/warning/bug in KGpg,
>> >> > please report at bugs.kde.org product KGpg.
>> >> >
>> >> > Your b) could be solved adding some infos about a revocation certificate
>> >> > to the KGpg Handbook?
>> >>
>> >> Yes, please file a wishlist for KGpg on b.k.o and I'll see to get this
>> >> done for SC 4.8. There currently is no interface to create a revocation
>> >> certificate for an existing key. You are however asked if you want to
>> >> create one with a new key.
>> >>
>> >> I don't think complaining about a revocation certificate on every upload
>> >> is a good idea. But maybe we could do this with a
>> >> dont-show-this-dialog-again thing. Please file a separate wishlist if you
>> >> want this implemented and provide some good arguments to convince me.
>> >
>> > KGpg has an action "Revoke Key" in the context menu, which opens the
>> > "Create Revocation Certificate" dialog.
>> > But the documentation does not mention revocation.
>> >
>> > Eike would you mind to add something about revocation to the handbook, we
>> > could ship the updated doc with 4.7.1.
>>
>> Ups, indeed. Since even I forgot about it how is anyone else supposed to
>> know? ;) Yes, I think I'll cook up some text for this. Suggestions
>> welcome.
>>
> Ping Eike

Ok, I would commit the following text early next week if there aren't any
better proposals:

A key pair that has expired can be brought back into an operational state
as long as you have access to the private key and the passphrase. To
reliably render a key unusable you need to revoke it. Revoking is done by
adding a special revocation signature to the key.

This revocation signature can be created together with the key. In this
case it is stored in a separate file. This file can later be imported into
the keyring and is then attached to the key, rendering it unusable. Please
note that to import this signature to the key no password is required.
Therefore you should store this revocation signature in a safe place,
usually one that is different from your key pair. It is good advice to
use a place that is detached from your computer, either copy it to an
external storage device like a USB stick or print it out.

If you have not created such a detached revocation on key creation you can
create such a revocation signature at any time choosing Key -> Revoke key
***, optionally importing it to your keyring immediately.

*** Currently this item is only available in the context menu. I'll move
this from the context menu to the key menu for 4.7.1. The context menu
should provide shortcuts to the often used items. Revoking a key is
seldom used (if at all) so it has no reason to be in the context menu at
all.

Greetings,

Eike
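
The point made in the proposed text above (importing the revocation signature needs no passphrase, so the file must be stored safely), shown as an added example that is not part of the original message or of KGpg: it uses the gpg command line instead of the KGpg dialog, assumes GnuPG 2.1 or later, and the user ID and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example: revoke a throwaway key using only its revocation certificate.
# Assumes GnuPG 2.1+; user ID and passphrase are constructed sample values.
revoke_demo() (
    GNUPGHOME=$(mktemp -d) || exit 1      # isolated keyring, real one untouched
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # Create a passphrase-protected key pair.
    gpg --batch --quiet --pinentry-mode loopback --passphrase 'sample-passphrase' \
        --quick-generate-key 'Demo User <demo@example.invalid>' default default never \
        2>/dev/null || exit 1
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')

    # GnuPG 2.1+ writes a revocation certificate at key creation and defuses it
    # with a leading colon on the armor header; remove the colon to arm it.
    sed 's/^:-----BEGIN/-----BEGIN/' \
        "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" > "$GNUPGHOME/revoke.asc" || exit 1

    # Drop the agent (and any cached passphrase), then forbid passphrase prompts:
    # the import still succeeds because it never touches the private key.
    gpgconf --kill gpg-agent
    gpg --batch --quiet --pinentry-mode error --import "$GNUPGHOME/revoke.asc" \
        2>/dev/null || exit 1

    # Field 2 of the "pub" record is the key's validity; "r" means revoked.
    gpg --batch --with-colons --list-keys "$fpr" 2>/dev/null |
        awk -F: '$1 == "pub" { print $2; exit }'
)

revoke_demo
```

Anyone who obtains the `.rev` file can do the same to the real key, which is why it belongs on offline media or paper, separate from the key pair.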

