GPG keypair wizard not creating a revocation certificate

Ingo Klöcker kloecker at kde.org
Tue Jul 4 19:09:13 BST 2017


On Tuesday 04 July 2017 18:08:13 Thomas Pfeiffer wrote:
> Hi KDE PIM team,
> I’ve just learned that KMail now offers users who do not have a GPG
> key to have one created for them. This as such is a nice idea, but a
> key element which is missing is the generation of a revocation
> certificate. Users who know nothing about GPG don’t even know what
> that is and therefore most likely won’t ever create one. This could
> get them into a difficult situation should they ever forget their
> password or lose their private key. Having irrevocable keys out there
> is certainly not what we want. Therefore, even if users don’t yet
> know what it’s good for, I’d strongly recommend to automatically
> generate a revocation certificate and tell them where they can find
> it and what it is good for.

Does the generated OpenPGP key expire? IMHO it should. Automatic key 
expiration offers way better protection from zombie keys than a 
revocation certificate. The rev certificate can be lost. People need to 
remember the rev certificate if they lose their password. Then they need 
to learn how to apply the rev certificate. That's exactly the hassle 
that the automatic key generation tries to protect the users from.

FWIW, since GnuPG 2.1.17, by default, new keys generated with gpg expire 
after 2 years [1].


Regards,
Ingo


[1] https://lists.gnupg.org/pipermail/gnupg-announce/2016q4/000400.html
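The following shell script is an added example and is not part of the message above, of KMail or of GnuPG's own code. It walks through the two mechanisms Ingo compares: it generates an OpenPGP key in a throwaway GNUPGHOME with the 2-year expiry the message mentions, reads the expiration back from gpg's colon-separated listing, and then applies the revocation certificate that GnuPG 2.1 and later store under openpgp-revocs.d at key-generation time, which shows the extra steps (find the file, strip the guard colon, import it) a user would have to know about. The function names, the user id user@example.invalid and the choice of Key-Type: default are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): create a key that expires in 2 years,
# inspect the expiry, then apply GnuPG's auto-generated revocation certificate.
# Assumes GnuPG >= 2.1 (batch %no-protection, Key-Type: default, openpgp-revocs.d).
set -eu

# Generate a key in homedir $1 with expiry $2 (e.g. "2y"); print its fingerprint.
# The user id is a made-up one for this example.
gen_expiring_key() {
  cat >"$1/params" <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Example User
Name-Email: user@example.invalid
Expire-Date: $2
%commit
EOF
  # gpg reports "revocation certificate stored as ..." on stderr at this point.
  gpg --homedir "$1" --batch --quiet --gen-key "$1/params" 2>/dev/null
  gpg --homedir "$1" --batch --with-colons --list-keys user@example.invalid \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Days between creation (field 6) and expiration (field 7) of the primary key
# in the --with-colons "pub" record.
key_expiry_days() {
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
    | awk -F: '$1 == "pub" { print int(($7 - $6) / 86400); exit }'
}

# Import the stored revocation certificate for fingerprint $2 and print the
# key's validity flag (field 2 of the pub record); "r" means revoked.
apply_revocation() {
  rev="$1/openpgp-revocs.d/$2.rev"
  # GnuPG prefixes the armor header with ':' so the file cannot be imported by
  # accident; strip that colon and keep only the armored block.
  sed -n 's/^://; /^-----BEGIN PGP/,/^-----END PGP/p' "$rev" \
    | gpg --homedir "$1" --batch --quiet --import 2>/dev/null
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
    | awk -F: '$1 == "pub" { print $2; exit }'
}

# Stop the per-homedir agent and delete the scratch directory.
cleanup_homedir() {
  gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
  rm -rf "$1"
}

main() {
  H=$(mktemp -d); chmod 700 "$H"
  FPR=$(gen_expiring_key "$H" 2y)
  echo "fingerprint: $FPR"
  echo "expires in $(key_expiry_days "$H" "$FPR") days"
  echo "validity after revocation: $(apply_revocation "$H" "$FPR")"
  cleanup_homedir "$H"
}

if command -v gpg >/dev/null 2>&1; then main; fi
```

The expiry is enforced by every OpenPGP implementation that reads the key, with no action from the user; the revocation only takes effect for people who receive the imported certificate, which is why the last step in a real deployment is publishing the revoked key, not just importing it locally.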