From: "Michael C. Peponis" <mianigand@unique.outlook.net>
Date: Sat, 6 Jan 1996 22:40:55 +0800
To: cypherpunks@toad.com
Subject: Re: Revoking Old Lost Keys
Message-ID: <199601060759.BAA03401@unique.outlook.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----


On  5 Jan 96 , Bruce Baugh wrote:

> I'd like to bring up a problem I haven't seen addressed much yet, and which
> I think is going to come up with increasing frequency as PGP use spreads.
> 
> The problem is this: how can one spread the word that an old key is no
> longer to be used when one no longer has the pass phrase, and cannot
> therefore create a revocation certificate?

It's an administrative nightmare.  I assume that you mean if the key 
is widley distributed.  If it's only circulating among a small group 
of people that know each other, no problem.  

If it's widley distributed, or on a keyserver, that becomes hard.  
First you would have to be authenticated as the origional key owner, 
ie how do I realy know that you are you, and not somebody saying you 
are the orgional key owner?

Another problem, let's say I get your public key from Bob, who signed 
your key, and Bob knows you have revoked your key, but I don't, so 
what happens to my copy of your key? 

Since there is no revokation certificate, I am forced to take Bob's 
word that you have indeed want to revoke your key, but have no way of 
verifying that without talking to you, and agin I have to go through 
the same verification process that Bob did.

Good topic. 

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMO2+BkUffSIjnthhAQFPuQP7BOBJTkqInT4nIAQ7ity4/AutSn9QusFx
FdG6iPQVG11fp2BbGtDeQMSgaFUDxXm99Oim/VINGWDmbMWhcWTAXDPpYrd2+bjH
Q9/SNs+5akQc+bbojqIjDoXas/5LL4VvbrEeSOvklpKg+GrCleJYqN+Mh2aY35ZL
04GLVJJLzSo=
=Xr5x
-----END PGP SIGNATURE-----
Regards,
Michael Peponis
PGP Key Avalible form MIT Key Server
Key fingerprint =  DD 39 66 3D AE DE 71 C2  B6 DA B2 3F 47 2A EB AC