From: Greg Rose <Greg_Rose@sydney.sterling.com>
Date: Mon, 8 Jan 1996 07:47:41 +0800
To: cypherpunks@toad.com
Subject: Re: Revoking Old Lost Keys
In-Reply-To: <2.2.32.19960106101559.00919d9c@mail.teleport.com>
Message-ID: <pgpmoose.199601081027.31093@paganini.sydney.sterling.com>
MIME-Version: 1.0
Content-Type: text/plain


There hav been a lot of replies to the original
question, but I think a lot of people are missing
a simple solution.

  >>At 7:07 AM 1/6/96, Bruce Baugh wrote:
  >>>I'd like to bring up a problem I haven't seen addressed much yet, and whic
 h
  >>>I think is going to come up with increasing frequency as PGP use spreads.
  >>>
  >>>The problem is this: how can one spread the word that an old key is no
  >>>longer to be used when one no longer has the pass phrase, and cannot
  >>>therefore create a revocation certificate?

You create a revocation certificate at the time
you create the key, and store it somewhere (I'd
recommend putting it on a floppy). Then either
give it to your lawyer, with a note saying "If I
forget the passphrase, give me back this", or
just write a note to yourself, and store it in a
place where you'll find it when the time comes.

It is inconvenient if a nasty third party finds it
while you were still using the key, but much less
damaging than if they found the password.

(Someone wrote that PGP doesn't support revocation
certificates. This is not correct.)

Greg.

Greg Rose               INTERNET: greg_rose@sydney.sterling.com  
Sterling Software       VOICE:  +61-2-9975 4777    FAX:  +61-2-9975 2921
28 Rodborough Rd.       http://www.sydney.sterling.com:8080/~ggr/
French's Forest         35 0A 79 7D 5E 21 8D 47  E3 53 75 66 AC FB D9 45
NSW 2086 Australia.     co-mod sci.crypt.research, USENIX Director.