Hello Sean,
It’s interesting that the revocation comments do not seem to play a role, at least not one that we can see.
I am disappointed to learn that once our information hits the servers, it’s there forever. I expected that the key servers would behave in a similar fashion to the internet servers. That is, once the DNS data has been changed or the domain name has been deleted, the servers would incorporate the new information by either updating the DNS stuff or dropping the domain altogether. I would have expected the gpg key data to be timestamped, so the servers could coordinate the information without overwriting previously deleted information. Still, your response is helpful.
Out of curiosity, what happens if the certificate expires? Does it disappear then? If so, could one change an expiry date to the next day, re-upload it, and then have it disappear from the server once the expiry date has passed?
Thank you for providing a good summary on creating a new key and deleting the old one.
Your Step 3 caused me some grief because I don’t know how to use my revocation certificate. Out of curiosity, I used Kleopatra to open my revocation certificate. The good news is that it worked–my certificate was revoked. The bad news is, my certificate was revoked.
When I opened my revocation certificate using Kleopatra, I had expected a warning message or to see the revocation certificate on a separate line. Instead, there was NO warning. Just boom–existing certificate was gone.
So I had to discover a way to restore my certificate. Here are the steps that I followed:
1. Import my saved Private Key. Kleopatra says that the Key has been revoked.
2. Take note of the Key-ID.
3. Delete the Key from Kleopatra by selecting it and then deleting it.
4. Using the command line prompt:
   4a) gpg --expert --delete-key Key-ID
   4b) Confirm by pressing: y
5. Import my saved Private Key again. Kleopatra is happy with it; however, OwnerTrust was changed.
6. I increased the “Ownertrust” level to “Ultimate.” I believe I right mouse clicked on the certificate and hit “Certify Certificate,” or I used one of the commands under the “Certificate Menu.” Somehow I managed to restore the Ownertrust level to “Ultimate.”
I used the following website and looked at the “answer” for some guidance.
http://superuser.com/questions/608336/un-revoke-pgp-key
My process differs somewhat. So if my process doesn’t work for others, they can try the “answer.”
Now that I restored my revoked key, my question is:
** How do I send my Revocation Certificate to the key server?
Switching to the next topic, I like your suggestion of signing the NewKey with the OldKey. That’s clever.
You stated, “THE ONLY WAY TO BE 100% CERTAIN IS TO GET THE KEY DIRECTLY FROM THE OWNER!”
The New York Times publishes their Fingerprint for confidential news tips. Please see here: https://www.nytimes.com/newsgraphics/2016/news-tips/
Interestingly, under the email section, they call the Fingerprint a “Key.” However, when you search for the New York Times on the key server, you can verify that you have the correct Public Key because its fingerprint matches the fingerprint on their webpage. While not getting the key directly from the New York Times, you should be confident that the key is legitimate because the fingerprints match. I believe we’re saying the same thing–that is, verify from the source that the key is valid.
Incidentally, browsing through this New York Times page piqued my curiosity and led me down this rabbit hole of wanting to understand PGP encryption.
Our last topic is subkeys. I read through your paragraph and very superficially skimmed Alex Cabal’s site. I do plan to go back soon to Cabal’s site for a more thorough read. I like the idea of having a “backup plan” in case your computer is stolen or lost. Perhaps another way to mitigate problems with a stolen or lost computer is to encrypt your entire computer using BitLocker. With BitLocker, the thief is presumably unable to use your computer.
You mention, “They can be created and revoked independently from your main key. By default, when you create a key with Kleopatra, you get a main key and one subkey.”
When I created a “key,” I created one public and one private key. I am not sure about a subkey. Can you please elaborate a bit further?
Thank you very much, Sean, for your patience and assistance. I look forward to your responses to my comments and questions. I believe I am getting close to obtaining a reasonable understanding of how to use PGP encryption.
Best regards,
Kevin
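Added example, not part of this e-mail exchange: the two checks Kevin describes above (Kleopatra reporting a key as revoked after import, and comparing a key-server copy against a fingerprint published by the owner) done by script over GnuPG's machine-readable listing (`gpg --with-colons --with-fingerprint --list-keys`). The listing, key IDs and fingerprints below are constructed for the example.

```python
import hmac
import re

# Constructed sample of `gpg --with-colons --with-fingerprint --list-keys`
# output: one revoked key and one valid, ultimately trusted key. In a "pub"
# record field 2 is validity (r=revoked, e=expired, u=ultimate, -=unknown)
# and field 9 is ownertrust; the "fpr" record that follows carries the full
# fingerprint in field 10. All key IDs and fingerprints here are made up.
SAMPLE_LISTING = """\
pub:r:3072:1:0123456789ABCDEF:1690000000:::-:::sc::::::23::0:
fpr:::::::::DEADBEEF0123456789ABCDEF0123456789ABCDEF:
uid:r::::1690000000::0::Alice Example <alice@example.invalid>::::::::::0:
pub:u:3072:1:CAFEBABE11223344:1690000000:::u:::scESC::::::23::0:
fpr:::::::::CAFEBABE1122334455667788CAFEBABE11223344:
uid:u::::1690000000::0::Bob Example <bob@example.invalid>::::::::::0:
"""

def normalize_fingerprint(text):
    """Strip the spaces web pages put in fingerprints and require all 40 hex
    digits: short key IDs can collide, so only the full fingerprint counts."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40 hex digit fingerprint, got %r" % text)
    return fpr

def parse_listing(listing):
    """Return one dict per primary key: key ID, validity, ownertrust, fingerprint."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1],
                         "ownertrust": f[8], "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # the fpr record follows its pub record
    return keys

def check_key(listing, published_fpr):
    """Match the key-server copy against the owner's published fingerprint.
    Returns "ok", "revoked", "expired" or "not-found"."""
    wanted = normalize_fingerprint(published_fpr)
    for key in parse_listing(listing):
        if key["fpr"] and hmac.compare_digest(key["fpr"], wanted):
            if key["validity"] == "r":
                return "revoked"   # what Kleopatra reports after a revocation import
            if key["validity"] == "e":
                return "expired"
            return "ok"
    return "not-found"
```

Run the real listing through `check_key` with the fingerprint copied from the owner's page; a "revoked" result means the key server already holds a revocation for that key.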