[ale] hosed gpg key

Michael B. Trausch mike at trausch.us
Mon Dec 12 19:02:55 EST 2011


On 12/12/2011 05:20 PM, Aaron Ruscetta wrote:
> Since I've pretty well hit all the likely alternate forms of the pass
> phrase at this point, I'm thinking there must be something else
> going on here. Is there a limit to pass phrase length or something?
> Is there an undeclared timeout on multiple attempts?

There is no limit to the passphrase that I am aware of.  My current one
is in excess of 70 characters and it works, with gpg2 at least.  I'm not
sure if any of it works differently for gpg1.

> If I'm unable to re-discover the pass phrase, how do I just go
> about trashing this key and removing it from the keyring and such?
> Would anyone in the key ring be willing to sign a new alternative
> if I were to generate it and post it to BigLumber?

Question:  Did you generate a revocation certificate when you created
your new stronger key?  If so, import the revocation certificate and
then re-upload the public key to the keyservers so that your revocation
will reach the whole keyserver network.  If not... well, there is no way
to revoke the key, and if I am understanding my gpg2 output correctly,
your key doesn't expire.

Since we all have certified both of your keys, I'd have no problem
signing your new key if you send a signed message to the ML with your
other key that you still control, and in that message put the key ID for
the new key that you need signed.  At the very least, that will prove
sufficient for me.

When you create your new key, I'd recommend that you make it expire at
some point.  It doesn't have to be 1 year; I tell people to set the
expiration for somewhere between 5 and 15 years.  The expiration
shouldn't be too frequent, because that increases the burden on yourself
(maintaining your key) and everyone else (because they have to re-sign
your key).  The only thing the expiration really guards against is the
loss of both a key and its corresponding revocation certificate.  Also,
generate a revocation certificate.  I generate mine and print it on a
piece of paper which I then put in a safe place.

A side note:  Jeremy mentioned after the social a piece of software that
can take an input file and split it into any x number of chunks, where
any y of those are required to reconstitute the original file.  That way
one could, for example, generate a revocation certificate, make 5 chunks
where any 4 are required to recreate the revocation certificate, and
give those 5 chunks to friends.  Alas, I forgot to write down the name
of the software, so I can't remember what it was.

	--- Mike
