
Re: Revoking Old Lost Keys



At 7:07 AM 1/6/96, Bruce Baugh wrote:

>I'd like to bring up a problem I haven't seen addressed much yet, and which
>I think is going to come up with increasing frequency as PGP use spreads.
>
>The problem is this: how can one spread the word that an old key is no
>longer to be used when one no longer has the pass phrase, and cannot
>therefore create a revocation certificate?

Basically, you are screwed. Any revocation you attempt will not be trusted,
as we will suspect the new "you" to be an attacker, perhaps an agent of the
NSA or the Illuminati. In the view that "you are your key," the old you no
longer exists.

Perhaps you could just move to a different city, change your name, and
create a new key. (However, be sure you write down your passphrase and
other salient information to handle your next memory loss.)

>
>In my case the problem is medical: thanks to autoimmune problems, I get
>random memory loss from time to time. Sometimes it's big - like an entire
>semester of my sophomore year of college. Sometimes it's small - like three
>old pass phrases. So there are keys of mine floating around the key servers
>that I don't want used, and which are just taking up space.

Pardon me for being politically incorrect (*), but anyone who has these
sorts of memory lapses should certainly write down the passphrases! While
it is true that writing down a passphrase increases the risk slightly that
a black bag operative will sneak into one's house and use his Minox to
record the passphrases, in practice this is a minor risk. Especially
compared to the immediate risk of losing or forgetting the passphrase.

(* I said I was being "politically incorrect" because I've found that
people these days don't want their defects and weaknesses commented upon by
others, even when they mention them themselves. Thus, cripples don't want
anyone to comment on their handicaps, and so on. Someone on this list with
"Multiple Personality Disorder" got mightily offended when someone else
mentioned MPD in a joking way in a post. Others freak out at innocent
remarks, seeing their own demons.)

So, if you are losing entire semesters worth of memory, you might want to
start writing a lot of stuff down.

Seriously, this is an example where "escrow" works. Seal an envelope with
your passphrase and any other stuff you want to remember, and leave it with
your lawyer or escrow agency with instructions to only turn it over to you.
Same as a safe deposit box, unless you forget the key. (You could forget
you have a lawyer, so better write that down somewhere, too.)

I've not forgotten my PGP passphrase, but then I've only had one PGP key in
the last several years and I've written a note to myself someplace which
describes what the passphrase is in terms I think would only be meaningful
to me. Not fully secure, but nothing really is. And secure enough.

If you've had several keys in several years, and yet you are at risk of
forgetting entire semesters, maybe you ought to think about whether
encryption is all that necessary for you. (I rarely see the need to
encrypt, even as I cherish the ability and present right to encrypt, so I
naturally wonder what it is all these people who seem to be encrypting
nearly every private message they send are really concerned about....just
my opinion.)

I hope all turns out well, and I hope my candid answers to your questions
are not too politically incorrect.

--Tim May


We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
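An added example, not part of the original thread: the standard way out of the situation Bruce describes is to generate the revocation certificate while the passphrase is still known and escrow that file (rather than the passphrase itself) in the envelope Tim talks about. Importing a revocation certificate later needs no passphrase at all, because it is just a signed packet. The script below assumes GnuPG 2.1 or later is on the PATH (the 1996 PGP discussed in the thread had no such automatic certificate); it uses an isolated temporary keyring, and the user id, passphrase and file names are constructed for the demonstration. GnuPG 2.1+ writes this certificate into `openpgp-revocs.d/` at key creation, with a leading colon on the armor header so it cannot be imported by accident.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GnuPG >= 2.1 on PATH.
# Shows that a revocation certificate made while the passphrase is known can
# be imported later with NO passphrase, which is the escape hatch for the
# "lost passphrase, key still on the servers" problem.
set -eu

demo_revocation_without_passphrase() {
    # Report "skipped" rather than fail on hosts without GnuPG.
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }

    # Isolated keyring so nothing touches the real ~/.gnupg (constructed path).
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Older 2.1 agents need this to accept a passphrase from the command line.
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    passphrase='constructed-passphrase-you-will-forget'

    # 1. Create the key while the passphrase is still known (constructed uid).
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$passphrase" \
        --quick-generate-key 'Example User <example@example.invalid>' ed25519 sign 0
    fpr=$(gpg --batch --with-colons --list-keys 'example@example.invalid' \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # 2. GnuPG 2.1+ writes a ready-made revocation certificate at key creation;
    #    this is the file to escrow. Strip the safety colon from the armor
    #    header only when you actually mean to revoke.
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    sed 's/^://' "$rev" > "$GNUPGHOME/revoke.asc"

    # 3. "Forget" the passphrase: nothing below supplies it. Importing the
    #    certificate only adds a signed packet to the public key, so none
    #    is needed. This is also what a key server does on receipt.
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc"

    # 4. Validity field 'r' in --with-colons output means the key is revoked.
    if gpg --batch --with-colons --list-keys "$fpr" | grep -q '^pub:r:'; then
        echo revoked
    else
        echo not-revoked
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

demo_revocation_without_passphrase
```

Run it as-is; it prints `revoked` on success. The practical lesson for the escrow envelope is that the `.rev` file is far safer to hand to a lawyer than the passphrase: anyone who opens it can only kill the key, not read mail or sign as you.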