gabriel rosenkoetter on 26 Nov 2003 17:55:03 -0500



Re: [PLUG] PGP question--maybe off topic


Not off-topic in my opinion.

On Tue, Nov 25, 2003 at 11:39:21AM -0500, Rob Carlson wrote:
> Unfortunately I forgot that gnupg uses "dot" files, and I didn't save 
> that.  Of course the key I created for my work account had no expiration 
> either, so I can't upload a new key.

I beg your pardon?

Keys are identified by keyid, not by email address. It's certainly
*irritating* to have more than one key attached to the same email
address in the keyservers, but in the most common usage of the
keyserver (I've received a message signed by your key; I want to
go retrieve the key that signed this message so that I can verify
it; I go ask for the keyid, because I know that, not the email
address), this won't ever come up.

You can certainly send a new key to the keyservers.

Or did you mean something other by "upload"?

> My question-- is my work account email address forever damned to be 
> unable to use pgp, or is there some way (preferable) that I can use my 
> home account key with my work account in Mozilla mail?

You should simply generate a new keypair at work and use that.

Inform any correspondents with the old key that you have lost the
private key, so they should avoid encrypting to the old key
because you won't be able to read it.

If that was really the only copy of your old key, you don't have to
worry about someone stealing it, and they shouldn't either, though
they've got no particular reason to believe that.

They've also got no particular reason to believe that you're really
you. For some people, signing your work PGP key with your home PGP
key would be enough for them to believe you. For sticklers, a full
reverification with photo ID would be necessary. (This is a personal
issue with each signer, since it's about their stating publicly that
they trust you.)

Note that you could have avoided this situation by following the
Best Practice of generating a revocation certificate (ASCII
armored) at the time of key generation, printing it, and putting
it somewhere safe. That way, if you lose the key, it's still
revocable.

> My gut hunch is I've rendered my work account useless for PGP
> forever.  Any ideas?

It would be terrible if PGP relied completely on your not destroying
your private key to function with a given email address.

On Wed, Nov 26, 2003 at 05:21:26PM -0500, LeRoy Cressy wrote:
> from your work machine email to yourself your public key.  Then add the
> key to your key ring.

Considering he's missing his PRIVATE key at work, I don't see how
that'll help much.

-- 
gabriel rosenkoetter
gr@eclipsed.net

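The "generate a revocation certificate at key generation time" practice from the mail above, as an added example that is not part of this thread or of GnuPG's own documentation. It goes one step further than the text and also imports the certificate into the keyring to prove that the certificate alone is enough to revoke the key. It assumes GnuPG 2.1 or later is installed as `gpg`; the user id, the temporary keyring and the output file name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a throwaway GnuPG
# keyring, generates a keypair with no expiration (the situation in the
# thread), and immediately produces an ASCII-armored revocation certificate
# for it, then shows the certificate works by importing it.
# Assumes GnuPG 2.1+ is installed as `gpg`. The user id below is constructed.
set -eu

DEMO_UID="Demo User (constructed, not a real account) <demo@example.invalid>"

# Prints "revoked" when the whole round trip succeeds, "SKIP" when gpg is absent.
revocation_cert_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "SKIP"
        return 0
    fi
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    revcert="$GNUPGHOME/revocation-certificate.asc"

    # 1. Unattended key generation. The empty passphrase is only acceptable
    #    because this is a disposable demo key.
    gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_UID" default default never 2>/dev/null

    # 2. Keys are identified by fingerprint/keyid, not by e-mail address, so
    #    look the fingerprint up (field 10 of the "fpr" record).
    fpr="$(gpg --batch --no-tty --with-colons --fingerprint --list-keys "$DEMO_UID" \
           | awk -F: '$1 == "fpr" { print $10; exit }')"

    # 3. Create the revocation certificate NOW, while the private key still
    #    exists. --gen-revoke is interactive; --command-fd 0 feeds its prompts:
    #      y       -> yes, create a revocation certificate for this key
    #      0       -> reason: "No reason specified"
    #      (blank) -> no optional description
    #      y       -> confirm
    printf 'y\n0\n\ny\n' | gpg --no-tty --yes --pinentry-mode loopback --passphrase '' \
        --command-fd 0 --status-fd 2 --armor --output "$revcert" --gen-revoke "$fpr" 2>/dev/null

    # This is the file to print and put somewhere safe; it is a public key
    # block carrying only the revocation signature.
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$revcert"

    # 4. Prove it works: importing the certificate marks the key revoked.
    #    Field 2 of the "pub" record is the validity; gpg reports "r" when revoked.
    gpg --batch --no-tty --quiet --import "$revcert" 2>/dev/null
    state="$(gpg --batch --no-tty --with-colons --list-keys "$fpr" \
             | awk -F: '$1 == "pub" { print $2; exit }')"

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"

    if [ "$state" = "r" ]; then
        echo "revoked"
    else
        echo "not-revoked:$state"
        return 1
    fi
}

revocation_cert_demo
```

Two practical notes: GnuPG 2.1 and later also write a revocation certificate automatically into `$GNUPGHOME/openpgp-revocs.d/` at key generation, but that file has a colon inserted before the first line of dashes precisely so it cannot be imported by accident; remove the colon before using it. And whichever file you keep, store it where losing the laptop does not lose it too, because once the private key is gone this certificate is the only thing that can still revoke the key.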