Subject: Re: Beer...and keys.
To: Curt Sampson <cjs@cynic.net>
From: Jim Wise <jwise@draga.com>
List: regional-nyc
Date: 12/18/2003 10:32:41
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Dec 2003, Curt Sampson wrote:
>On Wed, 17 Dec 2003, Miles Nordin wrote:
>
>> No, you can. Just use the revocation certificate that you created at
>> the same time you generated your key.
>
>I don't quite understand this. If you lose your laptop, you presumably
>lose your revocation certificate as well. If you've backed up your
>revocation certificate somewhere safe, what's to stop you from backing
>up your key there as well? If it's not safe enough to back up your key,
>what's to stop an attacker from revoking your key and committing a
>denial of service attack?

If someone has your private key (from stealing your laptop) you
*certainly* want to issue a revocation, even if you have a backup of the
key as well as the revocation, as you have no good way of knowing how
much hardware they are, at this very moment, applying to the task of
brute-forcing your pass-phrase.
- --
Jim Wise
jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQE/4cieRxzMSZ/9vAMRAnrwAJ9PPRQiySRxL3ULkDoRAeVCAyRdJwCgqWO9
WibI3EmnUoe7Blw4paKVTuw=
=9DhC
-----END PGP SIGNATURE-----