#367 new
steve

Inform user about revocation certification creation and storage location

Reported by steve | April 25th, 2016 @ 05:07 PM

Since GPG Suite 2015.06 a revocation certificate is created whenever a new key is created.
Before, when a user lost their secret key there was nothing they could do about it, since only very few have created a revocation certificate.
With this change at least they could revoke their key and tell other users they should no longer be using their key and instead use a new one.

With laptops being used by many users however, it's not safe to keep the revocation certificate on that laptop, since an attacker might get access to both the secret key and the revocation certificate.
While the secret key is probably protected by a password, they could still abuse the revocation certificate.

In the future we should inform the user that a revocation certificate has been created, whenever they create a new key, why that is helpful but also why it's a potential security risk to keep it on the internal hard drive and guide them through a process to move it onto a USB drive or other external medium.

In addition, periodical checks should see if revocation certificates are on the hard drive and remind the user to move it onto an external medium.
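A sketch of the periodic check proposed above, added here as an example and not GPG Suite code: it flags ASCII-armored files whose first OpenPGP packet is a signature of type 0x20 (key revocation), which is the shape of a stand-alone revocation certificate. The function names and the size limit are assumptions, the sample input is constructed, and neither the armor CRC nor the signature is verified.

```python
import base64
import re
from pathlib import Path

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)
SIG_TAG = 2            # OpenPGP signature packet (RFC 4880)
KEY_REVOCATION = 0x20  # signature type: key revocation

def first_packet(data):
    """Return (tag, header_length) of the first OpenPGP packet, or None."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    if data[0] & 0x40:  # new-format header: length field is 1, 2 or 5 octets
        n = data[1]
        return data[0] & 0x3F, 2 if n < 192 else 3 if n < 224 else 6 if n == 255 else 2
    return (data[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[data[0] & 0x03]  # old format

def is_revocation_certificate(text):
    """True if an armored block in text starts with a key revocation signature."""
    for block in ARMOR.finditer(text.replace("\r\n", "\n")):
        payload = block.group(1).partition("\n\n")[2]  # armor headers end at blank line
        b64 = "".join(s for s in map(str.strip, payload.splitlines()) if not s.startswith("="))
        try:
            data = base64.b64decode(b64)
        except ValueError:
            continue
        pkt = first_packet(data)
        body = data[pkt[1]:] if pkt and pkt[0] == SIG_TAG else b""  # a key export starts with tag 6
        # v3 signatures carry the type in octet 2, v4 in octet 1
        if len(body) >= 3 and (body[2] if body[0] == 3 else body[1]) == KEY_REVOCATION:
            return True
    return False

def find_revocation_certificates(root, max_bytes=65536):
    # Hypothetical periodic check: small files under root that hold a certificate.
    hits = []
    for path in Path(root).rglob("*"):
        try:
            small = path.is_file() and path.stat().st_size <= max_bytes
            if small and is_revocation_certificate(path.read_text(errors="ignore")):
                hits.append(path)
        except OSError:
            continue
    return sorted(hits)

def constructed_sample(sig_type=KEY_REVOCATION):
    # Constructed input: 2-byte header + 4-byte v4 body, dummy CRC line. Not a real signature.
    b64 = base64.b64encode(bytes([0x88, 4, 4, sig_type, 1, 8])).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
            f"{b64}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Pointing `find_revocation_certificates` at the user's home directory on the internal drive yields the files the reminder would be about; an exported public key is not flagged, because its first packet is a key packet and not a signature.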
