2011.07.13
Revoked an old key pair.
% gpg --list-keys john@example.net
pub 4096R/X0000XX0 2010-09-15
uid John Doe <john@example.net>
uid John Doe <john@us.example.net>
uid John Doe <john@example.ad.jp>
sub 2048R/0000X00X 2010-09-15 [expires: 2013-09-14]

pub 1024R/000000XX 1998-10-22
uid Doe John <john@example.net>
uid Doe John <john@example.ad.jp>
uid Doe John (since 2009.08.24) <john@us.example.net>
The upper one is the new key; the lower one is the old key I want to revoke. (I rarely had occasion to use it, but still, a key I generated 13 years ago... It was PGP 2.6.3i back then.)

Generate a revocation certificate and import it.
% gpg -o 000000XX.revoke.asc --gen-revoke 000000XX

sec 1024R/000000XX 1998-10-22 Doe John <john@example.net>

Create a revocation certificate for this key? (y/N) y

You need a passphrase to unlock the secret key for
user: "Doe John <john@example.net>"
1024-bit RSA key, ID 000000XX, created 1998-10-22

Enter passphrase:
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

% gpg --import 000000XX.revoke.asc
gpg: key 000000XX: "Doe John <john@example.net>" revocation certificate imported
gpg: Total number processed: 1
gpg: new key revocations: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 22 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 22 signed: 4 trust: 0-, 3q, 1n, 16m, 2f, 0u
gpg: depth: 2 valid: 2 signed: 0 trust: 1-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2017-11-30

Revoked without trouble.
% gpg --list-keys john@example.net
pub 4096R/X0000XX0 2010-09-15
uid John Doe <john@example.net>
uid John Doe <john@us.example.net>
uid John Doe <john@example.ad.jp>
sub 2048R/0000X00X 2010-09-15 [expires: 2013-09-14]

pub 1024R/000000XX 1998-10-22 [revoked: 2011-07-12]
uid Doe John <john@example.net>
uid Doe John <john@example.ad.jp>
uid Doe John (since 2009.08.24) <john@us.example.net>

Send the revoked key to the key server. (Only the public key, now carrying the revocation signature, is uploaded; anyone who already holds the old key sees it as revoked once they refresh from the server.)
% gpg --send-keys 000000XX
gpg: sending key 000000XX to hkp server pgp.nic.ad.jp

% gpg --search-keys john@example.net
gpg: searching for "john@example.net" from hkp server pgp.nic.ad.jp
(1) John Doe <john@example.net>
John Doe <john@us.example.net>
John Doe <john@example.ad.jp>
4096 bit RSA key X0000XX0, created: 2010-09-15
(2) Doe John <john@example.ad.jp>
Doe John <john@example.net>
Doe John (since 2009.08.24) <john@us.example.net>
1024 bit RSA key 000000XX, created: 1998-10-22 (revoked)
Enter number(s), N)ext, or Q)uit > q
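The `[revoked: 2011-07-12]` tag in the listings above is meant for humans; a script that wants to confirm the revocation went through (for example, before deciding whether a keyring still contains usable old keys) should read `gpg --with-colons --list-keys` instead, whose record layout is stable. The parser below is an added example, not code from the original post: the sample listing is constructed, modelled on the post's two keys, and its key IDs, fingerprints and uid hashes are placeholders rather than real values. It reports each key's validity (`r` in the second field means revoked) and lets you look up a key by the 8-hex short ID the post displays.

```python
"""Parse `gpg --with-colons --list-keys` output and report revoked keys."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample listing (not captured from a real keyring), modelled on
# the two keys in the post: a current 4096-bit key with an encryption subkey,
# and a revoked 1024-bit key from 1998. Key IDs, fingerprints and uid hashes
# are placeholders.
SAMPLE_LISTING = """\
tru::1:1310515200:1512000000:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAA0:1284508800:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000AAAAAAAAAAAAAAA0:
uid:u::::1284508800::0000000000000000000000000000000000000001::John Doe <john@example.net>::::::::::0:
uid:u::::1284508800::0000000000000000000000000000000000000002::John Doe <john@us.example.net>::::::::::0:
sub:u:2048:1:BBBBBBBBBBBBBBB0:1284508800:1379116800:::::e::::::23:
pub:r:1024:1:CCCCCCCCCCCCCCC0:909014400:::u:::sc::::::23::0:
fpr:::::::::00000000000000000000000CCCCCCCCCCCCCCC0:
uid:r::::909014400::0000000000000000000000000000000000000003::Doe John <john@example.net>::::::::::0:
uid:r::::1251072000::0000000000000000000000000000000000000004::Doe John (since 2009.08.24) <john@us.example.net>::::::::::0:
"""

# Validity codes in field 2 of pub/sub/uid records (see doc/DETAILS in GnuPG).
VALIDITY = {
    "o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown", "q": "undefined", "n": "never",
    "m": "marginal", "f": "full", "u": "ultimate",
}


@dataclass
class Key:
    keyid: str
    validity: str
    bits: int
    algo: int
    created: datetime
    expires: Optional[datetime]
    uids: List[str] = field(default_factory=list)
    subkeys: List["Key"] = field(default_factory=list)

    @property
    def revoked(self) -> bool:
        return self.validity == "r"


def _unescape(s: str) -> str:
    """Undo the \\xNN escaping gpg applies to ':' and control chars in uids."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _date(s: str) -> Optional[datetime]:
    """Field is empty, epoch seconds (gpg >= 2.0) or YYYY-MM-DD (older gpg)."""
    if not s:
        return None
    if s.isdigit():
        return datetime.fromtimestamp(int(s), tz=timezone.utc)
    return datetime.strptime(s[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_listing(text: str) -> List[Key]:
    """Build Key objects from pub/sec records, attaching their sub/ssb and uid records."""
    keys: List[Key] = []
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sec", "sub", "ssb"):
            key = Key(keyid=f[4], validity=f[1], bits=int(f[2]), algo=int(f[3]),
                      created=_date(f[5]), expires=_date(f[6]))
            if rec in ("pub", "sec"):
                keys.append(key)
            elif keys:
                keys[-1].subkeys.append(key)
        elif rec == "uid" and keys:
            keys[-1].uids.append(_unescape(f[9]))
    return keys


def revoked_key_ids(text: str) -> List[str]:
    return [k.keyid for k in parse_listing(text) if k.revoked]


def key_status(text: str, keyid: str) -> Optional[str]:
    """Look up by long key ID or by the 8-hex short ID shown in --list-keys."""
    want = keyid.upper()
    for k in parse_listing(text):
        if k.keyid.endswith(want):
            return VALIDITY.get(k.validity, k.validity)
    return None


if __name__ == "__main__":
    import subprocess
    import sys
    # With arguments, parse the live keyring; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        out = subprocess.run(["gpg", "--with-colons", "--list-keys", *sys.argv[1:]],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_LISTING
    for k in parse_listing(out):
        print(f"{k.keyid} {k.bits}R created {k.created:%Y-%m-%d} "
              f"{VALIDITY.get(k.validity, k.validity)}: {k.uids[0] if k.uids else ''}")
```

Run it with a key ID or address (`python3 revoked.py john@example.net`) to parse your own keyring, or without arguments to see the constructed sample. Note that the validity column is your local keyring's view: a key fetched from a key server shows `r` only once the revocation signature has been imported, which is why the post re-lists the key after `--import` rather than trusting the certificate file alone.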
