07 September 2018
This week we:
Two years ago I created a PGP Key, pushed it to a key server and then forgot about it. I also forgot my password that I used to secure it 🤦 This basically renders the key useless. Worse still, it didn't have an expiry date! Fortunately, PGP has a way you can mark such a dud key as
revoked. The catch is that in order to do this, you need to have generated a revocation certificate... which is impossible if you've forgotten your password! 😡
We figured it'd be sensible for Fluidkeys to automatically create this revocation certificate for you when you create a key and back it up for you. That way, if you do ever run in to problems with they key it's easy to mark it as revoked.
We've refreshed our homepage at www.fluidkeys.com. On it we now have a checklist of features working towards our 1.0 release. We also decided to make our Trello board (of prioritised tasks) public. If you really want to snoop on us, this is the detail 🔎
On Wednesday evening, Paul presented at the monthly Liverpool Linux User Group. He spoke about the superpowers that PGP can give people, but the challenges they face in using it. We also demoed Fluidkeys. Thanks to everyone who came along we had a great discussion afterwards. We were looking for connections to sysadmins that might want to test it and for introductions to open source entrepreneurs who'd successfully built businesses around their software.
Here at the @livlug meeting at @DoESLiverpool this evening to hear about #PGP #encryption and #privacy and FluidKeys (their new project) from @paul_furley and @idrysdale #weeknotes pic.twitter.com/FQiVghujaW— Adrian McEwen (@amcewen) September 5, 2018
We've got Fluidkeys generating new keys, or linking to keys you've already made in GPG. Now time for something more useful: key rotation!
Key rotation is what it sounds like, tossing out an old one, and replacing it with a new one. OpenPGP allows you to do key rotation without having to make a whole new key, but it involves fiddly subkeys and in practice very few people do it.
If your key becomes compromised the amount of data you've exposed will be limited.
With some ciphers, the more data that you've encrypted with your key, the easier it will be to crack. By rotating the key you limit the amount of data you'll ever use against each one. (more on that on crypteron.com)
Confession time: I don't rotate my key. 😈
Fluidkeys 0.2, by automatically rotating my key, would be instantly useful... And it's a step towards a team service that would do this and keep them all in sync across your organisation. But I'm getting ahead of myself. More on that soon...