Keyserver First Time User

Some suggestions for the first time user. Additions and corrections welcomed. Please be sure to read about revocation before you leave.

• Read our disclaimer and look through the help file (somewhat out of date). This will give you a better idea of what you can expect from this keyserver (the help file is not written with either PGP 5.0 or this version of the keyserver in mind, however).
• Look through some of the FAQs
  Alright, no one expects you to read all of that, but know where to find useful information. Much of the guidance that follows is adapted from the comp.security.pgp FAQ, which you may want to consult for more up-to-date instructions.
  
• Need help with PGP 5.0? Try Brad Knowles' PGP 5 Tips
• Signing someone else's key?
  • Download the key you need from the keyserver
    Use the keyserver Search page.
  • Verify that this is the key you want to sign
    This is the most important step. You must be satisfied about the ownership of the key you are going to sign, and about the identity of the owner. Consult the comp.security.pgp FAQ on this, PGP documentation, and experienced colleagues. The key should be signed by its owner before you sign it (see below).
  • Sign this key
    pgp -ks [-u yourid]
pgp -kxa
    (You will create a file with the signed key)
  • Upload the signed key to the keyserver
    Paste the signed key into the keyserver Submit form.
• Adding a key?
  • Create your key
  • Sign your own key
    See signing instructions above. You must sign your own key to avoid fraud. See Walther Soldierer's article.
  • Upload your key to the keyserver
• Revoking your key?
  • Upload your revocation certificate to the keyserver
    This is the only way your key can be disabled.

• Key removal, revocation, and disabling IMPORTANT! Please read!

  "Help! I've lost my passphrase!" "My key's been compromised!" "My secret key's been destroyed, and there's no backup!" "Someone made a fake key for me and is circulating it on the keyservers!" [The first case is by the far the most common.] These explanations usually accompany a request to disable, remove, or revoke a key on the keyservers, because the key is now invalid.

  The only practical way to deal with the invalid PGP key problem is to create a key revocation certificate in advance. Please read the instructions. (This is taken directly from the comp.security.pgp FAQ.)

  1. Make a backup of your public and secret keyrings.
  2. Revoke your key with pgp -kd youruserid.
  3. Extract the revoked key to a file with pgp -kxa youruserid. This file is what the manual calls the revocation certificate.
  4. Store the certificate (file) in a safe location, for example on a floppy which you keep someplace else. Leaving it on line is not recommended for security reasons.
  5. Restore the backed-up keyrings. (If you don't, you lose use of your PGP key.)
  6. Remember to check the certificate every year, and re-create it when necessary. Floppies or other backup media may age and become unreliable or unreadable.
  7. When (and only when) your PGP key becomes invalid, submit your revocation certificate to the key server as described above.

  Why? Key removal is useless, since the key can be recreated and/or uploaded at any time. Revocation is possible only so long as you know your secret key's passphrase. Disabling a key is possible, but is impractical; it will only happen if you are personally known to us, or someone makes us an offer we can't refuse. Disabling keys is a service that is more appropriate to a key certificate authority (which you are, in a sense, for your personal keyrings). Please read the help file. The keyservers are not certificate authorities and can take no responsibility for the contents.

  Another viewpoint on the same topic, from the MIT keyserver.