Key Revocation
Key revocation is the process of disowning a key. Disowning brings further complications, such as making the revocation public knowledge so that people do not go on using the key wrongly.
Traditional public key systems maintain a list of revoked keys, duly signed by the certification authority. Anyone who wishes to use a key for encryption is obliged to go through this list to make sure the key is still usable and has not been revoked.
The list is called a certificate revocation list (CRL). This, once again, is costly in resources. It involves downloading the updated list from the server from time to time, verifying the signature, and checking for revocation every time encryption is carried out. It needs additional software and resources. Keygloo has a lighter solution to the problem. The user can simply cancel a Keygloo number if the private key is compromised.
This is done by entering the Keygloo number in the cancellation page and clicking ‘submit’. Cancellation is a two-step process, to ensure that the request is legitimate. When cancellation of a Keygloo number is requested, the user receives an email at the primary email address he used to sign up. This email contains the pass phrase that confirms cancellation of the Keygloo number and a link to the confirmation page. On following the link and entering the pass phrase in the form there, the Keygloo number is cancelled.
From then on, the number and the associated public key are deleted from the Keygloo public key distribution server. Any requests for deleted public keys will simply be turned down. Since Keygloo encrypted communications will generally take place within a small circle involving only those people to whom the user reveals his Keygloo number, informing them through word of mouth or a simple email not to use the cancelled Keygloo number is trivial.
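The two-step cancellation described above, sketched as an added example that is not Keygloo's own code: `KeyDirectory` and its method names are hypothetical, and the expiry window and hashed storage of the pass phrase are assumptions the page does not state.

```python
import hashlib
import hmac
import secrets
import time

class KeyDirectory:
    """Hypothetical in-memory stand-in for a public key distribution server."""

    def __init__(self, ttl=900):
        self.keys = {}     # number -> (public_key, primary_email)
        self.pending = {}  # number -> (sha256 of pass phrase, expiry time)
        self.outbox = []   # (email, pass phrase): stands in for sending mail
        self.ttl = ttl     # assumed lifetime of a cancellation request, seconds

    def register(self, number, public_key, email):
        self.keys[number] = (public_key, email)

    def request_cancellation(self, number, now=None):
        # Step 1: anyone can submit a number, but the pass phrase goes only
        # to the owner's primary address, never back to the requester.
        now = time.time() if now is None else now
        if number not in self.keys:
            return False
        phrase = secrets.token_urlsafe(16)
        digest = hashlib.sha256(phrase.encode()).digest()
        self.pending[number] = (digest, now + self.ttl)
        self.outbox.append((self.keys[number][1], phrase))
        return True

    def confirm_cancellation(self, number, phrase, now=None):
        # Step 2: the pass phrase from the email proves control of the mailbox.
        now = time.time() if now is None else now
        entry = self.pending.get(number)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self.pending[number]  # stale request: start again from step 1
            return False
        supplied = hashlib.sha256(phrase.encode()).digest()
        if not hmac.compare_digest(digest, supplied):  # constant-time compare
            return False
        del self.pending[number]  # single use
        del self.keys[number]     # number and public key leave the server
        return True

    def lookup(self, number):
        # Requests for deleted public keys are turned down (None).
        entry = self.keys.get(number)
        return entry[0] if entry else None
```
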