/[winpt]/trunk/Doc/winpt.texi

Revision 226 - Mon Jun 12 13:40:21 2006 UTC by twoaday
File MIME type: application/x-texinfo
File size: 16584 byte(s)
Prepare new release.

\input texinfo

@setfilename WinPT

This file describes the Windows Privacy Tray program and its main functions.

This file is free under the terms of the GNU General Public License v2.

Copyright (C) 2006 Timo Schulz

Version 0.0.0

@settitle WinPT - The Windows Privacy Tray; a free GPG front-end for Windows

@section Requirements for WinPT

First you need a working GnuPG 1.4 installation on the machine on which
you plan to install WinPT. If GPG is not yet installed, visit
http://www.gnupg.org and download the latest GPG version there.
It comes with a graphical installer, so there is no need to perform
this step manually.

You need at least Windows 98/2K/XP; Windows XP or later is
recommended. The program also runs on NT/95/ME, but these OS versions
are no longer supported.

@section A short Introduction

WinPT is a graphical GnuPG front-end which resides in the task bar.
It is divided into several so-called managers: there is a manager
for the keyring, one for files and one for smart cards. The aim of the
program is to secure email communication and to perform file encryption.

@subsection What is GnuPG
GnuPG is a tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
It includes an advanced key management facility and is compliant
with the OpenPGP standard as described in RFC 2440.

@subsection The Web of Trust
For a detailed description of this and other GnuPG topics, I
recommend the literature available at http://www.gnupg.org. But
at least a general overview should be given here.

The certification scheme of OpenPGP is not based on a hierarchical
approach. Instead it uses a combination of ownertrust and direct
key certification. Here is an example with Alice, Bob, Carol and Dave.

Alice knows Bob and checked the fingerprint of Bob's key when she
met him personally. Thus she knows that the key really belongs to
its owner, and she trusts Bob to certify other keys. So she issued
a signature on Bob's key. Bob knows Carol and also checked her identity.
Then he signed her key. Alice does not know Carol, but she knows Bob,
and Bob has certified Carol's key. Because Alice trusts Bob as a
certifier, at a level she decided before, Carol's key is valid for
Alice as well. Note that this is not automatically transitive: Carol's
own certifications only count for Alice once Alice has also assigned
ownertrust to Carol's key. Dave is isolated and does not know any of
the mentioned persons, thus he is not in the WoT.
Another very important point is that the signer decides, independently
of the certification itself, how much he trusts the key owner to
certify other keys.
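
The scenario above, computed the way GnuPG's classic trust model does it, as an added example in Python. It is not WinPT or GnuPG code. It assumes gpg's default thresholds (one fully trusted certifier or three marginally trusted ones make a key valid, chains stop after a depth of 5) and adds a hypothetical fifth person, Erin, whose key Carol signed, to show that Erin's key does not become valid for Alice until Alice assigns ownertrust to Carol herself.

```python
"""Web-of-Trust validity computation in the style of GnuPG's classic trust
model. Added example for this manual; it is not WinPT or GnuPG code. The
keys, certifications and ownertrust values below are constructed from the
Alice/Bob/Carol/Dave scenario in the text; 'Erin' is an extra, hypothetical
person added to show where the chain stops."""

# Ownertrust levels, as the user assigns them in the key manager.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# gpg's classic-model defaults: one fully trusted or three marginally trusted
# certifiers make a key valid, and chains are cut after max-cert-depth steps.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(keys, certifications, ownertrust):
    """Return {key: validity} with validity 'full', 'marginal' or 'unknown'.

    keys: key names; certifications: set of (signer, signed_key) pairs;
    ownertrust: {key: level} as chosen by the user. Keys marked 'ultimate'
    are the user's own keys and seed the computation."""
    validity = {k: UNKNOWN for k in keys}
    for k, trust in ownertrust.items():
        if trust == ULTIMATE:
            validity[k] = FULL
    for _depth in range(MAX_CERT_DEPTH):
        # A key only counts as a certifier if it is itself fully valid AND the
        # user has assigned ownertrust to it. Validity alone does not make a
        # key a certifier, which is why the relation is not transitive by itself.
        full_certifiers = {k for k in keys
                           if validity[k] == FULL and ownertrust.get(k) in (FULL, ULTIMATE)}
        marginal_certifiers = {k for k in keys
                               if validity[k] == FULL and ownertrust.get(k) == MARGINAL}
        changed = False
        for key in keys:
            if validity[key] == FULL:
                continue
            signers = {s for s, signed in certifications if signed == key}
            completes = len(signers & full_certifiers)
            marginals = len(signers & marginal_certifiers)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = FULL
            elif marginals >= 1:
                new = MARGINAL
            else:
                new = validity[key]
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def manual_example(bob_ownertrust=FULL, carol_ownertrust=UNKNOWN):
    """Alice's view of the text's scenario. Alice signed Bob's key after the
    fingerprint check, Bob signed Carol's key, Carol signed Erin's key, Dave
    has no certifications at all."""
    keys = ["Alice", "Bob", "Carol", "Dave", "Erin"]
    certifications = {("Alice", "Bob"), ("Bob", "Carol"), ("Carol", "Erin")}
    ownertrust = {"Alice": ULTIMATE, "Bob": bob_ownertrust, "Carol": carol_ownertrust}
    return compute_validity(keys, certifications, ownertrust)


if __name__ == "__main__":
    for label, result in [("Alice trusts Bob fully", manual_example()),
                          ("Alice trusts Bob marginally", manual_example(bob_ownertrust=MARGINAL)),
                          ("Alice also trusts Carol fully", manual_example(carol_ownertrust=FULL))]:
        print(label, result)
```

Run stand-alone it prints the three variants. Carol's key becomes valid for Alice because Alice trusts Bob; Erin's key stays unknown until Alice assigns ownertrust to Carol, and marginal trust in Bob makes Carol's key only marginally valid. Dave's key never changes because nobody certified it.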

It is very important to check the identity of a key owner. Mostly
this is done by comparing a fingerprint that was read out by phone
or written down at a personal meeting with the fingerprint of the
key in the keyring. Please bear in mind that anybody can create a
key with an arbitrary email address and name, so a matching name
and address prove nothing by themselves. Thus it is not recommended
to sign keys without doing this check first!

The fingerprint of the key is a 160-bit hexadecimal sequence divided
into 10 groups of 4 hex digits. You can get the fingerprint of a key
by opening the key property dialog. There you can mark the fingerprint
and copy it to the clipboard. Compare the complete fingerprint, not
just the key ID shown in the key list: the key ID is only the last
8 (or 16) hex digits of the fingerprint, and different keys can share it.

Example: 1D75 8108 5BC9 D9FB E78B 2078 ED46 81C9 BF3D F9B4
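
The check described above, as an added example in Python (not WinPT code): it normalises a fingerprint dictated by phone or copied from the property dialog, compares it with the one in the keyring, and derives the long and short key IDs from it. The first fingerprint is the one printed in the text; the second is constructed for illustration and does not belong to any real key.

```python
"""Fingerprint handling for the check the manual describes. Added example,
not WinPT or GnuPG code. MANUAL_FPR is the fingerprint printed in the text;
COLLIDING_FPR is a constructed value (not a real key) that shares only the
last 8 hex digits with it."""
import re

HEX40 = re.compile(r"^[0-9A-F]{40}$")

MANUAL_FPR = "1D75 8108 5BC9 D9FB E78B 2078 ED46 81C9 BF3D F9B4"
COLLIDING_FPR = "0000 1111 2222 3333 4444 5555 6666 7777 BF3D F9B4"  # constructed


def normalize_fingerprint(text):
    """Accept a fingerprint as copied from the key property dialog or as
    dictated over the phone (any grouping, any case, optional 0x) and return
    the 40 upper-case hex digits. Raises ValueError for anything else, in
    particular for a bare key ID, which is too short to be a fingerprint."""
    compact = re.sub(r"[\s:]", "", text).upper()
    if compact.startswith("0X"):
        compact = compact[2:]
    if not HEX40.match(compact):
        raise ValueError("not a 160-bit fingerprint: %r" % (text,))
    return compact


def is_full_fingerprint(text):
    """True if text is a complete v4 fingerprint rather than a key ID or typo."""
    try:
        normalize_fingerprint(text)
        return True
    except ValueError:
        return False


def format_fingerprint(text):
    """Render as 10 groups of 4 hex digits, the layout WinPT and gpg display."""
    c = normalize_fingerprint(text)
    return " ".join(c[i:i + 4] for i in range(0, 40, 4))


def key_ids(text):
    """For v4 keys the long key ID is the low 64 bits (last 16 hex digits) of
    the fingerprint and the short key ID is the low 32 bits (last 8 digits).
    Returns (long_id, short_id) in the 0x-prefixed form used in the
    keyserver dialog."""
    c = normalize_fingerprint(text)
    return "0x" + c[-16:], "0x" + c[-8:]


def fingerprints_match(out_of_band, keyring):
    """Compare the fingerprint obtained out of band (phone, paper) with the
    one shown for the key in the keyring. Only a complete match counts."""
    return normalize_fingerprint(out_of_band) == normalize_fingerprint(keyring)


def same_short_id_different_key(fpr_a, fpr_b):
    """True when two different keys would appear under the same 8-digit key
    ID in a key list: the reason the full fingerprint, not the key ID, is
    what has to be compared before signing."""
    a, b = normalize_fingerprint(fpr_a), normalize_fingerprint(fpr_b)
    return a != b and a[-8:] == b[-8:]
```

The short key ID of the manual's example fingerprint is 0xBF3DF9B4, the same value used in the keyserver examples further down; the constructed second fingerprint yields the same short ID while being a different key, which is exactly the case the key ID alone cannot distinguish.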

@section Installation of the Program

It is always recommended to use the latest version of the program. You
can download it from http://wald.intevation.org/projects/winpt.
Download the zip file with the binaries inside and unpack it into
a folder. All files need to be in the same folder, so if you change
the folder, don't forget to move all files.
You should also download the signature of the package and verify it
before unpacking, to make sure that the release is really authentic;
an archive whose signature you did not check could have been replaced
on its way to you.

To activate the program you just need to start WinPT.exe. You should
now see a little (golden key) icon in the taskbar which indicates that
the program is running. If you want to quit the program, right-click
on the symbol and select "Exit".

Alternatively, you may use one of the graphical GPG installers which
are available on the internet. I recommend Gpg4Win, which
includes a set of very useful privacy tools besides WinPT and is
very easy to use at an average size (~4MB). For non-German
speaking users, I recommend the light version because it does not
contain the two German PDF manuals.

@subsection Getting the Source of the Program
As free software, according to the GNU General Public License,
WinPT also offers the source code of the program. It can be used
for reviews, to compile your own binary, to modify and/or
redistribute it, or just to learn how it works. The source is available
at the same place you downloaded the binary. If not, you should
contact the author of the site.
The entire program can be built with free software; the default
environment is a cross-compiler hosted on a Linux box. All you
need are the mingw32 packages, a working autoconf environment
and the libraries WinPT depends on (currently gpgme and libgpg-error).
It is also possible to build the binary with cygwin/mingw32 on
Windows, but this environment is not actively supported and probably
needs adjustments to the source.

@subsection Configure the Program
After the installation, not many of the default settings need to
be changed. If you prefer a special keyserver, it is probably a good
idea to open the keyserver dialog and to set one of the existing
keyservers as the default, or to create a new entry and mark it as the
new default. The default keyserver is subkeys.pgp.net, which is
the best choice for most users.

@subsection GPG Options
For expert users, the GPG preference dialog might contain some
interesting options, for example to set the expiration date of
a signature and/or to set the signing level for key signing.
It also allows you to set a default 'encrypt-to' key and to set
the comment in ASCII armored files. Bear in mind that an
'encrypt-to' key is added as a recipient to everything you encrypt,
so it should be a key under your own control.

@subsection Preferences
In the WinPT preference dialog, the user can modify and/or disable
the default options. New users are advised to leave the default
values as they are, except when there are problems related to the
hotkeys.

To enable keyring backups, the user can either decide to use the
GPG home directory as the backup folder or any other folder. In
the latter case, a folder needs to be chosen. A backup in the GPG
home directory is lost together with the original if that directory
is damaged or deleted, so a separate location is the safer choice.


@section The First Start

This section is only important for people who never installed
and/or used WinPT before.

When the program is started for the first time, it offers two choices.
One is to generate a key pair and the other is to copy
existing GPG keyrings into the current installation.

We assume the user will select the first entry.

Now a new dialog is shown which requests some information from
the user to allow a meaningful association between the key and
the user. If the user prefers RSA keys, the check box should be marked.
If the entered data is OK, WinPT then generates a new key pair. While
this step is running, a progress dialog is shown. When the generation
of the key pair is done, WinPT offers the chance to back up the
keyrings. This is an important decision: if the keyring gets corrupted
or lost, there is no way to recover data that was encrypted to the key.
That is why it is also important to store the backup, at least of the
secret keyring, in a @strong{safe} place. The secret keyring is
protected only by your passphrase, so anybody who obtains the backup
can try to guess it.

@section Keyserver Access

An easy way to retrieve keys is the keyserver. You can think of
it as a huge database with a lot of keys as its content. It is
possible to search for keys by a pattern, a key ID or even a fingerprint.
WinPT allows access to different kinds of keyservers, for example
LDAP, HKP, Finger and HTTP. But the focus here is on HKP because
this is the common case.

Bear in mind that a keyserver only stores and distributes keys; it
does not check who uploaded them. A key fetched from a keyserver is
therefore no more trustworthy than a key received by mail, and its
fingerprint still needs to be verified before you sign it or rely on it.

In some situations WinPT asks the user whether to retrieve keys
automatically. One example is signature verification when the
key that issued the signature was not found in the keyring.

The main keyserver dialog allows you to fetch one or more keys directly
or to search for a given pattern.

@subsection Retrieve a key by Key ID
The best way to fetch a key from the server is by the key ID.
Just enter the key ID (it is always a good idea to prefix it
with 0x) and click the "Receive" button.

An example:

pattern: 0xBF3DF9B4

[Receive]


@subsection Retrieve a key by its email address
If you only know the email address of your partner, you can
enter it instead of the key ID. It is unlikely but possible
that there are several keys with the same address. In this situation,
WinPT will warn you that multiple keys were imported; check which
of them really belongs to your partner before using any of them.
The difference to the search function is that the keys are directly
fetched and not displayed as a result list.


An example:

pattern: name_of_friend@@gmx.net

[Receive]


@subsection Search for a key by pattern
If you want to communicate with a new mail partner and you are
not sure about the key ID, it can be useful to search for his
email address. This address is considered quite unique, although
anybody can create a key carrying it.

An example:

pattern: winpt@@windows-privacy-tray.com

[Search]

Now a dialog is opened with a list of all keys which matched
the search string. If the name @strong{and} the email address
are known, the matching key should be selected and "Receive"
should be clicked. Then the key will be downloaded and added
to your keyring. Now you can encrypt data with this key, for
example an email.
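
The three lookups above as HKP requests, plus a parser for the server's machine-readable result list, as an added example in Python (not WinPT code). It only builds the URLs and fetches nothing, so it runs offline; the keyserver name is the default this manual names and 11371 is the standard HKP port. The server answer it parses is constructed: it reuses the key ID of the manual's example fingerprint, but the user IDs, dates, algorithms and the second, revoked key are invented.

```python
"""HKP keyserver lookups as used by the three retrieval methods above, plus a
parser for the machine-readable index answer. Added example, not WinPT code.
The default keyserver name is the one this manual names; SAMPLE_INDEX is a
constructed server answer: it reuses the key ID of the manual's example
fingerprint, but the user IDs, dates, algorithms and the second (revoked)
key are invented."""
from urllib.parse import urlencode, unquote

DEFAULT_KEYSERVER = "subkeys.pgp.net"
HKP_PORT = 11371

# Constructed op=index&options=mr response (HKP draft format):
#   info:<version>:<count>
#   pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
#   uid:<percent-escaped uid>:<created>:<expires>:<flags>
SAMPLE_INDEX = "\n".join([
    "info:1:2",
    "pub:ED4681C9BF3DF9B4:17:1024:1150000000::",
    "uid:WinPT%20Team%20%3Cwinpt%40windows-privacy-tray.com%3E:1150000000::",
    "pub:0123456789ABCDEF:1:2048:1100000000:1130000000:r",
    "uid:Old%20WinPT%20Key%20%3Cwinpt%40windows-privacy-tray.com%3E:1100000000::",
])


def hkp_url(pattern, op="get", keyserver=DEFAULT_KEYSERVER, port=HKP_PORT):
    """Build the HKP request for a pattern (0x-prefixed key ID, email address
    or name). op="get" returns the matching key(s) directly, which is what
    "Receive" does; op="index" returns a result list like "Search"; options=mr
    selects the machine-readable index format parsed below."""
    if op not in ("get", "index"):
        raise ValueError("unsupported HKP op: %r" % (op,))
    query = {"op": op, "search": pattern}
    if op == "index":
        query["options"] = "mr"
    return "http://%s:%d/pks/lookup?%s" % (keyserver, port, urlencode(query))


def _int_or_none(field):
    return int(field) if field else None


def parse_index(text):
    """Parse an options=mr index answer into a list of key dictionaries.
    Record types the parser does not know are skipped, so servers that add
    extra lines do not break it."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            keys.append({
                "keyid": fields[1].upper(),
                "algo": _int_or_none(fields[2]),
                "keylen": _int_or_none(fields[3]),
                "created": _int_or_none(fields[4]),
                "expires": _int_or_none(fields[5]),
                "flags": fields[6],
                "uids": [],
            })
        elif fields[0] == "uid" and keys and len(fields) >= 2:
            # ':' inside a user ID is percent-escaped, so splitting on ':' is safe.
            keys[-1]["uids"].append(unquote(fields[1]))
    return keys


def usable_keys(keys):
    """Drop revoked (r), disabled (d) and expired (e) keys; gpg would refuse
    to encrypt to them anyway."""
    return [k for k in keys if not set(k["flags"]) & set("rde")]


def select_key(keys, name, email):
    """The selection step of the search dialog: keep only usable keys whose
    user ID carries both the expected name and the expected email address.
    Even a unique match is not proof of identity; the fingerprint still has
    to be checked before the key is signed or trusted."""
    return [k for k in usable_keys(keys)
            if any(name in uid and "<%s>" % email in uid for uid in k["uids"])]
```

A "Receive" on the key ID maps to op=get, a "Search" to op=index; the index lists key ID, algorithm, size, creation and expiry dates and flags, but nothing that would authenticate the key, which is why the selection step above is followed by a fingerprint check and not by signing.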

@subsection Sending a Key to the Keyserver
After you have generated a new key pair, it is a good idea to send your
public key to the keyserver to make it available to other users. If you
issue a signature, the key ID is part of the signature and people can
automatically retrieve your key when they try to verify the signature.

Actually, the action is performed in the Key Manager and not in the
keyserver dialog. Just open the Key Manager, select the key you want
to send, right-click on it and choose "Send to Keyserver" in the popup
menu. Then a message box with the result is shown.

@subsection Add, Delete or Edit a Keyserver Entry
The keyserver dialog allows you to change the existing keyserver entries,
to delete them or to add new entries. Just right-click on a selected
item and a popup menu will be shown with "Edit", "Remove" and "New".

@section Using the Clipboard

A major aim from the first day was that the program does not
depend on a special mail client. For this reason it uses the
clipboard to encrypt and/or sign data.
For the examples, let's assume that you want to write a new
mail or that you received a mail protected by GnuPG.

@subsection Encrypt Data in the Clipboard
Just copy the text from the mailer window into the clipboard.
This is usually done with CTRL+C; make sure you really selected
all portions of the text. Then right-click on the tray icon
and select Clipboard->Encryption. Now a dialog is shown to
select the recipients. This means you need to select all
keys which should be able to decrypt the mail; if you want to be
able to read the mail yourself later, your own key must be among
them (or configured as the 'encrypt-to' key in the GPG options).
Confirm with "OK". GnuPG now encrypts the data to the selected
recipients. At the end a message box with the result is shown.
Now the clipboard should contain the encrypted data. Just paste
it into the mailer window. The output should be enclosed by a
header and a footer, "BEGIN PGP MESSAGE" and "END PGP MESSAGE".
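
The armor framing mentioned above, and the same framing around a public key pasted from a mail (see the import section later in this manual), as an added example in Python; it is not WinPT or GnuPG code. It performs no cryptography: it only produces and checks the BEGIN/END lines, the armor headers and the CRC-24 checksum defined in RFC 2440, which is what tells you that a paste is complete and unaltered before gpg gets to see it. The body bytes are a constructed stand-in for gpg's binary output, not a real OpenPGP packet.

```python
"""ASCII armor as it appears in the clipboard after encryption (and around a
public key pasted from a mail). Added example, not WinPT or GnuPG code; it
frames and checks the armor only and performs no cryptography. SAMPLE_BODY is
a constructed stand-in for gpg's binary output, not a real OpenPGP packet."""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

SAMPLE_BODY = b"\x00constructed stand-in for gpg's binary output\xff"


def crc24(data):
    """OpenPGP CRC-24 (RFC 2440 section 6.1) over the binary body."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type, body, comment=None):
    """Wrap body in '-----BEGIN PGP <type>-----' ... '-----END PGP <type>-----'
    with base64 data and the '=' checksum line. block_type is 'MESSAGE' for
    encrypted clipboard text or 'PUBLIC KEY BLOCK' for an exported key."""
    lines = ["-----BEGIN PGP %s-----" % block_type, "Version: example (not gpg)"]
    if comment:
        lines.append("Comment: " + comment)  # what the armor comment in the GPG options sets
    lines.append("")
    b64 = base64.b64encode(body).decode("ascii")
    lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
    lines.append("=" + base64.b64encode(crc24(body).to_bytes(3, "big")).decode("ascii"))
    lines.append("-----END PGP %s-----" % block_type)
    return "\n".join(lines) + "\n"


def dearmor(text):
    """Parse armored text as pasted from a mail. Returns (block_type, headers, body).
    Raises ValueError when the BEGIN/END lines are missing or do not match, or
    when the CRC does not fit: the checks that catch a truncated or mangled
    paste before the data is handed to gpg."""
    lines = text.strip().splitlines()
    head = re.match(r"^-----BEGIN PGP (.+)-----$", lines[0].strip()) if lines else None
    if not head:
        raise ValueError("no armor header line")
    block_type = head.group(1)
    if lines[-1].strip() != "-----END PGP %s-----" % block_type:
        raise ValueError("armor footer missing or does not match header")
    headers = {}
    i = 1
    while i < len(lines) and lines[i].strip():
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    data = [l.strip() for l in lines[i + 1:-1] if l.strip()]
    if not data or not data[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    body = base64.b64decode("".join(data[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(data[-1][1:], validate=True), "big")
    if crc24(body) != expected:
        raise ValueError("armor checksum mismatch: data altered or truncated")
    return block_type, headers, body


def is_intact(text):
    """True if text is a complete, unaltered armored block."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def tamper(text):
    """Change one character of the first base64 data line, as a lossy paste
    or a line wrap in the mailer might; used to show that dearmor() notices."""
    lines = text.split("\n")
    i = lines.index("") + 1  # first line after the blank header separator
    first = "B" if lines[i][0] != "B" else "C"
    lines[i] = first + lines[i][1:]
    return "\n".join(lines)
```

The CRC only detects accidental damage (a truncated paste, a mailer that rewrapped a line); it is not an integrity protection against a deliberate change, which is what the signature inside the message is for. An empty body armors to the checksum line "=twTO", a handy value to recognise when debugging.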

@subsection Decrypt/Verify Data from the Clipboard

@subsection Sign the Clipboard

@section The Key Manager

This part of the program is probably the most important for many users.
It contains functions to manage your keyring and to perform actions
which are required and/or useful in the OpenPGP environment.

@subsection Tips

@itemize @bullet

@item
If you want to quickly import a key from a file into the keyring, just
drag and drop the file into the Key Manager window. Then the import
procedure will be started automatically.

@item
Keys which were fetched from keyservers often contain a lot of,
possibly obsolete, self-signatures. If you want to get rid of them
you can use the Key Edit->Clean feature. Just start the edit
dialog and select the clean command. That's it.

@item
The keyserver dialog does not allow you to import a key directly
via a URL; as an alternative you may use the "Import HTTP..."
feature in the Key Manager. With it you can directly fetch keys
from the web (Example: http://www.users.my-isp.de/~joe/gpg-keys.asc).
A key fetched this way is as unverified as any other download:
compare its fingerprint with the owner before you trust it.

@item
To customize the parameters of the generated key, you can use
the expert key generation. It allows you to set the public key
algorithm and/or the size of the key directly.

@item
Most of the list view based dialogs allow you to use the right
mouse button to show popup menus with the available commands.

@end itemize

@subsection Create a Revocation Certificate

It is very important to do this step as early as possible. With this
certificate, you can revoke your entire key. The reason for this
can be, for example, that your key is no longer used or even compromised.
After you have generated the revocation certificate, you should move it
to a secure place, because anybody who gets access to it can render
your key unusable. Unlike the secret key, the certificate needs no
passphrase to be used once it exists.

Just right-click on your key and select "Revoke Cert". If you do this
step directly after key generation, there is no need to change the
default values. Just select a file name and enter the passphrase.
The program issues a warning which should be read carefully.

@subsection Adding a new secondary key

For most users the existing keys in the key pair are enough
and no extra key is needed. But there are some exceptions.

@itemize @bullet

@item
The primary key has no secondary key and the primary key is not
able to encrypt data. In this case it can be a good idea to
add a secondary encryption key.

@item
A lot of people use secondary encryption keys with an expiration
date. Usually the key is valid for 1-2 years. After the key has expired,
a new key is needed in order to encrypt data.

@end itemize

What kind of public key algorithm should be selected is a matter
of taste. RSA and ElGamal are both capable of encryption. For most
users it's a good idea to let the program choose the key size (in bits).
The default settings should be secure enough for most purposes.

@subsection Adding a new user ID
If you got a new email account, it's probably a good idea to
add this new account to your key as well. For example:

A new account was registered at gmail.com (john.doo@@gmail.com).
Then you should create a new user ID with the following fields:

name: John Doo

email: john.doo@@gmail.com

comment: (optional)

Now email programs are able to associate this address with your
key when somebody wants to send protected mail to this account.

@subsection Adding a photographic ID
With this function you can add a photo to your public key. It will be
displayed in the key property dialog.

You just need to select a JPEG file which contains the photo,
enter your passphrase and confirm with OK. Please read the note
in the dialog carefully to make sure the photo has a proper size
(file size, height and width).

@subsection Adding a new designated revoker
If you want to allow another key to revoke your own key, which
might be useful if you lose your secret key or in a similar situation,
you can use this function to add a designated revoker to your key.

All you need to do is to select the key you want to add as a designated
revoker. But please bear in mind that this procedure cannot be undone
and that this person really has the power to make your public key
unusable. You really should trust the selected key, in case it is
not a key owned by yourself.

@subsection Export a Public Key
There are several reasons to export a public key and there
are also several ways to do it. If you want to send the key
directly to a mail recipient, you can select the key, right-click,
and select "Send Key to Mail Recipient". As an alternative, you
can also export it to the clipboard or to a file. To export a
key to the clipboard, select "Copy key to Clipboard"
in the popup menu of the selected key. To export it to a file,
you need to select the menu "Key" and then "Export...". The
program will automatically suggest a name for the output.

@subsection Import a Public Key
Similar to the key export, the import of a key can be done in
several ways. First, let's assume you got a mail with an OpenPGP
key included as inline text. Then you can use the current window
feature and "Decrypt/Verify" to import the key. Alternatively you
may also use the clipboard. To achieve this, you first need to
select the entire key (CTRL+A) and then copy it to the clipboard
(CTRL+C), then use the Key Manager (Edit->Paste) to import it.
If the key is stored as an attachment, or you want to import
a key from a file in general, just drag the file and drop it
into the Key Manager window or use "Key" -> "Import...".

@bye
