Add description of managing your keys and what to do if its compromised
I'm very new to using keys, but I was confused what to do if your private key or a device with it installed is compromised?
I'm not sure if this is in scope for the project, but it would be good to either explain that, or offer steps to take if it happens, to new users like me.
I'm happy to make a PR adding this if you let me know what you recommend.
Thanks for the cool project! 🙂
Great question.
Currently, if a key got compromised or you wanted to rotate or use a new key, you would:
- Revoke the user statement (if you have access to the key) OR remove the signed statement from the 3rd party site (or both)
- Generate a new key and post a new signed statement and publish.
- Clients see the key's user statement was revoked, and search for and find the new key.
This is not the best user experience. I am thinking about having the clients automatically update keys if they are rotated or updated.
Something that is nice about having signed statements associated with the key on 3rd party sites is that if you lose the key, you can still revoke the key by removing the signed statement from that site.
The https://github.com/keys-pub/website repo could be updated with this info if you want to try a PR, or we can wait until the client makes this more obvious.
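The three steps above (revoke or remove the old statement, publish a claim from the new key, clients resolve to the new key) as a runnable Go model. This is an added example written for this thread, not keys-pub's code or its real statement format: `Statement`, `Directory`, `Post`, `RemoveFromSite` and `Resolve` are hypothetical names, the directory stands in for both the third-party site and the key server, and signatures use Go's standard `crypto/ed25519`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Statement is a hypothetical, simplified model of a signed user statement:
// a key either claims "user on service" or revokes that claim.
type Statement struct {
	KID     string // hex-encoded ed25519 public key that signs the statement
	Service string // e.g. "github"
	User    string // account name on the service
	Revoke  bool   // true = this statement revokes the claim made by KID
	Sig     []byte // ed25519 signature over payload()
}

// payload is the canonical byte string that is signed and verified.
func (s Statement) payload() []byte {
	return []byte(fmt.Sprintf("kid=%s&service=%s&user=%s&revoke=%t", s.KID, s.Service, s.User, s.Revoke))
}

// GenerateKey creates a fresh ed25519 key pair and returns its key id and private key.
func GenerateKey() (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(pub), priv, nil
}

// Sign produces a claim (revoke=false) or revocation (revoke=true) signed by priv.
func Sign(priv ed25519.PrivateKey, service, user string, revoke bool) Statement {
	s := Statement{
		KID:     hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Service: service,
		User:    user,
		Revoke:  revoke,
	}
	s.Sig = ed25519.Sign(priv, s.payload())
	return s
}

// Verify checks that the statement was signed by the key it names.
func Verify(s Statement) bool {
	pub, err := hex.DecodeString(s.KID)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), s.payload(), s.Sig)
}

// Directory stands in for the third-party site plus the key server: it stores
// published statements per service/user in the order they were posted.
type Directory struct {
	posted map[string][]Statement
}

func NewDirectory() *Directory { return &Directory{posted: map[string][]Statement{}} }

func ident(service, user string) string { return service + "/" + user }

// Post publishes a statement; anything that does not verify is rejected.
func (d *Directory) Post(s Statement) error {
	if !Verify(s) {
		return errors.New("statement signature does not verify for its key id")
	}
	k := ident(s.Service, s.User)
	d.posted[k] = append(d.posted[k], s)
	return nil
}

// RemoveFromSite deletes every statement by kid for the identity: the
// "lost the key, so remove the post from the site" path in the comment above.
func (d *Directory) RemoveFromSite(service, user, kid string) {
	k := ident(service, user)
	kept := d.posted[k][:0]
	for _, s := range d.posted[k] {
		if s.KID != kid {
			kept = append(kept, s)
		}
	}
	d.posted[k] = kept
}

// Resolve is the client-side lookup: the key id of the most recently posted
// claim that verifies and has not been revoked by a verified revocation.
func (d *Directory) Resolve(service, user string) (string, error) {
	stmts := d.posted[ident(service, user)]
	revoked := map[string]bool{}
	for _, s := range stmts {
		if s.Revoke && Verify(s) {
			revoked[s.KID] = true
		}
	}
	for i := len(stmts) - 1; i >= 0; i-- {
		if s := stmts[i]; !s.Revoke && Verify(s) && !revoked[s.KID] {
			return s.KID, nil
		}
	}
	return "", errors.New("no valid key for " + ident(service, user))
}
```

The point the model makes explicit is that a revocation only counts if it verifies under the key it revokes, so an attacker cannot post a revocation for someone else's key; losing the key therefore forces the second path, removing the statement from the site. A real implementation would also carry timestamps or sequence numbers in the signed payload so that replaying an old claim after a rotation cannot reinstate the old key.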
Thanks for the reply @gabriel! I'll give a PR a try. I'll probably just copy what's in your comment above. 😉