Key revoking

Nate Eldredge neldredge@hmc.edu
Sun, 13 Feb 2000 17:14:34 -0800 (PST)


I'm trying to figure out how key revoking works.  The manual explains
all the relevant GnuPG options, but not the whole procedure.

1.  The manual tells how to generate a revocation certificate
(--gen-revoke).  What is it that gets spit out?  It says "PGP PUBLIC
KEY BLOCK", and the comment says "A revocation certificate should
follow", which would seem to imply that perhaps this isn't the
certificate itself.

1a. Once I have a revocation certificate, how do I use it?  Suppose
I've lost my secret key and want to revoke it.  What should I do with
the certificate?  I tried, for example, submitting the output of
--gen-revoke to a keyserver, but it rejects it.

2.  I figured out how to revoke a key using the `revkey' command in
--edit-key.  And indeed, once I do that, attempts to encrypt to that
user give a warning.  However, signatures still seem to be perfectly
fine.  I.e. I sign a file and then revoke the key (selecting key 1),
but even then doing --verify on the file reports that it's okay.  Is
this intentional?  It would seem, then, that if my key gets
compromised, nothing stops the bad guy from forging messages in my
name.

I'd appreciate an email CC on responses if convenient, as I'm not on
the mailing list and may miss it in checking the archives.

Thanks in advance.

-- 

Nate Eldredge
neldredge@hmc.edu
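Editor's added walkthrough (not part of the message above and not GnuPG project code): the procedure the three questions describe, run end to end against a throwaway key in a temporary GNUPGHOME. It answers --gen-revoke non-interactively over --command-fd, shows the "PGP PUBLIC KEY BLOCK" header that the armored certificate carries, applies the certificate with --import, and reads the --verify verdict from the --status-fd protocol before and after, where a good signature from a revoked key is reported as REVKEYSIG instead of GOODSIG (the human-readable output still says "Good signature" but adds a revoked-key warning). It assumes GnuPG 2.2 or later and a key created with an empty passphrase so no pinentry is needed; the user ID and message text are constructed for the demo. Publishing the revoked key afterwards with --send-keys is the one step that cannot be shown offline.

```shell
#!/bin/sh
# Added walkthrough; not from the mailing-list post and not GnuPG project code.
# Assumes GnuPG 2.2 or later, a gpg-agent that gpg can auto-start inside a
# temporary GNUPGHOME, and a throwaway key made with an empty passphrase so
# that no pinentry is ever needed. The user ID and message are constructed.
set -eu

DEMO_UID='Revocation Demo <demo@example.invalid>'   # constructed identity

# Generate an unprotected key into the current GNUPGHOME; prints its fingerprint.
# (GnuPG 2.1+ also drops a ready-made certificate in openpgp-revocs.d at this point.)
make_demo_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$DEMO_UID" default default never 2>/dev/null
    gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached signature over $2 with key $1, written to $2.sig.
sign_file() {
    gpg --batch --quiet --local-user "$1" --detach-sign --output "$2.sig" "$2"
}

# Answer the --gen-revoke prompts over --command-fd instead of a terminal:
# "y" (create it), "0" (reason: no reason specified), an empty description
# line, "y" (confirm). gen-revoke refuses --batch, so --no-tty is used;
# GnuPG forces ASCII armor and writes the certificate to $2.
make_revocation_cert() {
    printf 'y\n0\n\ny\n' | gpg --no-tty --command-fd 0 --status-fd 2 \
        --output "$2" --gen-revoke "$1" 2>/dev/null
}

# Applying the certificate is a plain --import of the armored block; the
# key is then flagged revoked in this keyring (publish it with --send-keys).
apply_revocation() {
    gpg --batch --quiet --import "$1" 2>/dev/null
}

# Machine-readable verdict for a detached signature, taken from the
# --status-fd protocol rather than from the exit code: GOODSIG, REVKEYSIG,
# EXPKEYSIG, BADSIG or ERRSIG.
verify_status() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|REVKEYSIG|EXPKEYSIG|BADSIG|ERRSIG)$/ { print $2; exit }'
}

# Whole procedure in a scratch directory; prints "<before> <after>" on stdout.
revocation_walkthrough() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    fpr=$(make_demo_key)
    printf 'signed before the key was revoked\n' > "$work/msg.txt"
    sign_file "$fpr" "$work/msg.txt"
    before=$(verify_status "$work/msg.txt.sig" "$work/msg.txt")

    make_revocation_cert "$fpr" "$work/revoke.asc"
    echo '--gen-revoke output starts with:' >&2
    head -n 2 "$work/revoke.asc" >&2      # the PUBLIC KEY BLOCK header asked about
    apply_revocation "$work/revoke.asc"
    after=$(verify_status "$work/msg.txt.sig" "$work/msg.txt")
    # Human-readable --verify still says "Good signature" but adds this warning:
    gpg --verify "$work/msg.txt.sig" "$work/msg.txt" 2>&1 | grep -i revoked >&2 || true

    gpgconf --kill all 2>/dev/null || true
    rm -rf "$work"
    echo "$before $after"
}

# Run when executed directly; the expected result line is "GOODSIG REVKEYSIG".
if command -v gpg >/dev/null 2>&1; then
    revocation_walkthrough
else
    echo 'gpg not found; install GnuPG 2.2 or later to run this walkthrough' >&2
fi
```

Two design points. The verdict is parsed from --status-fd because a revoked (or expired) key still yields a "Good signature" line and the exit status is not a reliable signal; scripts that gate on the exit code alone miss the REVKEYSIG case, which is exactly the forgery concern raised in question 2. On question 1a: the bare certificate is only a signature packet without key material, so it is not something a keyserver can store on its own; the working order is --import it into the keyring that holds the public key, then --send-keys that key so the revocation travels with it.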