Key revoking

Werner Koch
Mon, 14 Feb 2000 12:32:09 +0100

On Sun, 13 Feb 2000, Nate Eldredge wrote:

> 1. The manual tells how to generate a revocation certificate
> (--gen-revoke). What is it that gets spit out? It says "PGP PUBLIC
> KEY BLOCK", and the comment says "A revocation certificate should
> follow", which would seem to imply that perhaps this isn't the
> certificate itself.
Frankly it is not a complete key but only the certificate. OpenPGP mandates that this should be a key with the revocation certificate. I decided nbot to emit this because this way you can print it out and type it in if you ever will need it. The Horrowitz keyservers ( should now all accept these standalone revocations. Don't know about NAIs certserver. Making a real valid revocation is however trivial: import the revocation into your keyring using Gnupg and the do a regular export or --send-keys.
> fine. I.e. I sign a file and then revoke the key (selecting key 1),
> but even then doing --verify on the file reports that it's okay. Is
If you use the defaults in key generation, than key(1) is the encryption key and you used the primary key to create the signature. A primary key can only be revoked using the --gen-revoke command.
> I'd appreciate an email CC on responses if convenient, as I'm not on
> the mailing list and may miss it in checking the archives.