Question: revoking a key without pollution

Martin Blais blais@iro.umontreal.ca
Sat Dec 15 02:44:01 2001


Hi.

My current secret key has been compromised (literally: my home computer was 
stolen this weekend).  I will soon regenerate another keypair.

When I publish my new public key, I would like to publish the revocation
certificate for the old key as well, so that my friends no longer use it to
send me data, but I would like to avoid publishing the old public key with
it. Even though it will be marked revoked, it would pollute the key rings of
new friends with my old revoked key.

In other words, I want to publish a chunk that contains ONLY:

 - my new public key
 - a revocation certificate for my old public key

I can only seem to generate a chunk with the following:

 - my new public key
 - my old public key, along with the revocation certificate.

Is it doable?  How do I do it?

I have tried importing the revoked key with a blank db, and gpg DOES add that 
revoked key to the ring, which is exactly what I'd like to avoid.

The way I'd expect it to work would be to ignore revoked keys when importing.
When I try to import a simple revocation certificate (without the associated
key), gpg correctly ignores the certificate because it doesn't have the
corresponding key, which is exactly what I want:

lima:~/tmp$ gpg --import D1775F1D.revoke 
gpg: Warning: using insecure memory!
gpg: key D1775F1D: no public key - can't apply revocation certificate
gpg: Total number processed: 1

I mean, I could publish the simple revocation certificate itself separately 
and ask my friends to import that, but that seems like a pain in the bleep.  
I'd rather include it in my new published key chunk.

I've been grinding in the GPG documentation for a while, and I cannot seem to 
find an answer to this question.  My head spins now.

Thanks for your answers.
Please Cc blais@iro.umontreal.ca; I'm not a member of this list.


--
M.
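The import failure quoted above ("no public key - can't apply revocation certificate") comes down to what packets are in the blob: a bare revocation certificate is a single OpenPGP signature packet (tag 2, signature type 0x20) with no public-key packet (tag 6) for it to attach to, while an exported revoked key carries both. The following added example (not from the original post or from GnuPG) is a small RFC 4880 packet-header walker that reports which of the two a blob contains; the sample bytes are constructed, with signature bodies cut down to the version and type fields.

```python
# Minimal OpenPGP (RFC 4880) packet walker: lists packet tags and, for
# signature packets, checks for the key-revocation signature type. Added
# example; the sample blobs at the bottom are constructed, not real keys.

PUBLIC_KEY = 6         # packet tag: Public-Key Packet
SIGNATURE = 2          # packet tag: Signature Packet
KEY_REVOCATION = 0x20  # signature type: Key revocation signature

def parse_packets(data: bytes):
    """Return [(tag, body), ...], handling old- and new-format headers."""
    i, out = 0, []
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported here")
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            hdr = 1 + (1 << ltype)  # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        out.append((tag, data[i + hdr:i + hdr + length]))
        i += hdr + length
    return out

def describe(data: bytes):
    """Return (has_public_key, has_key_revocation) for a blob."""
    has_key = has_rev = False
    for tag, body in parse_packets(data):
        if tag == PUBLIC_KEY:
            has_key = True
        elif tag == SIGNATURE and len(body) >= 2 and body[0] == 4 \
                and body[1] == KEY_REVOCATION:
            has_rev = True  # v4 signature whose type byte is 0x20
    return has_key, has_rev

# Constructed samples (bodies truncated; real packets carry full fields/MPIs).
REVOKE_ONLY = bytes([0xC2, 4, 0x04, 0x20, 0x01, 0x08])  # new-format tag 2
KEY_WITH_REVOKE = bytes([0x99, 0, 3, 0x04, 0x00, 0x01]) + REVOKE_ONLY  # old-format tag 6
```

`describe(REVOKE_ONLY)` reports a revocation with no key, which is the case gpg skips on import; `describe(KEY_WITH_REVOKE)` reports both, which is the exported revoked key the post wants to avoid shipping.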