Question: revoking a key without pollution

David Shaw
Wed Dec 19 01:06:02 2001


On Fri, Dec 14, 2001 at 08:41:14PM -0500, Martin Blais wrote:

> My current secret key has been compromised (literally: my home
> computer was stolen this weekend).  I will soon regenerate another
> keypair.
>
> When I publish my new public key, I would like to publish the
> revocation certificate for the old key as well, so that my friends
> do not use it anymore to send me data, but I would like to avoid
> publishing the old public key with it. Even though it will be marked
> revoked, it would pollute the key rings of new friends with my old
> revoked key.
>
> In other words, I want to publish a chunk that contains ONLY:
>  - my new public key
>  - a revocation certificate for my old public key
>
> I can only seem to generate a chunk with the following:
>  - my new public key
>  - my old public key, along with the revocation certificate.

Try this:

gpg --gen-revoke (old_keyid) > data.asc
gpg --armor --export (new_keyid) >> data.asc

If you already have the revocation certificate for your old key handy,
you can just copy it to data.asc.  The important thing here is that
you append the new key information to the same file.

Distribute the resulting data.asc to your friends.  If they have your
old key, it'll be revoked.  If they don't have your old key, they'll
see an error ("can't apply revocation certificate") which they can

Either way, they'll get the new key.

Note that this trick works with GnuPG.  It probably won't work with
PGP (and almost certainly won't work if you send the file to a


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

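The following script is an added example and is not code from David Shaw's reply or from anyone in the thread. It carries the two-line recipe above through end to end in throwaway keyrings: it creates an "old" and a "new" key, writes a revocation certificate for the old one, appends the new public key to the same file, and then imports that one file into two keyrings, one that already holds the old key and one that has never seen it. It assumes GnuPG 2.2 or later on PATH; the user IDs, e-mail addresses, revocation description and directory names are made up for the demonstration. Because --gen-revoke is interactive, its prompts are answered through --command-fd rather than --batch.

```shell
#!/bin/sh
# Added example (not code from the original thread): build the bundle described in
# the reply above, a revocation certificate for the old key followed by the new
# public key, and import it into two throwaway keyrings, one that already holds the
# old key and one that does not.  Assumes GnuPG 2.2 or later on PATH; the user IDs,
# addresses, description text and directory names are made up for the demonstration.
set -eu
command -v gpg >/dev/null || { echo "gpg not found on PATH" >&2; exit 1; }

WORK=$(mktemp -d)
ME="$WORK/me"; FRIEND_A="$WORK/friend_a"; FRIEND_B="$WORK/friend_b"
mkdir -m 700 "$ME" "$FRIEND_A" "$FRIEND_B"
cleanup() {
  for h in "$ME" "$FRIEND_A" "$FRIEND_B"; do
    GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true   # stop the per-keyring agents
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g <gnupghome> <gpg args...>: run gpg against an isolated keyring, never ~/.gnupg,
# and never through a terminal or a pinentry program
g() { h=$1; shift; GNUPGHOME="$h" gpg --no-tty --pinentry-mode loopback "$@"; }

# fpr_of <gnupghome> <user-id pattern>: primary key fingerprint (first fpr record)
fpr_of() {
  g "$1" --batch --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# key_state <gnupghome> <fingerprint>: prints absent | present | revoked, taken from
# the validity field of the pub record ('r' means revoked)
key_state() {
  rec=$(g "$1" --batch --with-colons --list-keys "$2" 2>/dev/null | grep '^pub:' || true)
  case "$rec" in
    '')      echo absent ;;
    pub:r:*) echo revoked ;;
    *)       echo present ;;
  esac
}

# armor_blocks <file>: number of ASCII-armored blocks in the bundle
armor_blocks() { grep -c '^-----BEGIN PGP' "$1"; }

# 1. The compromised key and its replacement, created unprotected so nothing prompts
g "$ME" --batch --passphrase '' --quick-generate-key \
  'Martin Blais (old, compromised) <old@example.invalid>' default default never
g "$ME" --batch --passphrase '' --quick-generate-key \
  'Martin Blais (new) <new@example.invalid>' default default never
OLD=$(fpr_of "$ME" old@example.invalid)
NEW=$(fpr_of "$ME" new@example.invalid)

# 2. Revocation certificate for the old key.  --gen-revoke refuses --batch, so its
#    prompts are answered over --command-fd: y (create it), 1 (key has been
#    compromised), one line of description, an empty line to end it, y (confirm).
printf 'y\n1\nHome computer stolen, key assumed compromised\n\ny\n' |
  g "$ME" --command-fd 0 --status-fd 2 --armor --gen-revoke "$OLD" > "$WORK/data.asc"

# 3. Append the new public key to the same file; the old public key is never exported
g "$ME" --batch --armor --export "$NEW" >> "$WORK/data.asc"

# 4a. Friend A already has the old key: the bundle revokes it and adds the new one
g "$ME" --batch --armor --export "$OLD" | g "$FRIEND_A" --batch --import
g "$FRIEND_A" --batch --import "$WORK/data.asc"

# 4b. Friend B never had the old key: gpg logs an error for the revocation
#     certificate it cannot apply (so the exit status is ignored here), still
#     imports the new key, and the revoked old key never enters this keyring
g "$FRIEND_B" --batch --import "$WORK/data.asc" 2> "$WORK/friend_b.log" || true

echo "bundle:   $(armor_blocks "$WORK/data.asc") armored blocks in data.asc"
echo "friend A: old=$(key_state "$FRIEND_A" "$OLD") new=$(key_state "$FRIEND_A" "$NEW")"
echo "friend B: old=$(key_state "$FRIEND_B" "$OLD") new=$(key_state "$FRIEND_B" "$NEW")"
grep 'revocation certificate' "$WORK/friend_b.log" || true
```

Everything happens under a temporary GNUPGHOME that is removed on exit, so the script can be run on a machine whose real keyring must stay untouched. The two echo lines at the end are the point of the exercise: friend A ends up with the old key marked revoked and the new key present, while friend B ends up with the new key only, the old fingerprint never having entered that keyring.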