HOWTO Revoke a key without having any backup of the key pair ????

David Shaw dshaw@jabberwocky.com
Wed Feb 13 21:48:02 2002


On Wed, Feb 13, 2002 at 08:10:39PM +0100, Chris Niekel wrote:
> > If you don't have a revocation certificate, there is no way to mark
> > your key as invalid. And the administrators of the keyservers will not
> > remove your key. Why? Because there is no way to verify you as the
> > valid owner of the key. They won't remove the key. (Not mentioning
> 
> I'm glad I made a revocation key. But the point that there's no way to
> know it's you could be partially wrong.
> 
> If I have my key signed by another person, he knows the key is owned by
> me. So he should be able to vouch that I own the key.

Yes indeed.

> Of course, you
> can't trust the signer to be speaking for the real person (he/she could
> be speaking for you without you knowing), but maybe something that works
> could be devised?

There is a feature in the OpenPGP spec for this called a revocation
key (PGP calls it "designated revoker").  It works by having the key
owner designate a key that is permitted to issue revocations for the
key owner's key.

It presumes you *really* trust that person :)

I actually started implementing this for GnuPG, but work intervened.
It's about halfway done (it can accept and handle revocations, but it
can't yet add a designated revoker to a key, or issue revocations).
If there is interest, I'll see if I can find some time to finish it
up.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
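For readers arriving at this thread today: the feature David describes has since been completed in GnuPG. The key owner appoints a revoker with the addrevoker command inside --edit-key, and the appointed key later issues the revocation with --desig-revoke. The script below is an added example walking through that exchange with three separate keyrings (owner, trusted friend, third party); it is not code from the original message or from GnuPG itself. It assumes gpg (2.1 or later) and gpgconf are on PATH, and the user IDs, keys and directories it uses are constructed for the demo and deleted afterwards.

```shell
#!/bin/sh
# Added example, not code from the original thread: appoint a designated
# revoker with GnuPG, then let that revoker revoke the owner's key.
# Assumes gpg (GnuPG 2.1 or later) and gpgconf are on PATH. The user IDs,
# key material and directories below are constructed for the demo and
# removed at the end.
set -eu

# Run gpg unattended against a throwaway home directory.
gpg_in() {
    home=$1; shift
    gpg --homedir "$home" --batch --yes --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Same, but for commands that refuse --batch and must be driven through
# --command-fd (answers arrive on stdin, prompts are reported on fd 2).
gpg_driven() {
    home=$1; shift
    gpg --homedir "$home" --yes --quiet --no-tty --command-fd 0 --status-fd 2 \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the primary key matching a user ID.
fpr_of() {
    gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Validity field of the primary key: "r" once gpg has accepted a revocation.
validity_of() {
    gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '/^pub:/ { print $2; exit }'
}

demo_designated_revoker() {
    work=$(mktemp -d)
    owner=$work/owner; friend=$work/friend; third=$work/third-party
    for d in "$owner" "$friend" "$third"; do mkdir -m 700 "$d"; done

    # 1. Independent keyrings for the key owner and the person they trust.
    gpg_in "$owner"  --quick-gen-key 'Key Owner <owner@example.invalid>' default default never
    gpg_in "$friend" --quick-gen-key 'Trusted Friend <friend@example.invalid>' default default never
    owner_fpr=$(fpr_of "$owner" owner@example.invalid)
    friend_fpr=$(fpr_of "$friend" friend@example.invalid)

    # 2. The owner imports the friend's public key and appoints it as
    #    designated revoker: the "addrevoker" command of --edit-key,
    #    driven through --command-fd (revoker fingerprint, confirm, save).
    gpg_in "$friend" --export "$friend_fpr" | gpg_in "$owner" --import
    printf 'addrevoker\n%s\ny\nsave\n' "$friend_fpr" \
        | gpg_in "$owner" --command-fd 0 --status-fd 2 --edit-key "$owner_fpr"

    # 3. The owner publishes the updated key; the friend fetches a copy.
    gpg_in "$owner" --export "$owner_fpr" | gpg_in "$friend" --import

    # 4. The owner loses the key. The friend issues a revocation certificate
    #    for it with --desig-revoke, answering: create it (y), reason 0
    #    ("no reason specified"), empty description, confirm (y).
    printf 'y\n0\n\ny\n' \
        | gpg_driven "$friend" --armor --output "$work/owner-revoked.asc" \
              --desig-revoke "$owner_fpr"

    # 5. A third party holding both public keys imports the certificate;
    #    gpg verifies it against the friend's key and marks the owner's
    #    key revoked, which is what a keyserver or correspondent would see.
    gpg_in "$owner"  --export "$owner_fpr"  | gpg_in "$third" --import
    gpg_in "$friend" --export "$friend_fpr" | gpg_in "$third" --import
    gpg_in "$third" --import "$work/owner-revoked.asc"
    validity_of "$third" "$owner_fpr"

    # Tidy up the per-homedir agents and the temporary keyrings.
    for d in "$owner" "$friend" "$third"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
}

DESIG_REVOKE_RESULT=$(demo_designated_revoker)
echo "owner key validity in the third party's keyring: $DESIG_REVOKE_RESULT"
```

The third-party keyring is the interesting one: it has no secret keys and no trust settings, yet the owner's key flips to revoked as soon as the certificate is imported, because the revocation signature checks out against the revoker key named in the owner's own key. That is also the caveat David raises in the reply: whoever is appointed can do this at any time, so the appointment itself is a trust decision about that person.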