Revocation questions

David Shaw
Wed Jan 16 02:43:02 2002

On Tue, Jan 15, 2002 at 05:07:36PM -0800, Jeffery Cann wrote:

> I was signing my emails (in KDE Kmail) with a gpg signature I
> created based on an email account that is no longer valid, and I am
> unsure if I should:
> 1.  Publish my revocation certificate and then generate a new keypair.  My key
> has not been compromised, so I do not know if that is the strict use of
> revocation,
> 2.  Expire my current keypair and then generate a new keypair.
> 3.  Keep current keypair and add a new userid to my current keypair.  If I do
> this, can I reset the new userid to be the primary one?

All of these are valid options.  #1 or #2 may not be the best thing to
do if you have lots of signatures on your key which you would then
have to replace.

With many signatures, #3 is a good way to go, and yes, the new userid
will be the primary one (the current gpg uses the most recent userid
as the primary one - the new gpg currently in test lets you pick any
userid you like as primary).  You may also want to revoke the old user
ID with the invalid email address.


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
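Option #3 from the reply above, walked through end to end as an added example (this is not code from the original thread or from the GnuPG project). It assumes a modern GnuPG (2.2 or newer) whose `--quick-*` commands let you choose any user ID as primary, as the "new gpg currently in test" of 2002 did; the two identities and the throwaway key are constructed for the demo and the whole thing runs in a temporary `GNUPGHOME`, so no real keyring is touched.

```shell
#!/bin/sh
# Added example: keep an existing key, add a user ID with the new address,
# make it primary, then revoke the user ID carrying the dead address.
# Assumes GnuPG 2.2+ (--quick-add-uid, --quick-set-primary-uid,
# --quick-revoke-uid). Identities below are constructed sample values.
set -eu

OLD_UID="Alice Example <alice@old-example.invalid>"   # constructed
NEW_UID="Alice Example <alice@new-example.invalid>"   # constructed

# Isolated keyring directory; the caller removes it when done.
make_homedir() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# Create a throwaway key under $1, rotate its user ID, print the fingerprint.
# The key is unprotected (empty passphrase) purely so the demo needs no
# pinentry; --batch keeps every step non-interactive.
rotate_uid() {
  home=$1
  gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$OLD_UID" default default >/dev/null 2>&1
  # Field 10 of the "fpr" record is the primary key fingerprint.
  fpr=$(gpg --homedir "$home" --batch --with-colons --with-fingerprint \
            --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  # 1. add the user ID with the valid address
  gpg --homedir "$home" --batch --quick-add-uid "$fpr" "$NEW_UID"
  # 2. make it primary (must happen before the old one is revoked)
  gpg --homedir "$home" --batch --quick-set-primary-uid "$fpr" "$NEW_UID"
  # 3. revoke the user ID with the invalid address; existing certifications
  #    on the key itself stay valid, which is why #3 beats a full revocation
  gpg --homedir "$home" --batch --quick-revoke-uid "$fpr" "$OLD_UID"
  printf '%s\n' "$fpr"
}

# One "<validity> <user id>" line per user ID, from the colon listing:
# field 2 is validity ('r' means revoked), field 10 is the user ID string.
list_uids() {
  gpg --homedir "$1" --batch --with-colons --list-keys \
    | awk -F: '$1=="uid"{print $2, $10}'
}

# Full walk-through; prints the resulting user ID table.
demo() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; nothing to demonstrate" >&2
    return 0
  fi
  home=$(make_homedir)
  fpr=$(rotate_uid "$home")
  echo "key $fpr now carries:"
  list_uids "$home"
  # Stop the agent that gpg started for this homedir, then clean up.
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
}

# Run the walk-through when invoked as `sh rotate_uid.sh run`.
if [ "${1:-}" = "run" ]; then
  demo
fi
```

After the run, `list_uids` shows the new address with normal validity and the old one flagged `r`; anyone who refreshes the key from a keyserver sees the same revocation, while the signatures already on the key are untouched.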