Problem with revoking my old key

Charly Avital shavital at
Fri Jan 27 07:12:08 CET 2006

Hash: SHA256

Running Thunderbird version 1.5 (20051201) + enigmail 0.94.0, Macintosh
OSX 10.4.4, GnuPG 1.4.2.

When I received Daniel's message, TB+Enigmail indicated, in a colored
strip over the message's text "click the Decrypt icon to import key" (I
don't remember the exact words).

When I clicked that icon, a message was displayed "...cannot import
revocation certificate key 9438F4F0...". Again, I don't remember the
exact words, but that was the gist of the message.

I then searched for Daniel's keys with CLI:
$ gpg -search-keys daniel at (I don't have to specify the
keyserver in CLI, this is done in GPGPreferences, a feature of MacGPG,
which is the GnuPG for the Mac Project)

This produced two keys:
one created 2002-10-20
one created 2006-01-25

Both keys were valid, none contained any trace of revocation.

I then went back to Daniel's original message, clicked again the Decrypt
icon, and GnuPG[via TB+enigmail] displayed a long message the gist of
which was the successful import of the revocation certificate, and
detailing other data e.g. trust levels, etc.

Went to
$ gpg --edit-key 9438F4F0
with the following output:
- -----
This key was revoked on 2006-01-26 by DSA key 9438F4F0 Daniel Löfquist
<daniel at>
pub  1024D/9438F4F0  created: 2002-10-20  revoked: 2006-01-26  usage: CSA
                     trust: unknown       validity: revoked
This key was revoked on 2006-01-26 by DSA key 9438F4F0 Daniel Löfquist
<daniel at>
sub  1024g/DDF10144  created: 2002-10-20  revoked: 2006-01-26  usage: E
[ revoked] (1). Daniel Löfquist <daniel at>
- -----

I don't know whether Daniel has already followed David Shaw's
suggestion: import the revocation certificate into Daniel's keyring, and
they upload the resulting public key keyblock to a keyserver, which is
the standard way to use a revocation certificate. I am sure that when I
downloaded Daniel's keys from a keyserver ( the key was
not revoked.

I have *not* of course uploaded the revoked public key keyblock to a
keyserver. That's Daniel's privilege.

Therefore it seems that by importing the revocation certificate as it
appeared in Daniel's email, *when the corresponding key was present in
my keyring* gpg actually revoked the key.

If this is what happened, that means that when one has obtained the
revocation certificate, it is possible to revoke the corresponding key
in one's own keyserver, without the intervention of the certificate's
issuer, and I believe that is detailed in GnuPG documentation. This is
why revocation certificates must be carefully saved and protected in the
issuer's system, until such time the user him/herself needs to apply the

Wouldn't it be "better" if the actual application of the revocation
certificate would be conditioned to the use of the key's passphrase,
thus limiting the revocation certificate's application to the key's
owner only?

Just 2¢


Jean-David Beyer wrote the following on 1/26/06 9:52 PM:
> Daniel Löfquist wrote:

>>> Now I've been trying to upload the revocation certificate to the various
>>> keyservers but none of them wants to accept it. For example, when I try
>>> uploading it to I get this as a response:
>>> Add failed: Malformed Key --- unexpected packet type and/or order of packets
>>> Am I doing something wrong or why is my key not being accepted by the keyservers?
>>> //Daniel

> I get the same message when I try to import your key. So if it is not you,
> it is both Thunderbird 1.5 and the keyserver. I would not expect both to be
> buggy in the same way.
> --
>   .~.  Jean-David Beyer          Registered Linux User 85642.
>   /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
>  /( )\ Shrewsbury, New Jersey
>  ^^-^^ 21:50:00 up 6 days, 13:17, 5 users, load average: 4.22, 4.41, 4.58

Gnupg-users mailing list
Gnupg-users at

Version: GnuPG v1.4.2 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla -


More information about the Gnupg-users mailing list