'sensitive' designated revoker -- are the keyservers still aware?

David Shaw dshaw at jabberwocky.com
Thu Feb 1 21:04:27 CET 2007

On Thu, Feb 01, 2007 at 11:23:58AM -0800, snowcrash+gnupg-users wrote:
> if i've added a designated revoker to a key, WITH the 'sensitive' flag.
> am i correct that:
> (1) the 'sensitive' flag prevents the *export* of the add'l/designated
> revoker's key
> (2) the keyservers still learn/know that there IS a designated
> revoker, AND its KeyID/UID

Not exactly.  When exporting a key that has a sensitive designated
revoker set, the key is exported, but the designated revoker
information is not included.  Anyone looking at the key from the
outside cannot tell the difference between this state, and no
designated revoker set at all.  However, if the designated revoker has
in fact revoked the key, then the designated revoker information IS
included, along with the revocation.

The idea behind this is that the relationship between the designated
revoker and the key owner is sensitive, and so we must not reveal the
identity designated revoker until we absolutely must (i.e. when they
actually revoke the key).

Note that there is an option "export-sensitive-revkeys" which tells
GPG to export the designated revoker information even if the key isn't
revoked.  This essentially pretends that the "sensitive" flag is not
set.  Under normal circumstances, you don't want to do this.


More information about the Gnupg-users mailing list