Deleting a designated revoker

David Shaw dshaw at jabberwocky.com
Fri Mar 16 15:13:08 CET 2007


On Thu, Mar 15, 2007 at 04:14:13PM -0600, Kurt Fitzner wrote:
> In PGP desktop 9.5, I can delete a designated revoker from my keyring.
> Having used GnuPG pretty much exclusively, I was under the impression
> this was impossible.  It wouldn't be an issue, but having torn my hair
> out for several days over why CACert's OpenPGP signature system wouldn't
> sign my key, I finally figured out it doesn't handle keys with revokers
> on it.
> 
> Since deleting a revoker is possible, might I suggest that GPG
> incorporate this ability.

This is not exactly true.  You can certainly delete the packet that
says "this key has a designated revoker", but note that there is no
way to undo the designation if the key has been distributed.  It's
like a signature from a key you don't own: you could delete the
signature packet, but you can't revoke it.  Designated revoker
signatures are irrevocable as part of the OpenPGP protocol, even
though they are issued from your own key.

What PGP is doing is just deleting the packet.  If you sync with a
keyserver that has your key, the packet will just come back.

All that said, yes, GPG has no way to delete designated revoker
packets.  The only way to do it is export your public key and run
'gpgsplit' on it.  Then delete the packet you want to get rid of and
'cat' the packets back together.

David
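To make the "delete the packet" step concrete, here is an added example (not part of the thread, and not GnuPG or PGP code) that does in Python what the export / gpgsplit / delete / cat procedure does by hand: it walks the packets of a binary (non-armored) OpenPGP public key block and drops any signature packet whose hashed subpacket area carries a Revocation Key subpacket (type 12, RFC 4880 section 5.2.3.15), which is how a designated revoker is recorded. The sample key bytes are constructed for the example: the packet framing is valid, but the key material and signature values are dummies, and the fingerprint is made up.

```python
"""Added example: find and remove the OpenPGP signature packet that names a
designated revoker. Input is a binary public key block. The SAMPLE_KEY below is
constructed for this example (valid framing, dummy key/signature bytes)."""

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
SIG_DIRECT_KEY = 0x1F            # direct-key signatures usually carry the revoker
SUBPKT_REVOCATION_KEY = 12       # RFC 4880 5.2.3.15: class, algorithm, 20-byte fingerprint


def iter_packets(data):
    """Yield (tag, raw_packet_bytes, body) for each OpenPGP packet (RFC 4880 4.2)."""
    i, n = 0, len(data)
    while i < n:
        start, first = i, data[i]
        i += 1
        if not first & 0x80:
            raise ValueError("bad packet header at offset %d" % start)
        if first & 0x40:                       # new-format header
            tag, b0 = first & 0x3F, data[i]
            i += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[i] + 192
                i += 1
            elif b0 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                     # indeterminate length: runs to end
                length = n - i
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % start)
        i += length
        yield tag, data[start:i], body


def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        b0 = area[i]
        i += 1
        if b0 < 192:
            length = b0
        elif b0 < 255:
            length = ((b0 - 192) << 8) + area[i] + 192
            i += 1
        else:
            length = int.from_bytes(area[i:i + 4], "big")
            i += 4
        yield area[i] & 0x7F, area[i + 1:i + length]   # bit 7 is the "critical" flag
        i += length


def find_revokers(sig_body):
    """Revocation Key subpackets from the *hashed* area of a v4 signature body."""
    if not sig_body or sig_body[0] != 4:
        return []                              # v3 signatures carry no subpackets
    hashed_len = int.from_bytes(sig_body[4:6], "big")
    hashed = sig_body[6:6 + hashed_len]        # the unhashed area is not signed; ignore it
    return [{"sig_type": sig_body[1], "class": d[0], "algo": d[1], "fingerprint": d[2:].hex()}
            for t, d in iter_subpackets(hashed)
            if t == SUBPKT_REVOCATION_KEY and len(d) == 22]


def strip_designated_revokers(keyblock):
    """Return (keyblock minus revoker-bearing signature packets, list of revokers dropped)."""
    kept, removed = [], []
    for tag, raw, body in iter_packets(keyblock):
        revokers = find_revokers(body) if tag == TAG_SIGNATURE else []
        if revokers:
            removed.extend(revokers)
            continue                           # drop the whole signature packet
        kept.append(raw)
    return b"".join(kept), removed


# --- constructed sample key: valid framing, dummy key material and signature values ---
def _pkt(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body          # new-format header, 1-octet length


def _v4_sig(sig_type, hashed_subpackets):
    hashed = b"".join(bytes([len(d) + 1, t]) + d for t, d in hashed_subpackets)
    return (bytes([4, sig_type, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x10\xab\xcd")   # no unhashed area, hash prefix, one MPI


REVOKER_FPR = bytes(range(0x10, 0x24))     # constructed 20-byte fingerprint, not a real key
SAMPLE_KEY = (
    _pkt(TAG_PUBLIC_KEY, b"\x04\x00\x00\x00\x00\x01" + b"\x00\x08\xc7" + b"\x00\x11\x01\x00\x01")
    + _pkt(TAG_SIGNATURE, _v4_sig(SIG_DIRECT_KEY, [(SUBPKT_REVOCATION_KEY, b"\x80\x01" + REVOKER_FPR)]))
    + _pkt(TAG_USER_ID, b"Example User <user@example.test>")
    + _pkt(TAG_SIGNATURE, _v4_sig(0x13, [(2, b"\x00\x00\x00\x00")]))   # ordinary self-signature, kept
)

if __name__ == "__main__":
    cleaned, gone = strip_designated_revokers(SAMPLE_KEY)
    print("tags before:", [t for t, _, _ in iter_packets(SAMPLE_KEY)])
    print("tags after: ", [t for t, _, _ in iter_packets(cleaned)], "removed:", gone)
```

Two points worth keeping in mind when using something like this. First, it only edits the local copy, exactly as the reply above says: any keyserver or correspondent holding the original block still has the revoker signature, and a merge will bring it back. Second, `find_revokers` is just as useful in the other direction, as a check that a key presented to you does or does not name a designated revoker before you rely on it.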
