New Revocation Certificate...

Daniel Kahn Gillmor dkg at
Sun Jun 28 22:55:11 CEST 2009

On 06/28/2009 04:44 PM, Jean-David Beyer wrote:
> If I add a subkey to my key (e.g., because the previous one expired), do I
> have to generate a new revocation certificate, or is the old one still
> good?

I'm assuming you're asking about the revocation certificate for your
entire GnuPG-generated OpenPGP key.

That revocation certificate is designed to revoke the primary key.
Without a valid primary key, all associated subkeys are considered
invalid.  So you should not need to re-generate your revocation
certificate based on a new subkey.

This is because the action triggered by the publication of the
revocation certificate is the invalidation of the primary key.  Make sense?

Hope this helps,
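
Why the old certificate keeps working, as an added example that is not part of the original message: per RFC 4880 section 5.2.4, a key revocation signature (type 0x20) is computed over the primary key packet only, so adding a subkey leaves the signed data unchanged. The key material, timestamps and helper names are constructed for illustration; the keyblock omits the binding signatures a real one carries, and the parser handles only short new-format packets.

```python
import hashlib
import struct

TAG_PUBKEY, TAG_USERID, TAG_SUBKEY = 6, 13, 14  # RFC 4880 section 4.3

def packet(tag, body):
    """Serialize a new-format packet with a one-octet length (body < 192 bytes)."""
    if len(body) >= 192:
        raise ValueError("body too long for this sketch")
    return bytes([0xC0 | tag, len(body)]) + body

def parse_packets(data):
    """Yield (tag, body) for the short new-format packets built by packet()."""
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0xC0 or data[i + 1] >= 192:
            raise ValueError("unsupported packet header")
        length = data[i + 1]
        yield data[i] & 0x3F, data[i + 2:i + 2 + length]
        i += 2 + length

def key_revocation_digest(keyblock, hashed_subpackets):
    """SHA-256 over the data a v4 type-0x20 signature covers (RFC 4880 5.2.4)."""
    # Only the primary key packet is read; user IDs and subkeys are ignored.
    primary = next(b for t, b in parse_packets(keyblock) if t == TAG_PUBKEY)
    # version 4, type 0x20 (key revocation), pubkey algo 1 (RSA), hash algo 8
    sig = bytes([4, 0x20, 1, 8]) + struct.pack(">H", len(hashed_subpackets))
    sig += hashed_subpackets
    h = hashlib.sha256(b"\x99" + struct.pack(">H", len(primary)) + primary)
    h.update(sig)
    h.update(b"\x04\xff" + struct.pack(">I", len(sig)))  # v4 trailer
    return h.hexdigest()

def key_body(created, material):
    """Constructed v4 key packet body: version, creation time, algo, material."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + material

# Constructed sample data, not a real key.
PRIMARY = packet(TAG_PUBKEY, key_body(1230768000, bytes(range(40))))
UID = packet(TAG_USERID, b"Example User <user@example.invalid>")
OLD_SUB = packet(TAG_SUBKEY, key_body(1230768000, bytes(range(40, 80))))
NEW_SUB = packet(TAG_SUBKEY, key_body(1246222511, bytes(range(80, 120))))
# Hashed subpackets: signature creation time (type 2), revocation reason (type 29)
HASHED = bytes([5, 2]) + struct.pack(">I", 1230768100) + bytes([2, 29, 0])

before = key_revocation_digest(PRIMARY + UID + OLD_SUB, HASHED)
after = key_revocation_digest(PRIMARY + UID + OLD_SUB + NEW_SUB, HASHED)
print("unchanged after adding a subkey:", before == after)
```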

