New Revocation Certificate...

Jean-David Beyer jeandavid8 at
Sun Jun 28 23:16:25 CEST 2009

Hash: SHA1

Daniel Kahn Gillmor wrote:
| On 06/28/2009 04:44 PM, Jean-David Beyer wrote:
|> If I add a subkey to my key (e.g., because the previous one expired), do I
|> have to generate a new revocation certificate, or is the old one still
|> good?
| I'm assuming you're asking about the revocation certificate for your
| your entire GnuPG-generated OpenPGP key.
| That revocation certificate is designed to revoke the primary key.
| Without a valid primary key, all associated subkeys are considered
| invalid.  So you should not need to re-generate your revocation
| certificate based on a new subkey.
| This is because the action triggered by the publication of the
| revocation certificate is the invalidation of the primary key.  Make sense?
| Hope this helps,
Fine; it is a nuisance to generate it each time, but I would have hated to
find I could not use it. Yes, that is what I meant. If the primary key is
compromised, I would wish to revoke it and everything on it.

Too bad I would lose all the signatures on it, but since it would be no
good, there would be no sense in transferring the signatures to my new key,
even if that were possible (and I hope it is not).

- --
~  .~.  Jean-David Beyer          Registered Linux User 85642.
~  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
~ /( )\ Shrewsbury, New Jersey
~ ^^-^^ 17:10:01 up 10 days, 3:59, 3 users, load average: 4.84, 4.48, 4.31
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS -


More information about the Gnupg-users mailing list