New Revocation Certificate...

Jean-David Beyer jeandavid8 at verizon.net
Sun Jun 28 23:16:25 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Kahn Gillmor wrote:
| On 06/28/2009 04:44 PM, Jean-David Beyer wrote:
|> If I add a subkey to my key (e.g., because the previous one expired), do I
|> have to generate a new revocation certificate, or is the old one still
|> good?
|
| I'm assuming you're asking about the revocation certificate for your
| entire GnuPG-generated OpenPGP key.
|
| That revocation certificate is designed to revoke the primary key.
| Without a valid primary key, all associated subkeys are considered
| invalid.  So you should not need to re-generate your revocation
| certificate based on a new subkey.
|
| This is because the action triggered by the publication of the
| revocation certificate is the invalidation of the primary key.  Make sense?
|
| Hope this helps,
|
Fine; it is a nuisance to generate it each time, but I would have hated to
find I could not use it. Yes, that is what I meant. If the primary key is
compromised, I would wish to revoke it and everything on it.

Too bad I would lose all the signatures on it, but since it would be no
good, there would be no sense in transferring the signatures to my new key,
even if that were possible (and I hope it is not).

- --
~  .~.  Jean-David Beyer          Registered Linux User 85642.
~  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
~ /( )\ Shrewsbury, New Jersey    http://counter.li.org
~ ^^-^^ 17:10:01 up 10 days, 3:59, 3 users, load average: 4.84, 4.48, 4.31
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFKR92pPtu2XpovyZoRAt3dAKCVERCpnUAcC6gzC22OpP97NgS7DACfel5X
0AoDxHPi87BlpF3P1VHGv9Q=
=UzS0
-----END PGP SIGNATURE-----
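
Added example, not part of the original message and not GnuPG's own code: a small Python reader for a version 4 OpenPGP signature packet (RFC 4880) that shows why the certificate discussed above does not depend on subkeys. A key revocation is signature type 0x20, made over the primary key alone, while revoking a single subkey is a different type (0x28). The sample packet is constructed and carries a filler signature value; all function names are hypothetical.

```python
import struct

# Revoking signature types from RFC 4880 section 5.2.1 and what each one covers.
REVOKES = {0x20: "primary key", 0x28: "one subkey", 0x30: "one certification"}

def read_packet(data):
    """Return (tag, body) of one OpenPGP packet whose length fits a short field."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if (first & 0x40) and data[1] < 192:            # new format, one-octet length
        return first & 0x3F, data[2:2 + data[1]]
    if not (first & 0x40) and (first & 0x03) == 0:  # old format, one-octet length
        return (first >> 2) & 0x0F, data[2:2 + data[1]]
    if not (first & 0x40) and (first & 0x03) == 1:  # old format, two-octet length
        (length,) = struct.unpack(">H", data[1:3])
        return (first >> 2) & 0x0F, data[3:3 + length]
    raise ValueError("length encoding not handled here")

def subpackets(area):
    """Yield (type, data) per subpacket; the length octet counts the type octet."""
    i = 0
    while i < len(area):
        n = area[i]
        if n == 0 or n >= 192:
            raise ValueError("subpacket length not handled here")
        yield area[i + 1] & 0x7F, area[i + 2:i + 1 + n]  # mask the critical bit
        i += 1 + n

def describe_revocation(packet):
    """Report what a revocation signature packet revokes and its reason code."""
    tag, body = read_packet(packet)
    if tag != 2 or len(body) < 6 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    (hashed_len,) = struct.unpack(">H", body[4:6])
    reason = None
    for kind, data in subpackets(body[6:6 + hashed_len]):
        if kind == 29 and data:          # reason for revocation: code + text
            reason = data[0]             # 2 means "key material compromised"
    return {"revokes": REVOKES.get(body[1]), "reason_code": reason}

def sample_certificate(sig_type):
    """Constructed sample packet; timestamp, issuer and signature are filler."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1246223785) + bytes([2, 29, 2])
    unhashed = bytes([9, 16]) + bytes(8)            # issuer key ID placeholder
    body = (bytes([4, sig_type, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + bytes(2) + bytes([0, 1, 1, 0, 1, 1]))  # hash prefix + two dummy MPIs
    return bytes([0x88, len(body)]) + body           # old-format header, tag 2

if __name__ == "__main__":
    print(describe_revocation(sample_certificate(0x20)))
```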


