supersede key on key-server

Werner Koch wk at gnupg.org
Tue Aug 23 09:20:32 CEST 2011


On Mon, 22 Aug 2011 18:44, Mike_Acker at charter.net said:

> result of a search... it would need to first search for the key by
> whatever search text was provided, and then search for hits on the
> fingerprint... if there is a revoke cert then you want to return that.

Keyservers store one copy of a key.  A revocation certificate is nothing
but another copy of the key with a revocation signature.  The keyserver
merges both of them to one key (in OpenPGP parlance a keyblock).

A basic keyblock looks like this:

     Primary_key
     User-Id-1
     Self-signature  -- to bind Primary Key to User-Id-1
     User-Id-2
     Self-signature  -- to bind Primary Key to User-Id-2
     Sub-Key-1
     Self-signature  -- to bind Primary key to Sub-Key-1

etc.  Now a minimal revocation certificate for the entire key is

     Primary_key
     Revocation-signature -- actually a self-signature bound to
                             Primary-Key with a special attribute.

After import, a keyserver or gpg will merge them to this:

     Primary_key
     Revocation-signature -- actually a self-signature bound to
                             Primary-Key with a special attribute.
     User-Id-1
     Self-signature  -- to bind Primary Key to User-Id-1
     User-Id-2
     Self-signature  -- to bind Primary Key to User-Id-2
     Sub-Key-1
     Self-signature  -- to bind Primary key to Sub-Key-1

Keyservers deliver that Keyblock.  It doesn't matter whether you ask for
the keyid or fingerprint of the primary key or of one of the Sub-Keys -
you will always get the above keyblock back.  GPG checks all
self-signatures and revocation-signatures and acts upon them.

You may also revoke just one user Id using this revocation certificate

     Primary_key
     User-Id-1
     Self-signature  -- to bind Primary Key to User-Id-1
     Revocation-Signature -- revoking User-Id-1

After merging this is

     Primary_key
     User-Id-1
     Self-signature  -- to bind Primary Key to User-Id-1
     Revocation-Signature -- revoking User-Id-1
     User-Id-2
     Self-signature  -- to bind Primary Key to User-Id-2
     Sub-Key-1
     Self-signature  -- to bind Primary key to Sub-Key-1

and GPG would mark User-Id-1 as revoked but still allow the use of the
key.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
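The merge behaviour described in the message above (a whole-key revocation certificate merged into the stored keyblock, a user-id revocation merged into it, and the same keyblock being returned whether the lookup is by primary or subkey id) as an added Python model, not code from the message, from GnuPG or from any keyserver. Packets are plain dataclasses, signatures are not cryptographically verified, and the fingerprint, user ids and subkey id are constructed values; the function names (merge, key_revoked, valid_uids, usable, lookup) are this example's own.

```python
from dataclasses import dataclass, field

# Toy model of OpenPGP keyblocks. Real keyblocks are RFC 4880 packet
# sequences and every signature would be verified before being trusted;
# here the point is only how merging and revocation status interact.


@dataclass(frozen=True)
class Sig:
    kind: str    # "selfsig", "key_revocation" or "uid_revocation"
    issuer: str  # fingerprint of the primary key that made the signature
    target: str  # user id or subkey id it binds ("" for a direct-key sig)


@dataclass
class Keyblock:
    primary: str                                  # primary key fingerprint
    key_sigs: list = field(default_factory=list)  # direct-key sigs (revocation)
    uids: dict = field(default_factory=dict)      # user id -> [Sig]
    subkeys: dict = field(default_factory=dict)   # subkey id -> [Sig]


def _union(existing, incoming):
    """Append signatures not already present, keeping the existing order."""
    out = list(existing)
    for s in incoming:
        if s not in out:
            out.append(s)
    return out


def merge(stored, incoming):
    """Merge an incoming keyblock (e.g. a revocation certificate) into the
    stored copy. Nothing is dropped: the revocation signature is simply
    added next to the packets already there, as a keyserver would do."""
    if stored.primary != incoming.primary:
        raise ValueError("keyblocks belong to different primary keys")
    merged = Keyblock(stored.primary, _union(stored.key_sigs, incoming.key_sigs))
    for uid in list(stored.uids) + [u for u in incoming.uids if u not in stored.uids]:
        merged.uids[uid] = _union(stored.uids.get(uid, []), incoming.uids.get(uid, []))
    for sk in list(stored.subkeys) + [s for s in incoming.subkeys if s not in stored.subkeys]:
        merged.subkeys[sk] = _union(stored.subkeys.get(sk, []), incoming.subkeys.get(sk, []))
    return merged


def key_revoked(kb):
    """Whole key revoked: a direct-key revocation issued by the primary key."""
    return any(s.kind == "key_revocation" and s.issuer == kb.primary for s in kb.key_sigs)


def uid_revoked(kb, uid):
    return any(s.kind == "uid_revocation" and s.issuer == kb.primary
               for s in kb.uids.get(uid, []))


def valid_uids(kb):
    """User ids that carry a self-signature and no revocation signature."""
    return [u for u, sigs in kb.uids.items()
            if any(s.kind == "selfsig" and s.issuer == kb.primary for s in sigs)
            and not uid_revoked(kb, u)]


def usable(kb):
    """What a client acts on: key not revoked and at least one valid user id."""
    return not key_revoked(kb) and bool(valid_uids(kb))


def lookup(store, keyid):
    """Keyserver lookup: the same keyblock whether asked by primary or subkey id."""
    for kb in store.values():
        if kb.primary == keyid or keyid in kb.subkeys:
            return kb
    return None


FP = "FP-PRIMARY-0001"  # constructed fingerprint, not a real key


def base_keyblock():
    return Keyblock(
        FP,
        uids={"User-Id-1": [Sig("selfsig", FP, "User-Id-1")],
              "User-Id-2": [Sig("selfsig", FP, "User-Id-2")]},
        subkeys={"SUB-0001": [Sig("selfsig", FP, "SUB-0001")]},
    )


def full_revocation_cert():
    """Minimal certificate revoking the entire key: primary key + revocation sig."""
    return Keyblock(FP, key_sigs=[Sig("key_revocation", FP, "")])


def uid_revocation_cert():
    """Certificate revoking only User-Id-1."""
    return Keyblock(FP, uids={"User-Id-1": [Sig("selfsig", FP, "User-Id-1"),
                                            Sig("uid_revocation", FP, "User-Id-1")]})


def demo():
    store = {FP: base_keyblock()}
    # Case 1: revoke only User-Id-1; the key stays usable through User-Id-2.
    store[FP] = merge(store[FP], uid_revocation_cert())
    after_uid = (usable(store[FP]), valid_uids(store[FP]))
    # Case 2: whole-key revocation; a lookup by subkey id returns that same block.
    store[FP] = merge(store[FP], full_revocation_cert())
    by_subkey = lookup(store, "SUB-0001")
    return after_uid, key_revoked(by_subkey), usable(by_subkey), by_subkey is store[FP]


if __name__ == "__main__":
    print(demo())
```

Merging is a pure union, so importing the same revocation certificate twice leaves one revocation signature; the decision about whether a key or user id is still usable is made entirely by the client reading the merged block, which is why a revocation can never be "lost" on the server.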
