supersede key on key-server
Werner Koch
wk at gnupg.org
Tue Aug 23 09:20:32 CEST 2011
On Mon, 22 Aug 2011 18:44, Mike_Acker at charter.net said:
> result of a search... it would need to first search for the key by
> whatever search text was provided, and then search for hits on the
> fingerprint... if there is a revoke cert then you want to return that.
Keyservers store one copy of a key. A revocation certificate is nothing
but another copy of the key with a revocation signature. The keyserver
merges both of them into one key (in OpenPGP parlance a keyblock).
A basic keyblock looks like this:

  Primary_key
    User-Id-1
      Self-signature -- to bind Primary Key to User-Id-1
    User-Id-2
      Self-signature -- to bind Primary Key to User-Id-2
    Sub-Key-1
      Self-signature -- to bind Primary Key to Sub-Key-1
etc. Now a minimal revocation certificate for the entire key is

  Primary_key
    Revocation-signature -- actually a self-signature bound to
                            Primary-Key with a special attribute.
After import, a keyserver or gpg will merge them to this:

  Primary_key
    Revocation-signature -- actually a self-signature bound to
                            Primary-Key with a special attribute.
    User-Id-1
      Self-signature -- to bind Primary Key to User-Id-1
    User-Id-2
      Self-signature -- to bind Primary Key to User-Id-2
    Sub-Key-1
      Self-signature -- to bind Primary Key to Sub-Key-1
Keyservers deliver that keyblock. It doesn't matter whether you ask for
the keyid or fingerprint of the primary key or of one of the Sub-Keys -
you will always get the above keyblock back. GPG checks all
self-signatures and revocation-signatures and acts upon them.
You may also revoke just one User-Id using this revocation certificate:

  Primary_key
    User-Id-1
      Self-signature -- to bind Primary Key to User-Id-1
      Revocation-Signature -- revoking User-Id-1
After merging this is

  Primary_key
    User-Id-1
      Self-signature -- to bind Primary Key to User-Id-1
      Revocation-Signature -- revoking User-Id-1
    User-Id-2
      Self-signature -- to bind Primary Key to User-Id-2
    Sub-Key-1
      Self-signature -- to bind Primary Key to Sub-Key-1
and GPG would mark User-Id-1 as revoked but still allow the use of the
key.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
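The merge described in the message above, as an added example that is not part of the original post and not GnuPG or keyserver code. It models a keyblock as a flat list of (packet type, value) pairs in the order the message gives (primary key, its direct signatures, then each User ID or subkey followed by the signatures bound to it) and merges two blocks the way a keyserver would: one copy of each component, signatures deduplicated under the component they belong to. Packet contents are constructed placeholder strings, not real OpenPGP packets; the signature-type names (`key-revocation`, `uid-revocation`, `self-signature`) and the helper names are this example's own.

```python
"""Toy model of keyserver keyblock merging (added example, not GnuPG code).

A keyblock is a list of (packet_type, value) pairs. Signature values are
constructed strings of the form "<sig kind> <target>"; real OpenPGP packets
carry binary signature-type codes instead (0x20 key revocation, 0x30 User ID
revocation per RFC 4880), which this model does not parse.
"""

from dataclasses import dataclass, field

KEY, UID, SUBKEY, SIG = "key", "uid", "subkey", "sig"

# Signature kinds used in the constructed sample data (names are assumptions).
SELFSIG = "self-signature"      # binds a User ID or subkey to the primary key
KEY_REVOKE = "key-revocation"   # self-signature with the "revoke whole key" attribute
UID_REVOKE = "uid-revocation"   # revokes one User ID only


@dataclass
class Component:
    """A primary key, User ID or subkey together with the signatures under it."""
    kind: str
    value: str
    sigs: list = field(default_factory=list)


def parse(packets):
    """Group a flat packet list into components; the first packet must be the primary key."""
    if not packets or packets[0][0] != KEY:
        raise ValueError("keyblock must start with the primary key")
    comps = []
    for kind, value in packets:
        if kind == SIG:
            if value not in comps[-1].sigs:   # drop duplicate signatures
                comps[-1].sigs.append(value)
        else:
            comps.append(Component(kind, value))
    return comps


def flatten(comps):
    """Inverse of parse(): components back to the flat packet list."""
    out = []
    for c in comps:
        out.append((c.kind, c.value))
        out.extend((SIG, s) for s in c.sigs)
    return out


def merge(existing, incoming):
    """Merge `incoming` into `existing`, keyserver style: same primary key required,
    each component kept once, new signatures appended under their component."""
    a, b = parse(existing), parse(incoming)
    if a[0].value != b[0].value:
        raise ValueError("refusing to merge keyblocks with different primary keys")
    index = {(c.kind, c.value): c for c in a}
    for c in b:
        target = index.get((c.kind, c.value))
        if target is None:                    # component not seen before
            target = Component(c.kind, c.value)
            a.append(target)
            index[(c.kind, c.value)] = target
        for s in c.sigs:
            if s not in target.sigs:
                target.sigs.append(s)
    return flatten(a)


def key_revoked(keyblock):
    """True if a whole-key revocation signature sits directly under the primary key."""
    return any(s.startswith(KEY_REVOKE) for s in parse(keyblock)[0].sigs)


def revoked_uids(keyblock):
    """User IDs carrying a User-ID revocation signature (key itself may still be usable)."""
    return [c.value for c in parse(keyblock)
            if c.kind == UID and any(s.startswith(UID_REVOKE) for s in c.sigs)]


def lookup(store, key_id):
    """Return the single stored keyblock whose primary key or any subkey matches key_id."""
    for kb in store:
        if any(kind in (KEY, SUBKEY) and value == key_id for kind, value in kb):
            return kb
    return None


# Constructed sample data mirroring the listings in the post (not real key material).
BASIC = [
    (KEY, "PRIMARY"),
    (UID, "User-Id-1"), (SIG, f"{SELFSIG} User-Id-1"),
    (UID, "User-Id-2"), (SIG, f"{SELFSIG} User-Id-2"),
    (SUBKEY, "Sub-Key-1"), (SIG, f"{SELFSIG} Sub-Key-1"),
]
# Minimal revocation certificate for the entire key: primary key plus one signature.
FULL_REVOCATION = [(KEY, "PRIMARY"), (SIG, f"{KEY_REVOKE} PRIMARY")]
# Revocation certificate for User-Id-1 only.
UID_REVOCATION = [(KEY, "PRIMARY"), (UID, "User-Id-1"),
                  (SIG, f"{SELFSIG} User-Id-1"), (SIG, f"{UID_REVOKE} User-Id-1")]
```

`merge(BASIC, FULL_REVOCATION)` yields the second listing from the post (revocation signature directly under the primary key, everything else unchanged), and `lookup` returns that same block whether asked for `"PRIMARY"` or `"Sub-Key-1"`. Merging is idempotent, so re-uploading a revocation certificate adds nothing; it also refuses to merge a block whose primary key differs, which is the check that keeps an unrelated upload from attaching signatures to the wrong key.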