Renewal of revocation certificate required after adding a new identity?
Dr. Peter Voigt
pvoigt at uos.de
Mon Oct 13 18:17:28 CEST 2014
On Mon, 13 Oct 2014 00:35:20 +0200
Hauke Laging <mailinglisten at hauke-laging.de> wrote:
> On Sun, 12.10.2014, 23:35:16, Dr. Peter Voigt wrote:
> > Can I still use my existing revocation certificate with my key pair
>
> Yes.
>
>
Thanks to all who confirmed my assumption.
> > I am supposing the revocation certificate just refers to my main
> > key ID regardless of the identities belonging to the key pair.
>
> To the fingerprint (or: the key data itself).
>
> http://tools.ietf.org/html/rfc4880#section-5.2.1
>
> 0x1F: Signature directly on a key
> This signature is calculated directly on a key. It binds the
> information in the Signature subpackets to the key, and is
> appropriate to be used for subpackets that provide information
> about the key, such as the Revocation Key subpacket. [...]
>
> BTW: You can test this. You don't kill the key / certificate as long
> as you do not upload the revocation certificate to the keyservers.
> Just make a backup of the public and the private keys (maybe not even
> necessary but may be easier).
>
> As long as you import the rev cert just locally you can delete it. Or
> delete (and restore from backup) the whole key if the rev sig cannot
> be deleted alone.
>
To be honest, I have little knowledge about what is going on when a key
pair is revoked. I just know that I would have to import the revocation
certificate into my public keyring. And as soon as I have freshly
published it to a keyserver, my key pair is marked revoked.
I suppose the revocation certificate is a kind of replacement for my
public key. As it is bound to the fingerprint of a key pair, it can mark
the key pair revoked as a whole. I suppose such a key can never be
activated again. This is somewhat opposed to a key pair with all of its
identities being revoked. Some or all identities could later be
activated again and - moreover - this key pair could later even get
new identities that are not revoked.
I would greatly appreciate anybody confirming or correcting my rough
understanding of the revocation certificate and process.
>
> Something else, doesn't have anything to do with your question but
> may be of interest as you work at a university:
>
> http://www.openpgp-schulungen.de/fuer/hochschulen/
>
Nice side information.
>
> Hauke
Regards,
Peter
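The RFC pointer quoted above, worked through as an added example (not code from this thread or from GnuPG): a small parser for the signature packet that a revocation certificate consists of, showing that the only reference it carries is an issuer key ID and a signature type, with no user ID packet anywhere, which is why adding identities does not invalidate it. The same table in RFC 4880 section 5.2.1 lists 0x20 as "Key revocation signature", which is the type `gpg --gen-revoke` emits (`gpg --dearmor` turns its ASCII output into the binary form parsed here). The sample certificate, key ID and timestamp are constructed, and the MPI is a dummy, so the sample is not a verifiable signature.

```python
import struct
from datetime import datetime, timezone

SIG_TYPES = {0x1F: "direct key signature", 0x20: "key revocation",
             0x28: "subkey revocation", 0x30: "certification revocation"}
REASONS = {0: "no reason", 1: "superseded", 2: "compromised", 3: "retired",
           0x20: "user ID no longer valid"}

def subpacket(kind, data):
    """One signature subpacket in the one-byte length form (RFC 4880 5.2.3.1)."""
    return bytes([len(data) + 1, kind]) + data

def build_revocation_cert(key_id, created, reason=0, text=b""):
    """Constructed stand-in for a v4 key-revocation signature (type 0x20); dummy MPI."""
    hashed = subpacket(2, struct.pack(">I", created)) + subpacket(29, bytes([reason]) + text)
    unhashed = subpacket(16, key_id)          # Issuer key ID: the only link to the key
    body = (b"\x04\x20\x01\x08"               # version 4, type 0x20, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                     # left 16 bits of the signed hash
            + struct.pack(">H", 16) + b"\xab\xcd")  # dummy 16-bit MPI, not a real signature
    return b"\x89" + struct.pack(">H", len(body)) + body   # old-format header, tag 2

def split_packet(blob):
    """Return (tag, body) of the first packet; old- and new-format short headers only."""
    if blob[0] & 0x40:                                  # new format, one-byte length
        return blob[0] & 0x3F, blob[2:2 + blob[1]]
    tag, ltype = (blob[0] >> 2) & 0x0F, blob[0] & 3
    if ltype == 1:                                      # two-byte length
        return tag, blob[3:3 + struct.unpack(">H", blob[1:3])[0]]
    return tag, blob[2:2 + blob[1]]                     # one-byte length

def parse_subpackets(buf):
    out, i = {}, 0
    while i < len(buf):
        n = buf[i]                                      # one-byte length form only
        out[buf[i + 1]] = buf[i + 2:i + 1 + n]
        i += 1 + n
    return out

def parse_revocation_cert(blob):
    """Decode the fields that show what the certificate is bound to: key, not user IDs."""
    tag, body = split_packet(blob)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hl = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hl])
    ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]
    unhashed = parse_subpackets(body[8 + hl:8 + hl + ul])
    reason = hashed.get(29, b"\x00")
    return {"sig_type": SIG_TYPES.get(body[1], hex(body[1])),
            "issuer_key_id": (unhashed.get(16) or hashed.get(16, b"")).hex().upper(),
            "created": datetime.fromtimestamp(struct.unpack(">I", hashed[2])[0], timezone.utc),
            "reason": REASONS.get(reason[0], hex(reason[0])),
            "reason_text": reason[1:].decode("utf-8", "replace")}

# Constructed sample: key ID and timestamp are made up, not taken from the thread.
SAMPLE = build_revocation_cert(bytes.fromhex("0123456789ABCDEF"), 1413151200, 3, b"test only")
```

Running `parse_revocation_cert(SAMPLE)` yields the signature type, issuer key ID, creation time and revocation reason; there is no field for a user ID to decode, which is the whole point.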