Renewal of revocation certificate required after adding a new identity?

Dr. Peter Voigt pvoigt at
Mon Oct 13 18:17:28 CEST 2014

On Mon, 13 Oct 2014 00:35:20 +0200
Hauke Laging <mailinglisten at> wrote:

> Am So 12.10.2014, 23:35:16 schrieb Dr. Peter Voigt:
> > Can I still use my existing revocation certificate with my key pair
> Yes.
Thanks to all confirming my assumption.

> > I am supposing the revocation certificate just refers to my main
> > key ID regardless of the identities belonging to the key pair.
> To the fingerprint (or: the key data itself).
> 0x1F: Signature directly on a key
>        This signature is calculated directly on a key.  It binds the
>        information in the Signature subpackets to the key, and is
>        appropriate to be used for subpackets that provide information
>        about the key, such as the Revocation Key subpacket. [...]
> BTW: You can test this. You don't kill the key / certificate as long
> as you do not upload the revocation certificate to the keyservers.
> Just make a backup of the public and the private keys (maybe not even 
> necessary but may be easier).
> As long as you import the rev cert just locally you can delete it. Or 
> delete (and restore from backup) the whole key if the rev sig cannot
> be deleted alone.
To be honest I have little knowledge about what is going on when a key
pair is revoked. I just know that I would have to import the revocation
certificate to my public key ring. And as soon as I have freshly
published it to a keyserver my key pair is marked revoked.

I suppose the revocation certificate being a kind of replacement of my
public key. As it is bound to the fingerprint of a key pair it can mark
the key pair revoked as a whole. I suppose such a key can never be
activated again. This is somewhat opposed to a key pair with all of its
identities being revoked. Some or all identities could later be
activated again and - moreover - this key pair could later even get
new identities not being revoked.

I would greatly appreciate anybody to confirm or correct my rough
understanding of the revocation certificate and process.

> Something else, doesn't have anything to do with your question but
> may be of interest as you work at a university:
Nice side information.

> Hauke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: </pipermail/attachments/20141013/4759d6b6/attachment.sig>

More information about the Gnupg-users mailing list