Renewal of revocation certificate required after adding a new identity?
Dr. Peter Voigt
pvoigt at uos.de
Mon Oct 13 18:17:28 CEST 2014
On Mon, 13 Oct 2014 00:35:20 +0200
Hauke Laging <mailinglisten at hauke-laging.de> wrote:
> On Sun 12.10.2014, 23:35:16, Dr. Peter Voigt wrote:
> > Can I still use my existing revocation certificate with my key pair
Thanks to all for confirming my assumption.
> > I am supposing the revocation certificate just refers to my main
> > key ID regardless of the identities belonging to the key pair.
> To the fingerprint (or: the key data itself).
> 0x1F: Signature directly on a key
> This signature is calculated directly on a key. It binds the
> information in the Signature subpackets to the key, and is
> appropriate to be used for subpackets that provide information
> about the key, such as the Revocation Key subpacket. [...]
> BTW: You can test this. You don't kill the key / certificate as long
> as you do not upload the revocation certificate to the keyservers.
> Just make a backup of the public and the private keys (maybe not even
> necessary but may be easier).
> As long as you import the rev cert just locally you can delete it. Or
> delete (and restore from backup) the whole key if the rev sig cannot
> be deleted alone.
To be honest I have little knowledge about what is going on when a key
pair is revoked. I just know that I would have to import the revocation
certificate to my public key ring. And as soon as I have freshly
published it to a keyserver my key pair is marked revoked.
I suppose the revocation certificate is a kind of replacement for my
public key. As it is bound to the fingerprint of a key pair it can mark
the key pair revoked as a whole. I suppose such a key can never be
activated again. This is somewhat opposed to a key pair with all of its
identities being revoked. Some or all identities could later be
activated again and - moreover - this key pair could later even get
new identities that are not revoked.
I would greatly appreciate it if anybody could confirm or correct my
rough understanding of the revocation certificate and process.
> Something else, doesn't have anything to do with your question but
> may be of interest as you work at a university:
Nice side information.
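Added example, not part of the original message or of GnuPG: a sketch of the RFC 4880 hashing rules showing why a key revocation signature (type 0x20) is independent of the user IDs on the key, while a self-certification (type 0x13) is not. The key material, timestamp and user IDs are constructed, and the signatures are assumed to carry no hashed subpackets to keep the input short.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian integer."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_prefix(key_body: bytes) -> bytes:
    """Key as hashed in fingerprints and signatures: 0x99, 2-byte length, packet body."""
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body

def fingerprint(key_body: bytes) -> str:
    """V4 fingerprint: SHA-1 over the prefixed public key packet body."""
    return hashlib.sha1(key_prefix(key_body)).hexdigest().upper()

def sig_trailer(sig_type: int, hashed_subpackets: bytes = b"") -> bytes:
    """Hashed portion of a V4 signature (RSA=1, SHA-256=8) plus the 04 FF length trailer."""
    hashed = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    return hashed + b"\x04\xff" + struct.pack(">I", len(hashed))

def revocation_digest(key_body: bytes) -> str:
    """Type 0x20 key revocation: only the key being revoked is hashed."""
    return hashlib.sha256(key_prefix(key_body) + sig_trailer(0x20)).hexdigest()

def certification_digest(key_body: bytes, user_id: str) -> str:
    """Type 0x13 certification: key, then 0xB4, 4-byte length, user ID bytes."""
    uid = user_id.encode("utf-8")
    data = key_prefix(key_body) + b"\xb4" + struct.pack(">I", len(uid)) + uid
    return hashlib.sha256(data + sig_trailer(0x13)).hexdigest()

def signed_digests(key_body: bytes, user_ids: list) -> dict:
    """Digests that the revocation and each user ID self-signature would be made over."""
    return {
        "fingerprint": fingerprint(key_body),
        "revocation": revocation_digest(key_body),
        "certifications": {u: certification_digest(key_body, u) for u in user_ids},
    }

# Constructed V4 RSA public key body: version, creation time, algorithm 1, n, e.
# The modulus is a toy value, not a usable key.
KEY_BODY = bytes([4]) + struct.pack(">I", 1413130648) + bytes([1]) + mpi((1 << 511) + 12345) + mpi(65537)

if __name__ == "__main__":
    before = signed_digests(KEY_BODY, ["Alice <alice@example.org>"])
    after = signed_digests(KEY_BODY, ["Alice <alice@example.org>", "Alice <alice@example.net>"])
    print("fingerprint      :", after["fingerprint"])
    print("revocation same  :", before["revocation"] == after["revocation"])
    print("certs per user ID:", len(after["certifications"]))
```

Adding a user ID creates a new certification digest but leaves both the fingerprint and the data covered by the revocation signature unchanged.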