Renewal of revocation certificate required after adding a new identity?

Peter Lebbing peter at digitalbrains.com
Tue Oct 14 11:05:18 CEST 2014


On 13/10/14 21:45, MFPA wrote:
> I would have thought "the whole thing with UID's and signatures and so
> on" was exactly what was being revoked by means of a revocation
> certificate.

Yes, everything is revoked.

But that is implicit. What the revocation actually revokes is the
actual primary key itself. It revokes the same part that the fingerprint
is computed over. Mathematically, it is computed over the numbers that
make up the primary public key and its creation time.

So no matter what UID's or signatures are later added (or already
existed), from the moment the revocation certificate is published and
combined with the primary public key, that public key can never be used
again.

Remember that the original question was: do I need a new revocation
certificate when I add UID's? The answer to that is: no, because the
revocation certificate is not computed over the UID's and hence doesn't
change.

So in that sense the revocation certificate is not bound to the UID's as
I stated. However, it does also revoke the UID's in the sense you mean.

Does this make sense?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
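Peter's point, that a key revocation is computed over the primary key material and its creation time and not over the User IDs, can be checked against the packet formats in RFC 4880 (sections 5.2.4 and 12.2). The following is an added example and not code from this thread or from GnuPG; the RSA numbers, timestamps and User ID are constructed toy values, and SHA-256 is the hash algorithm assumed for the revocation signature.

```python
import hashlib
import struct

KEY_REVOCATION_SIG = 0x20   # signature type 0x20: key revocation (RFC 4880 5.2.1)
PK_ALGO_RSA = 1             # public-key algorithm id for RSA
HASH_ALGO_SHA256 = 8        # hash algorithm id for SHA-256
TAG_PUBLIC_KEY = 6          # packet tag: public-key packet
TAG_USER_ID = 13            # packet tag: User ID packet

def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-octet bit count followed by the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def public_key_body(created: int, n: int, e: int) -> bytes:
    """v4 RSA public-key packet body: version, creation time, algorithm, n, e."""
    return b"\x04" + struct.pack(">I", created) + bytes([PK_ALGO_RSA]) + mpi(n) + mpi(e)

def key_hash_prefix(body: bytes) -> bytes:
    """0x99 + 2-octet length + body: the framing hashed for fingerprints and key signatures."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over the framed public-key packet."""
    return hashlib.sha1(key_hash_prefix(body)).hexdigest().upper()

def revocation_hash_input(packets, sig_created: int) -> bytes:
    """Octets a key-revocation signature covers (RFC 4880 5.2.4): the framed
    primary key packet, the signature's own hashed fields, and the v4 trailer.
    User ID packets in the certificate are never part of it."""
    primary = next(body for tag, body in packets if tag == TAG_PUBLIC_KEY)
    subpackets = bytes([5, 2]) + struct.pack(">I", sig_created)  # type 2: sig creation time
    hashed = (bytes([4, KEY_REVOCATION_SIG, PK_ALGO_RSA, HASH_ALGO_SHA256])
              + struct.pack(">H", len(subpackets)) + subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return key_hash_prefix(primary) + hashed + trailer

def revocation_digest(packets, sig_created: int) -> str:
    """The value the revocation's RSA signature would actually be made over."""
    return hashlib.sha256(revocation_hash_input(packets, sig_created)).hexdigest()

# Constructed toy values (a real key has a 2048-bit or larger modulus).
KEY = public_key_body(created=1413277518, n=3233, e=17)
CERT_ORIGINAL = [(TAG_PUBLIC_KEY, KEY)]
CERT_WITH_NEW_UID = CERT_ORIGINAL + [(TAG_USER_ID, b"Alice <alice@example.invalid>")]

if __name__ == "__main__":
    print(v4_fingerprint(KEY), revocation_digest(CERT_WITH_NEW_UID, 1413300000))
```

Adding the User ID packet leaves both the fingerprint and the revocation digest unchanged, while changing the creation time by one second changes the fingerprint, which is why a stored revocation certificate stays valid after UIDs are added.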
