Automatically generating subkey revocation certificates
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri Dec 27 20:59:52 CET 2019
> On 27 Dec 2019, at 20:52, Werner Koch <wk at gnupg.org> wrote:
> On Thu, 26 Dec 2019 23:04, Dirk-Willem van Gulik said:
>> But this does not seem to happen when doing a --quick-add-key
>> subkey. Is this intentional ? Or is there a flag one can set ?
> Right. If you want to revoke a subkey we can assume that you still have
> access to the primary key and thus it is possible to create a specific
> revocation. If you don't have access to the primary key anymore, a
> subkey revocation does not make sense because you can't create a new one
> - in that case revoke the entire keyblock using the prefabricated
Thanks - had not though of it in that fashion (in our use case - the governance is a bit less personal - and we want to be able to revoke a sub-key without much (additional) interaction -- so pre-generating them & leaving them domestic makes sense).
More information about the Gnupg-users