Automatically generating subkey revocation certificates
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri Dec 27 20:59:52 CET 2019
> On 27 Dec 2019, at 20:52, Werner Koch <wk at gnupg.org> wrote:
>
> On Thu, 26 Dec 2019 23:04, Dirk-Willem van Gulik said:
>
>> But this does not seem to happen when doing a --quick-add-key
>> subkey. Is this intentional ? Or is there a flag one can set ?
>
> Right. If you want to revoke a subkey we can assume that you still have
> access to the primary key and thus it is possible to create a specific
> revocation. If you don't have access to the primary key anymore, a
> subkey revocation does not make sense because you can't create a new one
> - in that case revoke the entire keyblock using the prefabricated
> revocation.
Thanks - had not thought of it in that fashion (in our use case - the governance is a bit less personal - and we want to be able to revoke a sub-key without much (additional) interaction -- so pre-generating them & leaving them domestic makes sense).
Dw