Question: revoking a key without pollution
Martin Blais
blais@iro.umontreal.ca
Sat Dec 15 02:44:01 2001
Hi.
My current secret key has been compromised (literally: my home computer was
stolen this weekend). I will soon regenerate another keypair.
When I publish my new public key, I would like to publish the revocation
certificate for the old key as well, so that my friends do not use it anymore to
send me data, but I would like to avoid publishing the old public key with
it. Even though it will be marked revoked, it would pollute the key rings of
new friends with my old revoked key.
In other words, I want to publish a chunk that contains ONLY:
- my new public key
- a revocation certificate for my old public key
I can only seem to generate a chunk with the following:
- my new public key
- my old public key, along with the revocation certificate.
Is it doable? How do I do it?
I have tried importing the revoked key with a blank db, and gpg DOES add that
revoked key to the ring, which is exactly what I'd like to avoid.
The way I'd expect it to work would be to ignore revoked keys when importing.
When I try to import a simple revocation certificate (without the associated
key), gpg correctly ignores the certificate because it doesn't have the
corresponding key, which is exactly what I want:
lima:~/tmp$ gpg --import D1775F1D.revoke
gpg: Warning: using insecure memory!
gpg: key D1775F1D: no public key - can't apply revocation certificate
gpg: Total number processed: 1
I mean, I could publish the simple revocation certificate itself separately
and ask my friends to import that, but that seems like a pain in the bleep.
I'd rather include it in my new published key chunk.
I've been grinding in the GPG documentation for a while, and I cannot seem to
find an answer to this question. My head spins now.
Thanks for your answers.
Please Cc to blais@iro.umontreal.ca, I'm not a member of this list.
--
M.
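As an added illustration (not part of the post, and not gpg's own code), a small Python packet walker that reports whether an exported chunk carries a second public-key packet alongside the revocation signature. It assumes the RFC 4880 packet layout (old- and new-format headers, v3/v4 signature bodies) and uses constructed placeholder packets rather than real key material.

```python
# Added example (not from the post): counts public-key packets and revocation
# signatures in an OpenPGP export by parsing RFC 4880 old- and new-format packet
# headers. Sample blobs below are constructed placeholders, not real key material.
PUBLIC_KEY, SIGNATURE = 6, 2
REVOCATION_TYPES = {0x20, 0x28, 0x30}  # key, subkey and certification revocation

def iter_packets(blob):
    """Yield (tag, body) per packet; partial body lengths are not supported."""
    i = 0
    while i < len(blob):
        first = blob[i]
        if not first & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if first & 0x40:                              # new-format header
            tag, l0, i = first & 0x3F, blob[i], i + 1
            if l0 < 192:
                n = l0
            elif l0 < 224:
                n, i = ((l0 - 192) << 8) + blob[i] + 192, i + 1
            elif l0 == 255:
                n, i = int.from_bytes(blob[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length at offset %d" % i)
        else:                                         # old-format header
            tag, size = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 3]
            n = int.from_bytes(blob[i:i + size], "big") if size else len(blob) - i
            i += size
        yield tag, blob[i:i + n]
        i += n

def signature_type(body):
    """Signature type octet: byte 1 of a v4 signature body, byte 2 of a v3 one."""
    return body[2] if body[0] == 3 else body[1]

def summarize(blob):
    """Return how many public-key packets and revocation signatures blob holds."""
    keys = revs = 0
    for tag, body in iter_packets(blob):
        if tag == PUBLIC_KEY:
            keys += 1
        elif tag == SIGNATURE and signature_type(body) in REVOCATION_TYPES:
            revs += 1
    return {"public_keys": keys, "revocations": revs}

# Constructed stand-ins (old-format headers, one-octet length): 0x98 = public key,
# 0x88 = signature; the signature body is v4 with type 0x20 = key revocation.
NEW_KEY = b"\x98\x04\x04new"
OLD_KEY = b"\x98\x04\x04old"
REVOCATION = b"\x88\x05\x04\x20rev"
```

Running `summarize(NEW_KEY + REVOCATION)` versus `summarize(NEW_KEY + OLD_KEY + REVOCATION)` shows the difference between the chunk the post wants (one public key, one revocation) and the one gpg produces when the revoked key is exported alongside.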