Question: revoking a key without pollution

David Shaw dshaw@jabberwocky.com
Wed Dec 19 01:06:02 2001


On Fri, Dec 14, 2001 at 08:41:14PM -0500, Martin Blais wrote:

> My current secret key has been compromised (literally: my home
> computer was stolen this weekend).  I will soon regenerate another
> keypair.
>
> When I publish my new public key, I would like to publish the
> revocation certificate for the old key as well, so that my friends
> do not use it anymore to send me data, but I would like to avoid
> publishing the old public key with it. Even though it will be marked
> revoked, it would pollute the key rings of new friends with my old
> revoked key.
>
> In other words, I want to publish a chunk that contains ONLY:
>
>  - my new public key
>  - a revocation certificate for my old public key
>
> I can only seem to generate a chunk with the following:
>
>  - my new public key
>  - my old public key, along with the revocation certificate.

Try this:

gpg --gen-revoke (old_keyid) > data.asc
gpg --armor --export (new_keyid) >> data.asc

If you already have the revocation certificate for your old key handy,
you can just copy it to data.asc.  The important thing here is that
you append the new key information to the same file.

Distribute the resulting data.asc to your friends.  If they have your
old key, it'll be revoked.  If they don't have your old key, they'll
see an error ("can't apply revocation certificate") which they can
ignore.

Either way, they'll get the new key.

Note that this trick works with GnuPG.  It probably won't work with
PGP (and almost certainly won't work if you send the file to a
keyserver).

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

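An added check for the combined data.asc described above (example code, not part of the original message or of GnuPG): because a revocation certificate and an exported key can both be armored as "PGP PUBLIC KEY BLOCK", the armor header alone does not show what the file contains. This script splits a file into its armored blocks, verifies each block's CRC24 (RFC 4880 section 6.1) and reports the first OpenPGP packet tag in each: a standalone revocation certificate starts with a signature packet (tag 2), an exported key with a public-key packet (tag 6). The sample blocks are constructed from truncated packet headers, not real keys.

```python
import base64
import re

# One armored block: BEGIN line, optional "Key: value" headers, blank line,
# base64 body, "=CRC" line, END line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\n(?:[^\n]*: [^\n]*\n)*\n"
    r"(.*?)\n=([A-Za-z0-9+/]{4})\n-----END PGP \1-----",
    re.S,
)

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Wrap raw packet bytes in an armored block (no armor headers)."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n={crc}\n-----END PGP {kind}-----\n"

def packet_tag(payload: bytes) -> int:
    """Tag of the first OpenPGP packet; handles old- and new-format headers."""
    ctb = payload[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F

def classify(text: str) -> list:
    """Return what each armored block in `text` starts with, after checking its CRC."""
    kinds = []
    for m in ARMOR_RE.finditer(text):
        body = base64.b64decode("".join(m.group(2).split()))
        if crc24(body) != int.from_bytes(base64.b64decode(m.group(3)), "big"):
            raise ValueError(f"bad armor checksum in {m.group(1)} block")
        tag = packet_tag(body)
        kinds.append({2: "revocation signature", 6: "public key"}.get(tag, f"tag {tag}"))
    return kinds

def build_sample() -> str:
    """Constructed stand-in for data.asc: truncated packet headers only, not real keys."""
    revocation = b"\x88\x05\x04\x20\x01\x08\x00"  # tag 2 signature, v4, type 0x20 (key revocation)
    public_key = b"\x99\x00\x06\x04\x3c\x1f\xd9\x66\x01"  # tag 6 public key, v4, RSA
    return armor("PUBLIC KEY BLOCK", revocation) + armor("PUBLIC KEY BLOCK", public_key)

if __name__ == "__main__":
    print(classify(build_sample()))  # ['revocation signature', 'public key']
```

Run it against a real data.asc by passing the file's contents to classify(); the expected result for the recipe above is a revocation signature block followed by a public key block.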