OpenPGP key revocation is the action that marks an OpenPGP public key as no longer usable.
OpenPGP key revocation basics
OpenPGP key revocation must be performed when our private key has been compromised or is no longer needed. Internally, the revocation process appends a special revocation signature to the public key; from then on, OpenPGP software treats the key as unusable for encryption and signature verification.
Possible reasons for such action are when:
- someone steals our private key and password
- we have generated a new stronger key pair and the old one is not needed any more
- the password for the private key has been lost (in this case only a designated revoker or a previously generated revocation certificate can revoke the key)
There are three ways to revoke a key described in the OpenPGP standard: directly, with a revocation certificate and through a designated revoker key.
When we revoke a key we have to specify a revocation reason code and an optional description note. The possible revocation reason codes are:

/** No reason specified */
RevocationLib.REASON_NO_REASON

/** Key is superseded */
RevocationLib.REASON_KEY_SUPERSEDED

/** Key has been compromised */
RevocationLib.REASON_KEY_COMPROMISED

/** Key is no longer used */
RevocationLib.REASON_KEY_NO_LONGER_USED

/** User ID is no longer used */
RevocationLib.REASON_USER_NO_LONGER_USED
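The direct revocation described above, together with the check a recipient's software performs before trusting it, as an added Java example. It is written against the Bouncy Castle OpenPGP API rather than the library this page documents; the RevocationReasonTags constants carry the same RFC 4880 reason codes as the REASON_* constants listed above. The secret key file path and passphrase are read from the command line and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.util.Iterator;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.bcpg.sig.RevocationReason;
import org.bouncycastle.bcpg.sig.RevocationReasonTags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.jcajce.*;

public class DirectKeyRevocation {

    /** Appends a KEY_REVOCATION (0x20) self-signature with a reason subpacket to the public key. */
    public static PGPPublicKey revoke(PGPSecretKey secret, char[] passphrase,
                                      byte reasonCode, String description) throws Exception {
        PGPPrivateKey priv = secret.extractPrivateKey(
            new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(passphrase));
        PGPPublicKey pub = secret.getPublicKey();
        PGPSignatureGenerator gen = new PGPSignatureGenerator(
            new JcaPGPContentSignerBuilder(pub.getAlgorithm(), HashAlgorithmTags.SHA256).setProvider("BC"));
        gen.init(PGPSignature.KEY_REVOCATION, priv);
        // Reason code and optional note travel in a hashed (signed) subpacket
        PGPSignatureSubpacketGenerator sub = new PGPSignatureSubpacketGenerator();
        sub.setRevocationReason(false, reasonCode, description);
        gen.setHashedSubpackets(sub.generate());
        return PGPPublicKey.addCertification(pub, gen.generateCertification(pub));
    }

    /** What a verifying party does: locate the revocation, verify it against the key, read the reason. */
    public static String checkRevocation(PGPPublicKey pub) throws Exception {
        Iterator<?> sigs = pub.getSignaturesOfType(PGPSignature.KEY_REVOCATION);
        if (!sigs.hasNext()) return "not revoked";
        PGPSignature sig = (PGPSignature) sigs.next();
        sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), pub);
        // An unverifiable revocation must be ignored, otherwise anyone could "revoke" any key
        if (!sig.verifyCertification(pub)) return "revocation signature invalid, ignored";
        RevocationReason r = sig.getHashedSubPackets().getRevocationReason();
        return "revoked, reason code " + r.getRevocationReason() + ": " + r.getRevocationDescription();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // args[0]: secret key ring file (hypothetical path), args[1]: its passphrase
        try (InputStream in = new FileInputStream(args[0])) {
            PGPSecretKeyRing ring = new PGPSecretKeyRing(
                PGPUtil.getDecoderStream(in), new JcaKeyFingerprintCalculator());
            PGPPublicKey revoked = revoke(ring.getSecretKey(), args[1].toCharArray(),
                RevocationReasonTags.KEY_COMPROMISED, "private key and password were stolen");
            System.out.println(checkRevocation(revoked));
        }
    }
}
```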
Refer to the chapters below for detailed examples that demonstrate how to perform OpenPGP key revocation in Java:
Revoke a public key directly (direct key revocation),