Introduction to OpenPGP key revocation
OpenPGP key revocation is the process of appending a special revocation signature to an OpenPGP public key that marks it as no longer usable. Once the revoked key is redistributed (for example, re-uploaded to a key server or sent to your correspondents), OpenPGP software that receives it will stop encrypting to it and will treat it as invalid.
In this chapter we are going to discuss the reasons for revoking a key, how we can revoke a key, and the standard revocation reason codes.
A key is typically revoked when the private key (or the passphrase protecting it) has been compromised, when the private key has been lost, or when a newer key has been issued to replace it. Note that the second case is the awkward one: a lost private key cannot sign its own revocation, which is why a revocation certificate or a designated revoker should be prepared in advance, while the key is still available.
How to revoke
The ways to revoke a key provided by DidiSoft OpenPGP Library for .NET are:
1. Direct key revocation – revoke the public key by signing it as revoked with the corresponding private key
2. With a revocation certificate – create a special revocation certificate upfront, while the private key is still available, and use it later to revoke the public key
3. With a designated revoker – mark a third party's public key as a designated revoker and let that party revoke the public key later with its own private key
Revocation codes
When we revoke an OpenPGP public key we can specify a revocation reason code and an optional custom description. Choose the code that matches the situation: "compromised" tells verifiers that the key material may be in someone else's hands and that signatures made with the key should no longer be trusted, whereas "superseded" and "no longer used" signal an orderly retirement of the key. The standard revocation reason codes specified in the OpenPGP RFC are exposed by the library as follows:
/// No reason specified
RevocationLib.REASON_NO_REASON;
/// The key is superseded
RevocationLib.REASON_KEY_SUPERSEDED;
/// The key has been compromised
RevocationLib.REASON_KEY_COMPROMISED;
/// The key is no longer used
RevocationLib.REASON_KEY_NO_LONGER_USED;
/// The User ID is no longer used
RevocationLib.REASON_USER_NO_LONGER_USED;
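To make the reason codes above concrete, here is an added example (not code from the DidiSoft library or from this page) that encodes and decodes the "Reason for Revocation" signature subpacket (type 29) that a revocation signature carries on the wire. The numeric values 0, 1, 2, 3 and 32 are the ones defined in RFC 4880 section 5.2.3.23; the mapping of those values to the library's REASON_* constant names is assumed from the names, and the sample descriptions are constructed for the example.

```python
# Added example, not DidiSoft library code: RFC 4880 "Reason for Revocation"
# subpacket (type 29) encoding and decoding. The REASON_* names are assumed to
# correspond to the library constants listed above; the numeric codes are the
# ones defined in RFC 4880 section 5.2.3.23.
from typing import Dict, Tuple

SUBPACKET_REASON_FOR_REVOCATION = 29  # subpacket type, RFC 4880 section 5.2.3.1
CRITICAL_BIT = 0x80                   # high bit of the type octet marks a critical subpacket

# Revocation reason codes from RFC 4880 section 5.2.3.23 (names assumed from the library).
REASON_CODES: Dict[str, int] = {
    "REASON_NO_REASON": 0,             # No reason specified
    "REASON_KEY_SUPERSEDED": 1,        # Key is superseded
    "REASON_KEY_COMPROMISED": 2,       # Key material has been compromised
    "REASON_KEY_NO_LONGER_USED": 3,    # Key is retired and no longer used
    "REASON_USER_NO_LONGER_USED": 32,  # User ID information is no longer valid
}
CODE_NAMES = {value: name for name, value in REASON_CODES.items()}


def _encode_subpacket_length(length: int) -> bytes:
    """Subpacket length field per RFC 4880 section 5.2.3.1: 1, 2 or 5 octets."""
    if length < 192:
        return bytes([length])
    if length < 16320:
        length -= 192
        return bytes([(length >> 8) + 192, length & 0xFF])
    return b"\xff" + length.to_bytes(4, "big")


def _decode_subpacket_length(data: bytes, offset: int) -> Tuple[int, int]:
    """Return (length, offset of the first body octet) for a length field at offset."""
    first = data[offset]
    if first < 192:
        return first, offset + 1
    if first < 255:
        return ((first - 192) << 8) + data[offset + 1] + 192, offset + 2
    return int.from_bytes(data[offset + 1:offset + 5], "big"), offset + 5


def encode_reason_subpacket(code: int, description: str = "") -> bytes:
    """Build a complete subpacket: length, type octet, reason code, UTF-8 description."""
    if code not in CODE_NAMES:
        raise ValueError(f"unknown revocation reason code {code}")
    body = bytes([SUBPACKET_REASON_FOR_REVOCATION, code]) + description.encode("utf-8")
    return _encode_subpacket_length(len(body)) + body


def decode_reason_subpacket(data: bytes) -> Tuple[str, str]:
    """Parse one subpacket and return (reason name, description).

    The reason code is informational: the revocation signature revokes the key
    whatever the code says, so an unknown code is reported as UNKNOWN_<n> rather
    than rejected. The description comes from the signer and may be hostile, so
    undecodable UTF-8 is replaced instead of crashing the verifier.
    """
    length, offset = _decode_subpacket_length(data, 0)
    end = offset + length
    if length < 2 or end > len(data):
        raise ValueError("truncated Reason for Revocation subpacket")
    if data[offset] & ~CRITICAL_BIT != SUBPACKET_REASON_FOR_REVOCATION:
        raise ValueError(f"not a Reason for Revocation subpacket (type {data[offset] & 0x7F})")
    code = data[offset + 1]
    description = data[offset + 2:end].decode("utf-8", errors="replace")
    return CODE_NAMES.get(code, f"UNKNOWN_{code}"), description


if __name__ == "__main__":
    # Constructed sample: a revocation after a stolen laptop.
    packet = encode_reason_subpacket(REASON_CODES["REASON_KEY_COMPROMISED"], "laptop stolen")
    print(packet.hex())
    print(decode_reason_subpacket(packet))
```

The round trip shows why the description is free text while the code is not: a verifier can act on the code (for example, distrust everything signed by a compromised key) without having to interpret a human-readable string.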
Summary
This chapter was a short introduction to OpenPGP key revocation. It discussed the reasons for revoking a key, the three ways the library offers to revoke a key, and the standard revocation reason codes.
Related reading: Direct key revocation, Revocation certificate, Designated revoker