How should GnuPG’s `--desig-revoke` command be used

gnupg, pgp, public-key

How should the GnuPG command --desig-revoke be used, and in which cases should you use it? According to the manual:

--desig-revoke name
Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone else's key.

And there is a related action in --edit-key:

addrevoker
Add a designated revoker to the key. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options).

Second, is this ability to allow someone else to revoke your PGP key GnuPG-specific, or is it part of the OpenPGP standard?

Best Answer

Delegating revocations

How should the GnuPG command --desig-revoke be used?

The command --desig-revoke adds a special kind of signature to your public key which allows another key (which you specify) to create revocation certificates for your key at a later date. Running the command does not actually create a revocation certificate, it just publicly allows others to do so. Regard it as a delegation of revocation.

Running gpg --edit-key, followed by addrevoker, does exactly the same thing, but from within the key edit menu.

Use Cases

... and in which cases should you use it?

This can be especially useful for larger organizations, where central revocation of employee keys might be useful.

I can also imagine that users of shared keys, where only multiple users together can use the key (so the secret key is distributed), might want to use this option, so every user can individually revoke the key. Imagine a situation where one of the group died, or they became antagonistic.

A third use case would be giving a trusted friend the capability to revoke your key, similar to handing him a printed revocation certificate for safekeeping.

Revocation Keys are Standardized

Is this ability to allow someone else to revoke your PGP key GnuPG-specific, or is it part of the OpenPGP standard?

Specifying revocation keys is defined by OpenPGP, RFC 4880, so it is not specific to GnuPG.
