Discuss this help topic in SecureBlackbox Forum

Revoke an OpenPGP key

In the OpenPGP infrastructure, keys are revoked by adding a dedicated 'revocation signature' to the list of signatures attached to the key. Normally keys are revoked by the party that issued them (e.g. the primary key owner), but in general the OpenPGP standard allows any secret key to be used to revoke any public key association. This might be useful in complicated environments with advanced trust policies.

To revoke a key, you will need:

  • The revoking key (revokingKey object). This should be a secret key object of TElPGPSecretKey or TElPGPCustomSecretKey type with its password known to you, as it is going to be used to create the revocation signature.
  • The user object (TElPGPUserID) referencing the user to whom the key being revoked belongs (optional: needed only if the signature being revoked is a key-to-user binding).
  • The public key object being revoked (publicKey, of TElPGPPublicKey or TElPGPPublicSubkey type).

To revoke the key-to-user binding, do the following:

  1. Create a brand new TElPGPSignature object (sig), which will receive the revocation signature.
  2. Call revokingKey.Revoke(publicKey, user, sig, null);
  3. Add the initialized signature to the list of signatures attached to the user.

To revoke a key, use a different revocation method:

  1. Create a brand new TElPGPSignature object (sig), which will receive the revocation signature.
  2. Call revokingKey.Revoke(publicKey, sig);
  3. Add the initialized signature to the list of signatures attached to the revoked key.

To revoke a signature, use one of the TElPGPCustomSecretKey methods: Revoke() or DirectRevoke(), depending on the signature type.

To revoke a direct key signature, call the TElPGPCustomSecretKey.DirectRevoke() method and pass the following parameters: Key (the key or subkey to be revoked), Signature (receives the revocation signature) and RevokedSignature (the signature to be revoked).

To revoke other kinds of signatures, use the TElPGPCustomSecretKey.Revoke() method.

Set revocation reason and comment

If you only need to provide a comment (without a reason), just assign the comment to the ReasonForRevocation property of the TElPGPSignature object; the corresponding extension subpacket is created automatically.

If you also need to record the reason, use the following code as an example. It works the same way as configuring the key flags.

	// Add a "reason for revocation" subpacket to the signature and get its index
	int idx = sig.AddExtension(SBPGPUtils.TSBPGPSignatureExtension.seReasonForRevocation, true, false);
	// Fetch the newly created subpacket object so its fields can be filled in
	TElPGPReasonForRevocationSignatureSubpacket rrpkt = (TElPGPReasonForRevocationSignatureSubpacket)sig.get_Extensions(idx);
	rrpkt.Reason = SBPGPEntities.Unit.rrKeyCompromised;   // machine-readable reason code
	rrpkt.Comment = "The key has been compromised";        // free-text explanation
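The two revocation procedures above (key-to-user binding and whole key), carried through with the reason subpacket, as an added example that is not part of the SecureBlackbox documentation. Assumed names: the SBPGPKeys namespace, the Passphrase property on TElPGPSecretKey, AddSignature() on TElPGPUserID and TElPGPPublicKey, and that Revoke() computes the signature, so the reason subpacket is added before the call to be covered by it.

```csharp
using SBPGPKeys;      // assumed namespace for the key, user and signature classes
using SBPGPUtils;
using SBPGPEntities;

static class PgpRevocation
{
    // Attaches a reason-for-revocation subpacket (code + comment) to a
    // not-yet-computed revocation signature. Uses the calls shown on this page.
    static void SetReason(TElPGPSignature sig, string comment)
    {
        int idx = sig.AddExtension(SBPGPUtils.TSBPGPSignatureExtension.seReasonForRevocation, true, false);
        var rrpkt = (TElPGPReasonForRevocationSignatureSubpacket)sig.get_Extensions(idx);
        rrpkt.Reason = SBPGPEntities.Unit.rrKeyCompromised; // the only reason code shown on the page
        rrpkt.Comment = comment;
    }

    // Revokes the key-to-user binding between publicKey and user and returns the
    // revocation signature so the caller can export or audit it.
    public static TElPGPSignature RevokeUserBinding(TElPGPSecretKey revokingKey, string passphrase,
        TElPGPPublicKey publicKey, TElPGPUserID user, string comment)
    {
        revokingKey.Passphrase = passphrase;            // assumed property name
        TElPGPSignature sig = new TElPGPSignature();    // step 1: fresh signature object
        SetReason(sig, comment);                        // subpacket must exist before signing (assumed)
        revokingKey.Revoke(publicKey, user, sig, null); // step 2: create the revocation signature
        user.AddSignature(sig);                         // step 3: attach it to the user (assumed name)
        return sig;
    }

    // Revokes the key (or subkey) itself; the signature is attached to the key.
    public static TElPGPSignature RevokeKey(TElPGPSecretKey revokingKey, string passphrase,
        TElPGPPublicKey publicKey, string comment)
    {
        revokingKey.Passphrase = passphrase;            // assumed property name
        TElPGPSignature sig = new TElPGPSignature();    // step 1
        SetReason(sig, comment);
        revokingKey.Revoke(publicKey, sig);             // step 2: key revocation overload
        publicKey.AddSignature(sig);                    // step 3 (assumed name)
        return sig;
    }
}
```

After revoking, re-export the public key (with the new signature attached) and distribute it wherever the old key was published, otherwise relying parties keep trusting the unrevoked copy.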
