On Mon, 22 Aug 2011 18:44, mike_ac...@charter.net said:

> result of a search... it would need to first search for the key by
> whatever search text was provided, and then search for hits on the
> fingerprint... if there is a revoke cert then you want to return that.

Keyservers store one copy of a key.  A revocation certificate is
nothing but another copy of the key with a revocation signature.  The
keyserver merges both of them to one key (in OpenPGP parlance a
keyblock).  A basic keyblock looks like this:

  Primary_key
  User-Id-1
  Self-signature        -- to bind Primary Key to User-Id-1
  User-Id-2
  Self-signature        -- to bind Primary Key to User-Id-2
  Sub-Key-1
  Self-signature        -- to bind Primary key to Sub-Key-1

etc.  Now a minimal revocation certificate for the entire key is

  Primary_key
  Revocation-signature  -- actually a self-signature bound to
                           Primary-Key with a special attribute.

After import, a keyserver or gpg will merge them to this:

  Primary_key
  Revocation-signature  -- actually a self-signature bound to
                           Primary-Key with a special attribute.
  User-Id-1
  Self-signature        -- to bind Primary Key to User-Id-1
  User-Id-2
  Self-signature        -- to bind Primary Key to User-Id-2
  Sub-Key-1
  Self-signature        -- to bind Primary key to Sub-Key-1

Keyservers deliver that Keyblock.  It doesn't matter whether you ask
for the keyid or fingerprint of the primary key or of one of the
Sub-Keys - you will always get the above keyblock back.  GPG checks all
self-signatures and revocation-signatures and acts upon them.

You may also revoke just one user Id using this revocation certificate:

  Primary_key
  User-Id-1
  Self-signature        -- to bind Primary Key to User-Id-1
  Revocation-Signature  -- revoking User-Id-1

After merging this is

  Primary_key
  User-Id-1
  Self-signature        -- to bind Primary Key to User-Id-1
  Revocation-Signature  -- revoking User-Id-1
  User-Id-2
  Self-signature        -- to bind Primary Key to User-Id-2
  Sub-Key-1
  Self-signature        -- to bind Primary key to Sub-Key-1

and GPG would mark User-Id-1 as revoked but still allow the use of the
key.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
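The merge and lookup behaviour described in the message above, as an added Python sketch that is not part of the original mail and not GnuPG or keyserver code. It is a simplified model: the dict layout, the `self-sig` / `revocation-sig` labels and the ids are assumptions, and no real OpenPGP packet parsing or signature verification is done.

```python
# Simplified model: a keyblock is a dict, a signature is a label string.
# No real OpenPGP packet parsing or signature verification is done here.

def merge(stored, incoming):
    """Merge two copies of the same key into one keyblock."""
    if stored["primary"] != incoming["primary"]:
        raise ValueError("copies of different primary keys are never merged")
    out = {"primary": stored["primary"], "key_sigs": [], "uids": {}, "subkeys": {}}
    for block in (stored, incoming):
        for sig in block.get("key_sigs", []):
            if sig not in out["key_sigs"]:
                out["key_sigs"].append(sig)
        for part in ("uids", "subkeys"):
            for name, sigs in block.get(part, {}).items():
                slot = out[part].setdefault(name, [])
                for sig in sigs:
                    if sig not in slot:
                        slot.append(sig)
    return out

class KeyServer:
    """Stores exactly one merged keyblock per primary key."""
    def __init__(self):
        self.blocks = {}

    def submit(self, block):
        old = self.blocks.get(block["primary"])
        self.blocks[block["primary"]] = merge(old, block) if old else merge(block, block)

    def lookup(self, key_id):
        # Primary key id or any subkey id returns the same whole keyblock.
        for block in self.blocks.values():
            if key_id == block["primary"] or key_id in block["subkeys"]:
                return block
        return None

def status(block):
    """What a client concludes after checking the merged signatures."""
    revoked = "revocation-sig" in block["key_sigs"]
    bad_uids = [u for u, s in block["uids"].items() if "revocation-sig" in s]
    return {"key_revoked": revoked, "revoked_uids": bad_uids, "usable": not revoked}

# Constructed sample data (ids are placeholders, not real keys).
FULL_KEY = {"primary": "PRIMARY-A", "key_sigs": [],
            "uids": {"User-Id-1": ["self-sig"], "User-Id-2": ["self-sig"]},
            "subkeys": {"SUBKEY-A1": ["self-sig"]}}
KEY_REVOCATION = {"primary": "PRIMARY-A", "key_sigs": ["revocation-sig"]}
UID_REVOCATION = {"primary": "PRIMARY-A",
                  "uids": {"User-Id-1": ["self-sig", "revocation-sig"]}}
```

Submitting `FULL_KEY` and then `KEY_REVOCATION` to one `KeyServer` and looking up either `PRIMARY-A` or `SUBKEY-A1` returns the same revoked keyblock; submitting `UID_REVOCATION` instead leaves the key usable with only `User-Id-1` marked revoked.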