How should GnuPG's `--desig-revoke` command be used?
How should the GnuPG command `--desig-revoke` be used, and in which cases should you use it? According to the manual:

> `--desig-revoke name`
> Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone else's key.

And there is a related action in `--edit-key`:

> `addrevoker`
> Add a designated revoker to the key. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options).
Second, is this ability to allow someone else to revoke your PGP key GnuPG-specific, or is it part of the OpenPGP standard?
Delegating revocations
How should the GnuPG command `--desig-revoke` be used?

The command `--desig-revoke` adds a special kind of signature to your public key which allows another key (which you specify) to create revocation certificates for your key at a later date. Running the command does not actually create a revocation certificate; it just publicly allows others to do so. Regard it as a delegation of revocation.
Running `gpg --edit-key`, followed by `addrevoker`, does exactly the same thing, but from within the key edit menu.
Use Cases
... and in which cases should you use it?
This can be especially useful for larger organizations, where central revocation of employee keys might be useful.
I can also imagine that when using shared keys, where only multiple users together can use the key (so the secret key is distributed), you might want to use this option, so every user can individually revoke the key. Imagine a situation where one of the group died, or they antagonized.
A third use case would be giving a trusted friend the capability to revoke your key, similar to handing over a printed revocation certificate for him to store.
Revocation Keys are Standardized
Is this ability to allow someone else to revoke your PGP key GnuPG-specific, or is it part of the OpenPGP standard?
Specifying revocation keys is defined by OpenPGP, RFC 4880, so it is not specific to GnuPG.
In case people (like me) get confused, there was some additional clarification provided in "How to generate the revocation certificate after being made a revoker with GnuPG". The `--edit-key`/`addrevoker` command is used to grant permission for someone else to generate the revocation certificate; that someone else uses `--desig-revoke` to actually generate the certificate.
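The answer above says designated revokers are defined by RFC 4880 rather than being a GnuPG invention. What `addrevoker` actually stores is a "Revocation Key" signature subpacket (type 12, RFC 4880 §5.2.3.15) inside the key's self-signature: one class octet (bit 0x80 mandatory, bit 0x40 meaning "sensitive"), the revoker's public-key algorithm ID, and the revoker's 20-octet fingerprint. The following is an added example, not code from the question, the answer or GnuPG: it encodes and decodes that subpacket and walks a hashed-subpacket area so you can see the difference between an ordinary and a sensitive revoker. The fingerprints and the sample subpacket area are constructed for the example.

```python
"""Encode and decode OpenPGP "Revocation Key" subpackets (RFC 4880 section 5.2.3.15).

This is the structure `gpg --edit-key <key>` / `addrevoker` adds to a key's
self-signature. Example code; not part of GnuPG.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SUBPACKET_REVOCATION_KEY = 12   # subpacket type for "Revocation Key"
CLASS_REQUIRED_BIT = 0x80       # RFC 4880: the class octet MUST have this bit set
CLASS_SENSITIVE_BIT = 0x40      # "sensitive": GnuPG does not export it by default
SUBPACKET_CRITICAL_BIT = 0x80   # high bit of the subpacket type octet


@dataclass(frozen=True)
class RevocationKey:
    algorithm_id: int
    fingerprint: bytes
    sensitive: bool
    critical: bool


def _read_subpacket_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, next_pos) for the 1/2/5-octet length form of RFC 4880 section 5.2.3.1."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5


def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (type, critical, body) for every subpacket in a hashed/unhashed subpacket area."""
    pos = 0
    while pos < len(area):
        try:
            length, pos = _read_subpacket_length(area, pos)
        except IndexError:
            raise ValueError("truncated subpacket length at offset %d" % pos)
        # The length covers the type octet plus the body.
        if length < 1 or pos + length > len(area):
            raise ValueError("malformed subpacket at offset %d" % pos)
        type_octet = area[pos]
        body = area[pos + 1:pos + length]
        yield type_octet & 0x7F, bool(type_octet & SUBPACKET_CRITICAL_BIT), body
        pos += length


def parse_revocation_keys(area: bytes) -> List[RevocationKey]:
    """Extract all designated revokers from a subpacket area, validating the class octet."""
    keys = []
    for sp_type, critical, body in iter_subpackets(area):
        if sp_type != SUBPACKET_REVOCATION_KEY:
            continue
        if len(body) != 22:  # class (1) + algorithm (1) + v4 fingerprint (20)
            raise ValueError("revocation key subpacket must be 22 octets, got %d" % len(body))
        cls, algo, fpr = body[0], body[1], body[2:]
        if not cls & CLASS_REQUIRED_BIT:
            raise ValueError("revocation key class octet lacks the mandatory 0x80 bit")
        keys.append(RevocationKey(algo, fpr, bool(cls & CLASS_SENSITIVE_BIT), critical))
    return keys


def encode_revocation_key(algorithm_id: int, fingerprint: bytes, sensitive: bool = False) -> bytes:
    """Build the subpacket a key owner's software emits when adding a designated revoker."""
    if len(fingerprint) != 20:
        raise ValueError("RFC 4880 revocation keys carry a 20-octet (v4) fingerprint")
    cls = CLASS_REQUIRED_BIT | (CLASS_SENSITIVE_BIT if sensitive else 0)
    body = bytes([SUBPACKET_REVOCATION_KEY, cls, algorithm_id]) + fingerprint
    return bytes([len(body)]) + body  # 23 < 192, so the one-octet length form applies


# Constructed sample: a signature-creation-time subpacket (type 2) followed by one
# ordinary revoker (RSA, algorithm 1) and one sensitive revoker (DSA, algorithm 17).
# Both fingerprints are made up for this example.
FPR_ORG_REVOKER = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
FPR_FRIEND_REVOKER = bytes.fromhex("89abcdef0123456789abcdef0123456789abcdef")
SAMPLE_HASHED_AREA = (
    bytes([5, 2]) + (0x5E0BE100).to_bytes(4, "big")
    + encode_revocation_key(1, FPR_ORG_REVOKER)
    + encode_revocation_key(17, FPR_FRIEND_REVOKER, sensitive=True)
)

if __name__ == "__main__":
    for rk in parse_revocation_keys(SAMPLE_HASHED_AREA):
        print("revoker algo=%d fpr=%s sensitive=%s critical=%s"
              % (rk.algorithm_id, rk.fingerprint.hex(), rk.sensitive, rk.critical))
```

The sensitive flag is the only thing separating the two revokers on the wire, which is why a key exported with the default `export-options` silently drops the second one: the delegation still exists on the owner's keyring, but nobody fetching the key from a keyserver learns who holds it.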