My OpenPGP key consists of three identities and two subkeys. I now would like to create a revocation certificate for the master key.

pub   4096R/2J9F2349 2016-05-10 [expires: 2016-11-06]
uid                  My Name <email_1@post.de>
uid                  My Name <email_2@post.de>
uid                  My Name <email_2@post.de>
sub   4096R/APF6B2U1 2016-05-10 [expires: 2016-11-06]
sub   4096R/HGS4421E 2016-05-10 [expires: 2016-11-06]

When using this command

gpg --output revocation_certificate_2J9F2349.gpg  --gen-revoke 2J9F2349

I am asked if I want to create a revocation certificate for

sec  4096R/2J9F2349 2016-05-10 My Name <email_1@post.de>

Why does GnuPG show me only the first email address? Does this mean that the other identities won't be affected by a revocation? I want to create a revocation certificate for the master key so that, if I ever used it, the entire key (including all subkeys) would become useless.

  • Dupe http://security.stackexchange.com/questions/109560/do-i-need-separate-revocation-certificates-for-each-email-address-associated-wit – dave_thompson_085 May 10 '16 at 16:23

1 Answer

When creating a revocation certificate, GnuPG prints the key's primary/default user ID to help you identify the key. The revocation certificate does not include any user ID, but targets the primary key.

You should be able to verify that using gpg --list-packets or pgpdump: you should observe a signature of type 0x20 (key revocation), not type 0x30, which is a certification revocation (user IDs are bound to your primary key through a self-signature/self-certification, which is revoked when you want to revoke a user ID).

A revocation certificate on the primary key also invalidates subkeys, user IDs and certifications issued by that key.

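As an added example (not code from the question or the answer above), a small Python parser for the check the answer describes: it reads one binary OpenPGP signature packet (RFC 4880 tag 2) and reports whether its type byte is 0x20 (key revocation) or 0x30 (certification revocation). The sample packets are constructed inline with a dummy MPI, so they are structurally valid but carry no real signature; a real certificate would be dearmored first.

```python
"""Identify the signature type of a single OpenPGP signature packet (RFC 4880)."""
import struct

# Signature types that matter when inspecting a revocation certificate.
SIG_TYPE_NAMES = {0x13: "positive certification", 0x20: "key revocation",
                  0x28: "subkey revocation", 0x30: "certification revocation"}

def parse_packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for an old- or new-format packet header."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                  # new-format header, tag in low 6 bits
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03      # old-format header, tag in bits 2-5
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = (1, 2, 4)[ltype]
    return tag, 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")

def signature_type(packet: bytes) -> int:
    """Return the signature type byte of a tag-2 packet (v3 or v4 layout)."""
    tag, off, length = parse_packet_header(packet)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    body = packet[off:off + length]
    if body[0] == 4:
        return body[1]          # v4: version, sig type, pk alg, hash alg, subpackets...
    if body[0] == 3:
        return body[2]          # v3: version, hashed-material length (5), sig type...
    raise ValueError(f"unsupported signature version {body[0]}")

def describe(packet: bytes) -> str:
    t = signature_type(packet)
    return SIG_TYPE_NAMES.get(t, f"signature type 0x{t:02x}")

def build_sample_signature(sig_type: int, old_format: bool = False) -> bytes:
    """Constructed v4 signature packet: creation-time subpacket plus a dummy 8-bit MPI."""
    creation = bytes([5, 2]) + struct.pack(">I", 1462838400)   # subpacket type 2
    hashed = struct.pack(">H", len(creation)) + creation
    body = bytes([4, sig_type, 1, 8]) + hashed + b"\x00\x00" + b"\xAB\xCD"
    body += struct.pack(">H", 8) + b"\x80"                      # dummy MPI, not a real sig
    header = bytes([0x88, len(body)]) if old_format else bytes([0xC2, len(body)])
    return header + body
```

Run the same parser over the first packet of a dearmored `--gen-revoke` output and you should get `key revocation`, matching what `gpg --list-packets` reports as sigclass 0x20.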