I just created a new PGP key because I want to start using PGP to encrypt my emails. Lo and behold, this is apparently not my first attempt to use PGP. Five years ago, I created another PGP key using an ancient encryption algorithm (DSA 1024-bit). This would be very easy to crack.
Needless to say, I don't have a revoke certificate for it. What should I do?
A DSA 1024 certificate will not be very easy to crack, not even having a high performance cluster at hand. An exception might only be if generated using weak random data, for example because of the Debian random flaw.
If you have lost control over the private key, and do not have a revocation certificate, you cannot do anything about it. Key server data cannot be deleted, and you cannot modify or revoke the key without having the private key (or as a special case, revoke it with a revocation certificate.
To designate that a key should not be used, you can issue a revocation for your old key. Client applications like GnuPG will not consider it and mark the old key as revoked, but most of them will at least issue a warning (so other users have a hint that something is fishy).
Generally, always generate a revocation certificate immediately after creating a new key, and store it in a place you will not lose it (ie. printed on a piece of paper, maybe inside an QR code).
I found myself in a similar situation. There is a similar thread here: Anything to do about old gpg keys?. I have used the answer from Markus Malkusch, which is a sort of pseudo-revoke if you don't have the revocation certificate.
Anyone searching the key server will see this along side your old key:
"WARNING: Key was revoked! (Identity for revoking) <revoke@example.org>"
This will hopefully be enought for any potential users to realise that they should use the newer key, or at least that they should contact me through other means before sending me an encrypted email.
