
Re: Key Eater Needed



Mike Ingle <[email protected]> wrote:

> There is no way to know now when a key was sent to a server, so it is hard
> to know when to delete it. One way would be to keep track of when new
> keys are sent or updated, and delete any key which has not been updated
> within a certain time, such as one year. All existing keys could be given
> six months to live. Those who wanted to keep their present keys could
> send them again, and others could create new ones.
>
> The web of trust model does not lend itself easily to key expirations,
> because this requires you to frequently get people to re-sign your key,
> and to re-sign the keys of others. This creates the opportunity for the
> "here's my new key, and I haven't got it resigned yet" attack. There
> would have to be a fairly long overlap period between new and old keys,
> during which time the old key signed the new key. Expirations would
> complicate the system considerably.

How about people just keep their keys, and the signatures, but they
re-sign their own keys every six months or so?  In order to keep their
keys on the keyserver, they must submit a PGP signed message to prove
that they still have that key. If they don't, the key is assumed to be
lost, and it is deleted.
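As an added illustration of the scheme proposed in the reply above (example code, not part of the original thread or any real keyserver): a minimal "key eater" that records when each key's owner last proved possession and deletes keys that have gone six months without a proof. The proof is a signature over a server-chosen challenge, so a captured old message cannot be replayed to keep a lost key alive. Real PGP signatures are stood in for by textbook RSA over fixed, publicly known Mersenne primes (no padding, no secrecy); that part is a placeholder and must not be used for anything, and the `KeyServer` API, the six-month window and the one-day challenge lifetime are all assumptions made here.

```python
# Added example, not code from the original thread.  A minimal "key eater":
# a keyserver that keeps a key only while its owner keeps proving possession
# by signing a server-issued challenge.  PGP signatures are stood in for by
# textbook RSA over fixed, publicly known Mersenne primes (no padding, no
# secrecy), so the crypto is a placeholder; the policy logic is the point.
import hashlib
import secrets

E = 65537
DAY = 86400
SIX_MONTHS = 183 * DAY


def make_key(p, q):
    """Toy RSA key from two known primes (assumption: a stand-in for PGP)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), d


def _digest(msg):
    # 160-bit truncation keeps the integer below every modulus used here
    return int.from_bytes(hashlib.sha256(msg).digest()[:20], "big")


def sign(d, n, msg):
    return pow(_digest(msg), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg)


def fingerprint(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


class KeyServer:
    def __init__(self, ttl=SIX_MONTHS, challenge_ttl=DAY):
        self.ttl = ttl
        self.challenge_ttl = challenge_ttl
        self.keys = {}        # key id -> {"pub": (n, e), "last_proof": time}
        self.challenges = {}  # key id -> (nonce, issued)

    def submit(self, pub, now):
        """A freshly submitted key counts as proven at submission time."""
        kid = fingerprint(pub)
        self.keys[kid] = {"pub": pub, "last_proof": now}
        return kid

    def challenge(self, kid, now):
        """Server-chosen nonce: the proof must be fresh, not an old signature."""
        nonce = secrets.token_hex(16)
        self.challenges[kid] = (nonce, now)
        return f"keyserver-liveness {kid} {nonce}".encode()

    def prove(self, kid, msg, sig, now):
        rec = self.keys.get(kid)
        ch = self.challenges.get(kid)
        if rec is None or ch is None:
            return False
        nonce, issued = ch
        expected = f"keyserver-liveness {kid} {nonce}".encode()
        if msg != expected or now - issued > self.challenge_ttl:
            return False
        if not verify(rec["pub"], msg, sig):
            return False
        del self.challenges[kid]  # single use: a captured proof cannot be replayed
        rec["last_proof"] = now
        return True

    def sweep(self, now):
        """Delete every key whose owner has not proven possession within ttl."""
        dead = [k for k, r in self.keys.items() if now - r["last_proof"] > self.ttl]
        for k in dead:
            del self.keys[k]
        return sorted(dead)


def run_scenario():
    """Two keys submitted on day 0; only A's owner answers the liveness check."""
    pub_a, d_a = make_key(2**127 - 1, 2**89 - 1)
    pub_b, _ = make_key(2**107 - 1, 2**61 - 1)
    ks = KeyServer()
    t0 = 0
    kid_a = ks.submit(pub_a, t0)
    kid_b = ks.submit(pub_b, t0)

    t1 = t0 + 150 * DAY
    msg = ks.challenge(kid_a, t1)
    sig = sign(d_a, pub_a[0], msg)
    fresh_ok = ks.prove(kid_a, msg, sig, t1)
    replay_ok = ks.prove(kid_a, msg, sig, t1 + 60)  # same proof sent again

    t2 = t0 + 200 * DAY  # B is past six months; A proved at day 150
    eaten = ks.sweep(t2)
    return {"fresh_ok": fresh_ok, "replay_ok": replay_ok, "eaten": eaten,
            "kept": sorted(ks.keys), "kid_a": kid_a, "kid_b": kid_b}


if __name__ == "__main__":
    print(run_scenario())
```

The two checks worth keeping even if the rest is replaced with real OpenPGP verification are the server-issued nonce (so the proof cannot be a signature the owner made long ago, or one an attacker captured) and the single-use challenge: without them "I still have this key" degrades into "someone once had a signed message from this key".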