1994-04-17 - Key Eater Needed

Header Data

From: hughes@ah.com (Eric Hughes)
To: MIKEINGLE@delphi.com
Message Hash: 2570bc998740e397ce4df30e8ea28756af0834f8d131770d3fa26e6d270c6ea5
Message ID: <9404171454.AA29518@ah.com>
Reply To: <01HB9P5CBXDE9BZ8MR@delphi.com>
UTC Datetime: 1994-04-17 15:02:57 UTC
Raw Date: Sun, 17 Apr 94 08:02:57 PDT

Raw message

From: hughes@ah.com (Eric Hughes)
Date: Sun, 17 Apr 94 08:02:57 PDT
To: MIKEINGLE@delphi.com
Subject: Key Eater Needed
In-Reply-To: <01HB9P5CBXDE9BZ8MR@delphi.com>
Message-ID: <9404171454.AA29518@ah.com>
MIME-Version: 1.0
Content-Type: text/plain


>Hal Finney suggests expiring old keys. The first thing we would need is a
>way to clear the keyservers of such dead keys. 

One way to expire keys is to simply declare that any old PGP key more
than two years old is expired.

>There is no way to know now when a key was sent to a server, so it is hard
>to know when to delete it. 

You can use the date in the PGP key structure to timeout on.

>The web of trust model does not lend itself easily to key expirations,
>because this requires you to frequently get people to re-sign your key,
>and to re-sign the keys of others. This creates the opportunity for the
>"here's my new key, and I haven't got it re-signed yet" attack.

Everyone should sign their new keys with their old ones.  

Eric
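
A keyserver-side sketch of the "date in the PGP key structure" timeout discussed above. This is an added example, not part of the original message or of PGP's code; the function names, the 730-day reading of "two years" and the sample packet are assumptions made here.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=2 * 365)  # the "two years" cutoff from the message

def read_packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not handled")
    size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)  # old-format, as written by PGP 2.x
    if size is None:
        raise ValueError("indeterminate length not handled")
    return (ctb >> 2) & 0x0F, 1 + size, int.from_bytes(data[1:1 + size], "big")

def key_creation_time(data):
    """Creation timestamp stored in a v2/v3/v4 public-key packet (tag 6)."""
    tag, off, length = read_packet_header(data)
    body = data[off:off + length]
    if tag != 6 or len(body) != length or length < 5:
        raise ValueError("not a complete public-key packet")
    if body[0] not in (2, 3, 4):
        raise ValueError("unsupported key version %d" % body[0])
    return datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), timezone.utc)

def is_expired(data, now):
    """True when the key's own creation date is more than MAX_AGE before now."""
    return now - key_creation_time(data) > MAX_AGE

def sample_key(created):
    """Constructed v3 packet: version, time, validity days, algo, toy MPIs."""
    body = (b"\x03" + int(created.timestamp()).to_bytes(4, "big")
            + b"\x00\x00\x01" + b"\x00\x08\xc5" + b"\x00\x05\x11")
    return b"\x99" + len(body).to_bytes(2, "big") + body

if __name__ == "__main__":
    now = datetime(1994, 4, 17, tzinfo=timezone.utc)  # date of the message
    for made in (datetime(1992, 1, 1, tzinfo=timezone.utc),
                 datetime(1993, 6, 1, tzinfo=timezone.utc)):
        print(made.date(), "expired" if is_expired(sample_key(made), now) else "keep")
```

The creation time is whatever the key's generator wrote into the packet, so a server applying this rule is trusting the uploader's clock rather than its own record of when the key arrived.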