From: Matthew J Ghio <mg5n+@andrew.cmu.edu>
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Message Hash: 6c0947d9b1db10264fd8f1760101fe397869ab82b8087b814ed60a7a7ef79a22
Message ID: <4hgMVY600VpcBhckdD@andrew.cmu.edu>
Reply To: N/A
UTC Datetime: 1994-04-17 19:07:06 UTC
Raw Date: Sun, 17 Apr 94 12:07:06 PDT
From: Matthew J Ghio <mg5n+@andrew.cmu.edu>
Date: Sun, 17 Apr 94 12:07:06 PDT
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Subject: Re: Key Eater Needed
Message-ID: <4hgMVY600VpcBhckdD@andrew.cmu.edu>
MIME-Version: 1.0
Content-Type: text/plain
Mike Ingle <MIKEINGLE@delphi.com> wrote:
> There is no way to know now when a key was sent to a server, so it is hard
> to know when to delete it. One way would be to keep track of when new
> keys are sent or updated, and delete any key which has not been updated
> within a certain time, such as one year. All existing keys could be given
> six months to live. Those who wanted to keep their present keys could
> send them again, and others could create new ones.
>
> The web of trust model does not lend itself easily to key expirations,
> because this requires you to frequently get people to re-sign your key,
> and to re-sign the keys of others. This creates the opportunity for the
> "here's my new key, and I haven't got it resigned yet" attack. There
> would have to be a fairly long overlap period between new and old keys,
> during which time the old key signed the new key. Expirations would
> complicate the system considerably.
How about people just keep their keys, and the signatures, but they
re-sign their own keys every six months or so? In order to keep their
keys on the keyserver, they must submit a PGP signed message to prove
that they still have that key. If they don't, the key is assumed to be
lost, and it is deleted.
Return to April 1994
Return to “Matthew J Ghio <mg5n+@andrew.cmu.edu>”
1994-04-17 (Sun, 17 Apr 94 12:07:06 PDT) - Re: Key Eater Needed - Matthew J Ghio <mg5n+@andrew.cmu.edu>