1994-04-17 - Re: Key Eater Needed

Header Data

From: Derek Atkins <warlord@MIT.EDU>
To: hughes@ah.com (Eric Hughes)
Message Hash: f5e6709c417a8bfabd25e12aff25e639ca068c727166bf1a5ab6b1240724b964
Message ID: <9404171621.AA16350@hodge.MIT.EDU>
Reply To: <9404171454.AA29518@ah.com>
UTC Datetime: 1994-04-17 16:22:02 UTC
Raw Date: Sun, 17 Apr 94 09:22:02 PDT

Raw message

From: Derek Atkins <warlord@MIT.EDU>
Date: Sun, 17 Apr 94 09:22:02 PDT
To: hughes@ah.com (Eric Hughes)
Subject: Re: Key Eater Needed
In-Reply-To: <9404171454.AA29518@ah.com>
Message-ID: <9404171621.AA16350@hodge.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain


> One way to expire keys is to simply declare that any old PGP key more
> than two years old is expired.

No, this is a bad idea.  Any arbitrary setting of expire time by the
keyserver is a bad idea.  It is the key owner that should set the
timeout of the PGP key (there is an expiration time in the key
certificate, but the current implementation sets it to zero and
ignores the field).  There are people that have longer or shorter
keys, and it's possible that they might want longer or shorter
expiration times.

I think that there are a few things that can and should be done.
First, a revoked key should get all signatures removed from that key
(and possibly any signatures that key made should disappear as well).
Also, revoked keys should probably time out from the keyservers after
some period of time.

-derek

         Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
       Member, MIT Student Information Processing Board (SIPB)
    Home page: http://www.mit.edu:8001/people/warlord/home_page.html
       warlord@MIT.EDU    PP-ASEL     N1NWH    PGP key available
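
The policy argued for in the message above, as an added example that is not part of the original e-mail or of any keyserver's code: read the owner-set validity field from a version 2/3 PGP public key packet, treat zero as "no expiry" instead of imposing a server-side age limit, and drop revoked keys after a grace period. The 365-day grace period, the action names and the sample packet are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: the message only says "some period of time" for revoked keys.
REVOKED_GRACE = timedelta(days=365)

def parse_v3_pubkey(packet):
    """Return (created, validity_days) from an old-format public key packet."""
    if not packet or packet[0] & 0xC0 != 0x80 or (packet[0] >> 2) & 0x0F != 6:
        raise ValueError("not an old-format public key packet")
    len_type = packet[0] & 0x03
    if len_type == 3:
        raise ValueError("indeterminate-length packets are not handled here")
    n = 1 << len_type                        # 1, 2 or 4 length octets
    body_len = int.from_bytes(packet[1:1 + n], "big")
    body = packet[1 + n:1 + n + body_len]
    if len(packet) < 1 + n or len(body) != body_len or body_len < 8:
        raise ValueError("truncated packet")
    # version, creation time, validity period in days, public key algorithm
    version, created, days, _algo = struct.unpack(">BIHB", body[:8])
    if version not in (2, 3):
        raise ValueError("the validity field exists only in version 2/3 keys")
    return datetime.fromtimestamp(created, timezone.utc), days

def owner_expiry(created, days):
    """Zero means the owner set no expiry; the server does not invent one."""
    return None if days == 0 else created + timedelta(days=days)

def keyserver_action(packet, now, revoked_at=None):
    """Decide what a keyserver does with this key at time `now`."""
    created, days = parse_v3_pubkey(packet)
    if revoked_at is not None:
        # Revoked keys are served without signatures, then time out.
        if now - revoked_at >= REVOKED_GRACE:
            return "purge"
        return "serve-revoked-no-sigs"
    expiry = owner_expiry(created, days)
    if expiry is not None and now >= expiry:
        return "expired-by-owner"
    return "serve"

def build_packet(created, days):
    """Constructed sample: v3 RSA key packet with toy MPIs (n=0xC351, e=17)."""
    body = struct.pack(">BIHB", 3, int(created.timestamp()), days, 1)
    body += b"\x00\x10\xc3\x51" + b"\x00\x05\x11"
    return b"\x99" + struct.pack(">H", len(body)) + body
```

A key created more than two years before `now` with a validity of zero is still served, which is the difference between this policy and the fixed two-year cutoff quoted at the top of the message.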




