--- Earl Hood <earl(_at_)earlhood(_dot_)com> wrote:
There should be some way to indicate that a key has been revoked.
It seems right now, revocation is indirect, by removing the appropriate
DNS entry. However, a verifier does not know if the key was revoked,
temporarily unavailable, or never existed.
Hmm. I'll have to swing back on the draft, but at one stage the plan was to use
the DK revocation method of continuing to advertise the Key RR with an empty
public key value.
Would that satisfy your concerns regarding explicit revocation?
An alternate way is to set g=; which says that it doesn't match anything.
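
The states discussed in this thread, as an added example that is not part of the original messages or of the draft: a verifier-side classifier that separates an explicitly revoked key (record still published, empty public key value) and an empty `g=` from a missing record and a temporary DNS failure. The `p` tag name for the public key, the lookup status labels and the sample records are assumptions made for this example.

```python
from enum import Enum

class KeyState(Enum):
    VALID = "valid"
    REVOKED = "revoked"              # record published, public key value empty
    MATCHES_NOTHING = "g-empty"      # record published, g= is empty
    MALFORMED = "malformed"          # record published, no public key tag at all
    NO_RECORD = "no-record"          # name does not exist / no TXT data
    TEMP_UNAVAILABLE = "temp-fail"   # resolver timeout or server failure

def parse_tags(txt):
    """Split a 'tag=value; tag=value' key record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue                          # skip empty trailing segment
        name, value = part.split("=", 1)      # base64 padding '=' stays in value
        tags[name.strip()] = "".join(value.split())
    return tags

def classify(lookup_status, txt=None):
    """lookup_status is 'ok', 'nxdomain' or 'timeout' (labels assumed here)."""
    if lookup_status == "timeout":
        return KeyState.TEMP_UNAVAILABLE      # retry later, do not treat as revoked
    if lookup_status == "nxdomain" or txt is None:
        return KeyState.NO_RECORD             # cannot tell removed from never existed
    tags = parse_tags(txt)
    if "p" not in tags:
        return KeyState.MALFORMED
    if tags["p"] == "":
        return KeyState.REVOKED               # explicit revocation signal
    if tags.get("g", None) == "":
        return KeyState.MATCHES_NOTHING       # key exists but matches no address
    return KeyState.VALID

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = [
        ("ok", "k=rsa; p=QUJDRA=="),
        ("ok", "k=rsa; p="),
        ("ok", "k=rsa; g=; p=QUJDRA=="),
        ("nxdomain", None),
        ("timeout", None),
    ]
    for status, txt in samples:
        print(status, repr(txt), "->", classify(status, txt).value)
```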