From: Derek Atkins <warlord(_at_)mit(_dot_)edu>
Subject: Re: rfc2440bis-02 comments
Date: 17 Dec 2000 12:21:05 -0500
Unfortunately this particular approach will not solve what I believe
to be the bigger problem: "I reinstalled my machine and lost my secret
key; can you remove it from the keyserver, please?" or "I forgot my
passphrase, can you please delete my key from the keyservers?" If I
had a dollar for every time I received one of these messages, I'd be a
very rich man right now ;)
Is it possible to address this issue without the keyservers doing any sort
of authentication? I had thought that there was a fairly strong
feeling that the keyservers should not do any sort of authentication.
Has this changed?
One authentication-less way that occurred to me is to have keys have
lifetimes on servers (the default being 1 year, perhaps?). Then, though
you might have to wait a while, at least your old keys could disappear
from servers after a certain period of time.
Your client software can remind you that you need to upload your key
when it gets close to the "expiration" date/time.
[ Of course the "expire-from-server" date needs to be in the hashed area. ]
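The lifetime scheme sketched above, as an added model (this is example code, not anything from the thread or from any keyserver implementation). It keeps the "expire-from-server" date in the hashed area of the key's self-signature, lets a keyserver that does no submitter authentication honour it, sweeps expired keys, and shows the client-side reminder. Assumptions: there is no such subpacket in RFC 2440, so the name "expire-from-server" is hypothetical; no OpenPGP packets are parsed; and the public-key step of signature verification is replaced by recomputing a digest over the hashed area, which is the part that decides what a tamperer can change. The key id and timestamps are constructed sample data.

```python
"""Model of keyserver-side key lifetimes with the expire-from-server date in
the hashed area of the self-signature.  Added example, not code from the
thread.  Signature = digest over (key id + hashed area); unhashed subpackets
are deliberately left uncovered, as in a real OpenPGP signature hash."""
import hashlib
from dataclasses import dataclass, field

ONE_YEAR = 365 * 86400        # default server lifetime floated in the thread
REMIND_BEFORE = 30 * 86400    # assumption: the client nags a month ahead


def _digest_hashed_area(key_id, hashed):
    """Digest over key id + hashed subpackets only (unhashed ones excluded)."""
    canon = key_id + "|" + "|".join(f"{k}={hashed[k]}" for k in sorted(hashed))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class SelfSig:
    key_id: str
    hashed: dict                                   # covered by the signature
    unhashed: dict = field(default_factory=dict)   # NOT covered
    signed_digest: str = ""                        # stands in for the signature value


def make_self_sig(key_id, created, server_lifetime=ONE_YEAR):
    # "expire-from-server" is a hypothetical subpacket name, not one in RFC 2440
    hashed = {"created": created, "expire-from-server": created + server_lifetime}
    sig = SelfSig(key_id, hashed)
    sig.signed_digest = _digest_hashed_area(key_id, hashed)
    return sig


def sig_verifies(sig):
    """Modeled verification: recompute the hash over the hashed area and compare."""
    return _digest_hashed_area(sig.key_id, sig.hashed) == sig.signed_digest


class Keyserver:
    """Authenticates nobody (the thread's constraint); it only checks the
    self-signature and honours the signed expire-from-server date."""

    def __init__(self):
        self.keys = {}

    def submit(self, sig):
        if not sig_verifies(sig):
            return False              # tampered hashed area: reject
        self.keys[sig.key_id] = sig   # a re-upload carrying a new date refreshes the entry
        return True

    def sweep(self, now):
        """Drop keys whose signed server lifetime has passed; return what was removed."""
        gone = [k for k, s in self.keys.items() if s.hashed["expire-from-server"] <= now]
        for k in gone:
            del self.keys[k]
        return gone

    def lookup(self, key_id):
        return self.keys.get(key_id)


def client_reminder(sig, now):
    """What the owner's client tells the user as the server lifetime runs down."""
    remaining = sig.hashed["expire-from-server"] - now
    if remaining <= 0:
        return "expired"
    if remaining <= REMIND_BEFORE:
        return "re-upload soon"
    return "ok"


def demo():
    t0 = 1_000_000_000                       # constructed creation time
    server = Keyserver()
    sig = make_self_sig("0xDEADBEEF", t0)    # constructed sample key id
    accepted = server.submit(sig)

    # Forger bumps the date in the hashed area: the signature no longer matches.
    forged = SelfSig(sig.key_id,
                     dict(sig.hashed, **{"expire-from-server": t0 + 10 * ONE_YEAR}),
                     signed_digest=sig.signed_digest)
    forged_accepted = server.submit(forged)

    # Had the date lived in the unhashed area, anyone could edit it for free.
    loose = SelfSig(sig.key_id, sig.hashed,
                    {"expire-from-server": t0 + 10 * ONE_YEAR}, sig.signed_digest)
    loose_verifies = sig_verifies(loose)

    states = [client_reminder(sig, t0),
              client_reminder(sig, t0 + ONE_YEAR - 5 * 86400)]
    removed = server.sweep(t0 + ONE_YEAR)
    return accepted, forged_accepted, loose_verifies, states, removed, server.lookup(sig.key_id) is None


if __name__ == "__main__":
    print(demo())
```

The point of the two tamper cases is the bracketed remark above: a date in the unhashed area verifies fine after editing, so only a hashed copy lets the server trust it without authenticating the uploader. The flip side is the thread's own scenario: an owner who has lost the secret key or passphrase cannot sign a fresh date, so the key simply drops off at the next sweep after its lifetime.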