ietf-openpgp

Re: rfc2440bis-02 comments

2000-12-17 22:40:07
From: Derek Atkins <warlord(_at_)mit(_dot_)edu>
Subject: Re: rfc2440bis-02 comments
Date: 17 Dec 2000 12:21:05 -0500

Unfortunately this particular approach will not solve what I believe
to be the bigger problem: "I reinstalled my machine and lost my secret
key; can you remove it from the keyserver, please?" or "I forgot my
passphrase, can you please delete my key from the keyservers?"  If I
had a dollar for every time I received one of these messages, I'd be a
very rich man right now ;)

is it possible to address this issue w/o the keyservers doing any sort
of authentication?  i had thought that there was a fairly strong
feeling that the keyservers should not do any sort of authentication.

has this changed?

one authentication-less way that occurred to me is to have keys have
lifetimes on servers (default being 1 year perhaps?).  then, though
you might have to wait a while, at least your old keys could disappear
from servers after a certain period of time.

your client software can remind you that you need to upload your key
when it gets close to the "expiration" date/time.

[ of course the "expire-from-server" date needs to be in the hashed area. ]