
Automatically delete old keys from servers
Hi all

On the key servers are many old keys lying around which aren't valid anymore.

Could you implement a function on the servers which deletes keys after let's say one year automatically, reminding the user via email one month ahead to reupload the keys?

I too have some old, useless keys there and people shouldn't use an invalid public key anymore.

Regards
Daniel
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Automatically delete old keys from servers
On 17.09.2019 15:12, Daniel Bossert wrote:
> Hi all
>
> On the key servers are many old keys lying around which aren't valid
> anymore.
>
> Could you implement a function on the servers which deletes keys after
> let's say one year automatically, reminding the user via email one month
> ahead to reupload the keys?
>
> I too have some old, useless keys there and people shouldn't use an
> invalid public key anymore.
I am far from being an expert, but I think that the usual way to deal
with this problem is to revoke the key in question and upload the
revocation to the key server.

Maybe I have missed some basics here and I am completely wrong, but
this at least is what Enigmail proposes if you revoke a key in its key
management window: Upload the revoked key.

There is a second solution to your problem: Limit the validity of the
key when generating it. You can easily generate keys which are valid
exactly one year from the date of generation. Any reasonable MUA will
refuse to encrypt a message using an expired public key, or will at
least show a warning.

That way, you can get close to the behavior you want. Your key expires
after a year, and although it still remains on the key server after that
time, nobody will use it to encrypt a message to you.

Furthermore, if memory serves me right, your public key is needed to
check your signature; remember that signing works in the opposite
direction than encrypting (signing means: you encrypt a message hash
with your private key, the receiver decrypts the hash using your public
key and checks if the decrypted hash matches the message). So deleting
public keys from a key server might be a bad idea anyway.

Regards,

Binarus


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Automatically delete old keys from servers
On Tue, 17 Sep 2019 15:12, daniel.bossert@dabo.ch said:

> On the key servers are many old keys lying around which aren't valid anymore.

Old keys are still useful to verify signatures. This is even true for
expired keys. The user then needs to decide what to do with the
verification result.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Automatically delete old keys from servers
Daniel Bossert [2019-09-17T15:12:09+02] wrote:

> On the key servers are many old keys lying around which aren't valid
> anymore.
>
> Could you implement a function on the servers which deletes keys after
> let's say one year automatically, reminding the user via email one
> month ahead to reupload the keys?

That is the very purpose of invalid (revoked, expired) keys in the
server: tell people that the keys are invalid and not to be used. If the
keys were removed from servers (which won't happen) it would be more
difficult to share that important information.

A reminder email doesn't sound like a good idea: a key might be revoked
or expired because the owner's email address is no longer valid. The
server can't know if the user wants to update the key's expiration date
or if the key is expired or revoked for good.

keys.openpgp.org is different from usual SKS keyservers so there might
be different policies. My views in above paragraphs are about SKS
keyservers.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tlikonen@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
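The thread's advice is that the key owner, not the server, should track expiry (Binarus) and publish revocations (Teemu). As an added example that is not code from any poster, this script audits `gpg --list-keys --with-colons` output and flags keys that are revoked, expired, or within the one-month reminder window Daniel asked for; the listing, key IDs and the "now" date are constructed, and the colon-format field positions follow GnuPG's doc/DETAILS (field 2 validity, field 7 expiry as a Unix timestamp in GnuPG 2).

```python
from datetime import datetime, timezone, timedelta

# Constructed sample of `gpg --list-keys --with-colons` output; the key IDs
# and user IDs are made up and do not refer to real keys.
SAMPLE_LISTING = """\
pub:u:3072:1:0123456789ABCDEF:1568725929:1600261929::u:::scESC::::::23::0:
uid:u::::1568725929::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
pub:e:3072:1:FEDCBA9876543210:1500000000:1531536000::-:::scESC::::::23::0:
uid:e::::1500000000::1111111111111111111111111111111111111111::Bob <bob@example.org>::::::::::0:
pub:r:2048:1:1122334455667788:1400000000:::-:::scESC::::::23::0:
uid:r::::1400000000::2222222222222222222222222222222222222222::Carol <carol@example.org>::::::::::0:
pub:u:3072:1:AABBCCDDEEFF0011:1537189929:1569589929::-:::scESC::::::23::0:
uid:u::::1537189929::3333333333333333333333333333333333333333::Dave <dave@example.org>::::::::::0:
pub:u:255:22:8877665544332211:1560000000:::-:::scESC::::::23::0:
"""

# Constructed "now": the date of this thread (2019-09-17 13:12:09 UTC).
THREAD_DATE = datetime(2019, 9, 17, 13, 12, 9, tzinfo=timezone.utc)
REMINDER_WINDOW = timedelta(days=30)  # the one-month lead time from the thread

def classify_key(fields, now):
    """Status of one 'pub' record: revoked, expired, expires-soon, ok, no-expiry."""
    validity, expiry = fields[1], fields[6]
    if "r" in validity:          # a revocation is on the key: it stays published
        return "revoked"
    if not expiry:               # no expiration set at generation time
        return "no-expiry"
    expires_at = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
    if "e" in validity or expires_at <= now:
        return "expired"
    if expires_at - now <= REMINDER_WINDOW:
        return "expires-soon"    # time to extend (gpg --quick-set-expire) and re-upload
    return "ok"

def audit_listing(listing, now):
    """Map each primary key ID in a colon-format listing to its status."""
    statuses = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            statuses[fields[4]] = classify_key(fields, now)
    return statuses

if __name__ == "__main__":
    for keyid, status in audit_listing(SAMPLE_LISTING, THREAD_DATE).items():
        print(f"{keyid}: {status}")
```

Run it against `gpg --list-secret-keys --with-colons` output to see which of your own keys need an expiry extension or a revocation certificate uploaded.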
Re: Automatically delete old keys from servers
The simple truth is: For the SKS servers, it is not technically possible to
remove keys, and never will be.

People have speculated, postulated, counterargued, rambled on several mailing
lists about how great or terrible a thing that is. But no matter what anyone
tells you or how many mails are written - the simple truth is: For the SKS
servers, it is not technically possible to remove keys, and never will be.

Cheers

- V

