best practice for pgp mail service, revoking keys

tim at tim at
Thu Apr 24 00:13:15 CEST 2014


This is a tiny bit philosophical. Perhaps a little off-topic. I think this is probably the best list to ask nevertheless.

So I've been working on this PGP-based, web-based mail service.

Here is the problem I hope eventually to be confronted with:

1. User registers the name "decker at"; the user auto-magically generates a PGP pub/priv key. The pub key is registered on the PGP key servers.
2. User goes away. Account is closed.
3. User still has "decker at" registered on the PGP key servers.
4. Another person wants to use "decker at". He would generate a brand new PGP key with a later creation date, but still, that old one seems like a liability.

What should I do?

A few options I can see:
1. Email addresses are used only once.
2. Email addresses are used more than once, but with a warning: "there already exists an unrevoked PGP key for this address."
3. The user gives me a revocation certificate when he generates his PGP key, so I can revoke it for accounts which close.
4. The user generates PGP keys which expire after a year.
5. ?

I would like to do #3. But perhaps this is not the way to go. I'm not sure if #4 is possible with the JavaScript PGP lib I'm using at the moment.

Any thoughts?
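Whichever option is chosen, the service ends up needing the same check behind option #2: given the key block a key server returns for an address, is the existing key revoked (option #3), expired (option #4), or still live? The following is an added example, not code from the poster or his service: a minimal RFC 4880 packet walker that reads the primary key's creation time, looks for a key revocation signature (type 0x20) and for a key expiration subpacket (type 9) in the self-certification, and reports whether the key is still usable. It parses structure only and verifies no signatures; the three sample key blocks at the bottom are constructed from dummy MPIs for a placeholder address, so they are not real keys.

```python
import struct, time
# OpenPGP packet tags, signature types and subpacket types from RFC 4880 (structure only, no crypto).
TAG_SIG, TAG_PUBKEY, TAG_UID = 2, 6, 13
SIG_KEY_REVOKED, SIG_CERTS, SUB_KEY_EXPIRES = 0x20, (0x10, 0x11, 0x12, 0x13), 9
def _length(buf, i):  # new-format one-, two- or five-octet length at buf[i] -> (length, index after it)
    if buf[i] < 192: return buf[i], i + 1
    if buf[i] < 255: return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
def iter_packets(data):  # yield (tag, body) for each new-format packet in a binary key block
    i = 0
    while i < len(data):
        if not data[i] & 0x40 or 224 <= data[i + 1] < 255: raise ValueError("old-format or partial-length packet")
        length, j = _length(data, i + 1)
        yield data[i] & 0x3F, data[j:j + length]
        i = j + length
def iter_subpackets(buf):  # yield (type, data) for signature subpackets, critical bit masked off
    i = 0
    while i < len(buf):
        length, j = _length(buf, i)
        yield buf[j] & 0x7F, buf[j + 1:j + length]
        i = j + length
def key_status(keyblock, now=None):
    """Is the primary key in a binary key block revoked, expired, or still usable at time `now`?"""
    now, created, expires, revoked = time.time() if now is None else now, None, None, False
    for tag, body in iter_packets(keyblock):
        if tag == TAG_PUBKEY and created is None:  # v4 key: version octet, then 4-octet creation time
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == TAG_SIG and body[0] == 4:  # v4 sig: version, type, pk alg, hash alg, hashed length
            hashed = body[6:6 + struct.unpack(">H", body[4:6])[0]]
            if body[1] == SIG_KEY_REVOKED:  # revocation signature directly on the primary key
                revoked = True
            elif body[1] in SIG_CERTS and created is not None:  # self-certification carrying the expiry
                for st, sd in iter_subpackets(hashed):
                    if st == SUB_KEY_EXPIRES:  # value is seconds after key creation
                        expires = created + struct.unpack(">I", sd)[0]
    usable = created is not None and not revoked and (expires is None or expires > now)
    return {"created": created, "revoked": revoked, "expires": expires, "usable": usable}
# Constructed sample key blocks (not real keys: dummy MPIs, signatures are not verifiable).
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body  # one-octet length, body < 192
def _sig(sigtype, subs):  # v4 signature with hashed subpackets [(type, data), ...] and no unhashed ones
    hashed = b"".join(bytes([len(d) + 1, t]) + d for t, d in subs)
    return _pkt(TAG_SIG, bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + b"\x00\x00\xab\xcd\x00\x08\x01")
CREATED, ONE_YEAR = 1398291195, 365 * 24 * 3600  # 2014-04-23 22:13:15 UTC; one-year lifetime (option 4)
SIG_TIME = (2, struct.pack(">I", CREATED))  # signature creation time subpacket
PUBKEY = _pkt(TAG_PUBKEY, b"\x04" + struct.pack(">I", CREATED) + b"\x01\x00\x08\xff\x00\x11\x01\x00\x01")
UID = _pkt(TAG_UID, b"decker <decker@example.invalid>")  # placeholder address
KEY_FOREVER = PUBKEY + UID + _sig(0x13, [SIG_TIME])
KEY_EXPIRING = PUBKEY + UID + _sig(0x13, [SIG_TIME, (SUB_KEY_EXPIRES, struct.pack(">I", ONE_YEAR))])
KEY_REVOKED = PUBKEY + _sig(0x20, [SIG_TIME, (29, b"\x03account closed")]) + UID + _sig(0x13, [SIG_TIME])  # option 3
```

Feeding a real key's binary export (for example the dearmored output of a key server lookup) to key_status gives the same three answers; a key that comes back revoked or expired is the case where re-issuing the address is safe, and an unrevoked, unexpired one is the case for the warning in option #2.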



More information about the Gnupg-users mailing list