best practice for pgp mail service, revoking keys
dshaw at jabberwocky.com
Thu Apr 24 05:14:24 CEST 2014
On Apr 23, 2014, at 6:13 PM, tim at piratemail.se wrote:
> This is a tiny bit philosophical. Perhaps a little off-topic. I think this is probably the best list to ask never-the-less.
> So I've been working on this pgp base web based mail service.
> Here is the problem I hope eventually to be confronted with:
> 1. User registers name "decker at piratemail.se," user auto-magically generates a pgp pub/priv key. The pub key is registered on the pgp key servers.
> 2. User goes away. Account is closed.
> 3. User still has "decker at piratemail.se" registered on the pgp key servers.
> 4. Another person wants to use "decker at piratemail.se." He would generate a brand new pgp key with a later creation date, but still that old one seems like a liability.
> What should I do?
> A few options I can see:
> 1. email addresses are used only once.
> 2. email addresses are used more than once, but with a warning, "there already exists an unrevoked pgp key for this address."
> 3. user gives me a revocation certification when he generates his pgp key, I can revoke accounts which close.
> 4. user generates pgp keys which expire after a year
> 5. ?
I haven't looked extensively at your design, so this isn't a suggestion as to what you should do, but just to mention a possibility you may have missed:
5. User appoints you (or a designated key) as their designated revoker. This allows your key to issue a revocation on their key. Pro: no need to store revocation certificates for all of your users, which could leak. Con: the revocation only works if the person checking has both your key and their key.
It's similar in many ways to 3.
More information about the Gnupg-users