Automatically delete old keys from servers

Binarus lists at binarus.de
Tue Sep 17 16:09:46 CEST 2019



On 17.09.2019 15:12, Daniel Bossert wrote:
> Hi all
> 
> On the key servers are many old keys lying around which aren't valid
> anymore.
> 
> Could you implement a function on the servers which delete keys after
> let's say one year automatically, reminding the user via email one month
> ahead to reupload the keys?
> 
> I too have some old, useless keys there and people shouldn't use an
> invalid public key anymore.

I am far from being an expert, but I think that the usual way to deal
with this problem is to revoke the key in question and upload the
revocation to the key server.

Maybe I have missed some basics here and am completely wrong, but
this at least is what Enigmail proposes if you revoke a key in its key
management window: Upload the revoked key.

There is a second solution to your problem: Limit the validity of the
key when generating it. You can easily generate keys which are valid
exactly one year from the date of generation. Any reasonable MUA will
refuse to encrypt a message using an expired public key, or will at
least show a warning.

That way, you can get close to the behavior you want. Your key expires
after a year, and although it still remains on the key server after that
time, nobody will use it to encrypt a message to you.

Furthermore, if memory serves me right, your public key is needed to
check your signature; remember that signing works in the opposite
direction from encrypting (signing means: you encrypt a message hash
with your private key, the receiver decrypts the hash using your public
key and checks if the decrypted hash matches the message). So deleting
public keys from a key server might be a bad idea anyway.

Regards,

Binarus
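As an added example, not from this thread: the expiry-based approach above, plus the one-month reminder Daniel asked for, can be driven from the colon-separated output of `gpg --with-colons --list-keys`. The script below parses such a listing (a constructed sample with made-up key IDs and user IDs is embedded; the 30-day reminder window is an assumption) and reports which keys are revoked, expired, or due for a reminder.

```python
"""Classify keys in `gpg --with-colons --list-keys` output as revoked, expired,
expiring within a reminder window, or fine (added example, not from the thread)."""
from datetime import datetime, timedelta, timezone

# Constructed sample listing with made-up key IDs and user IDs. `pub` fields:
# 2=validity (r = revoked, e = expired), 5=key ID, 6=creation, 7=expiry
# (epoch seconds, empty = never). `uid` field 10 is the user ID (colons escaped).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1537142400:1570406400::u:::scESC::::::23::0:
uid:u::::1537142400::AAAA000000000000000000000000000000000001::Alice <alice@example.invalid>::::::::::0:
pub:u:4096:1:FEDCBA9876543210:1560000000:::u:::scESC::::::23::0:
uid:u::::1560000000::AAAA000000000000000000000000000000000002::Bob <bob@example.invalid>::::::::::0:
pub:r:2048:1:1111222233334444:1500000000:1531536000::u:::scESC::::::23::0:
uid:r::::1500000000::AAAA000000000000000000000000000000000003::Carol <carol@example.invalid>::::::::::0:
pub:e:2048:1:5555666677778888:1500000000:1531536000::u:::scESC::::::23::0:
uid:e::::1500000000::AAAA000000000000000000000000000000000004::Dave <dave@example.invalid>::::::::::0:
"""
# Fixed "now" (the date of this thread) so the sample classifies reproducibly.
SAMPLE_NOW = datetime(2019, 9, 17, tzinfo=timezone.utc)


def classify_keys(listing, now, reminder_days=30):
    """Map key ID -> {'status', 'uid', 'expires'} for every pub record."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            validity, keyid, expiry = f[1], f[4], f[6]
            if validity == "r":
                status = "revoked"       # revocation published: never use the key
            elif not expiry:
                status = "no-expiry"     # stays usable forever unless revoked
            else:
                exp = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
                if exp <= now:
                    status = "expired"   # a sane MUA refuses to encrypt to it
                elif exp - now <= timedelta(days=reminder_days):
                    status = "expiring"  # time to send the reminder mail
                else:
                    status = "ok"
            current = keyid
            keys[keyid] = {"status": status, "uid": None, "expires": expiry or None}
        elif f[0] == "uid" and current and keys[current]["uid"] is None:
            keys[current]["uid"] = f[9].replace("\\x3a", ":")
    return keys

def reminder_candidates(keys):
    """Key IDs whose owners should be reminded to extend the expiry."""
    return [k for k, v in keys.items() if v["status"] == "expiring"]
```

Feed it the real output of `gpg --with-colons --list-keys` in place of the sample to check your own keyring; a key that shows up as `no-expiry` is exactly the kind that lingers on the key servers unless you publish a revocation.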
