best practice for pgp mail service, revoking keys
tim at piratemail.se
tim at piratemail.se
Thu Apr 24 00:13:15 CEST 2014
Greetings,
This is a tiny bit philosophical. Perhaps a little off-topic. I think this is probably the best list to ask never-the-less.
So I've been working on this pgp base web based mail service.
https://github.com/timprepscius/mv
Here is the problem I hope eventually to be confronted with:
1. User registers name "decker at piratemail.se," user auto-magically generates a pgp pub/priv key. The pub key is registered on the pgp key servers.
2. User goes away. Account is closed.
3. User still has "decker at piratemail.se" registered on the pgp key servers.
4. Another person wants to use "decker at piratemail.se." He would generate a brand new pgp key with a later creation date, but still that old one seems like a liability.
What should I do?
A few options I can see:
1. email addresses are used only once.
2. email addresses are used more than once, but with a warning, "there already exists an unrevoked pgp key for this address."
3. user gives me a revocation certification when he generates his pgp key, I can revoke accounts which close.
4. user generates pgp keys which expire after a year
5. ?
I would like to do #3. But perhaps this is not the way to go. I'm not sure if #4 is possible with the javascript pgp lib I'm using atm.
Any thoughts?
Cheers,
-tim
More information about the Gnupg-users
mailing list