Re: [openpgp] email death certificates

[David Shaw <dshaw@jabberwocky.com>]

On Aug 23, 2019, at 2:05 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> I had the unfortunate duty to remove an email address from a community
> email list because the person had passed away.  I wonder how many other
> lists this rather active person is on, and how many years it will be
> before the lists are cleaned up.
> 
> When my dad passed away in the fall of 2003, it wasn't until the end of April
> the following year that the University cleaned up his email account.  There
> was clearly a need to keep the account open for quite some time due to
> other university business that hadn't yet closed.
> 
> I was thinking this morning about an SMTP responses, a 55x-type,
> but it rather needs to be signed.  Sigh, 2019, and still not enough
> useful email security to do this.  But still.
> 
> Is there something in openpgp spec that I'm missing here?
> I don't think that revoking the key is the right thing.
> In particular, nobody may know how to find the private key to revoke it.
> What's wanted is a revocation of the PGP signature with a reason.
> 
> Has anyone given any thought to this?
> 
> I suppose it might also apply to "does not work here anymore"

There is a "Reason for Revocation" subpacket for the revocation signature.  It contains both a machine-readable byte giving various reasons for revocation (key superseded, compromised, or retired, user ID no longer valid, or a general "other"), followed by a human-readable string.

I suppose a death notification would be "key retired", with additional information (if any) given in the human-readable string.  This works with the designated revoker feature as well as the regular (self) revocation, so even if the private key is missing (or, being dead, the owner is unable to enter a passphrase) the key can still be revoked.

David