One way to expire keys is to simply declare that any old PGP key more than two years old is expired.
No, this is a bad idea. Any arbitrary setting of expire time by the keyserver is a bad idea. It is the key owner that should set the timeout of the PGP key (there is an expiration time in the key certificate, but the current implementation sets it to zero and ignores the field). There are people that have longer or shorter keys, and it's possible that they might want longer or shorter expiration times.

I think that there are a few things that can and should be done. First, a revoked key should get all signatures removed from that key (and possibly any signatures that key made should disappear as well). Also, revoked keys should probably time out from the keyservers after some period of time.

-derek

Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
Home page: http://www.mit.edu:8001/people/warlord/home_page.html
warlord@MIT.EDU PP-ASEL N1NWH PGP key available
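The owner-set expiration field mentioned in the message above can be read straight from the key certificate. The following is an added example, not part of the original message or of PGP's own code: it assumes the version 2/3 public-key packet layout documented in RFC 4880 section 5.5.2 (version, 4-byte creation time, 2-byte validity period in days, algorithm) and uses a constructed sample packet with toy key material. A validity of zero means the key never expires.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_v3_public_key(packet: bytes) -> dict:
    """Read creation time and owner-set validity from an old-format v2/v3 key packet."""
    if not packet or packet[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    if (packet[0] >> 2) & 0x0F != 6:
        raise ValueError("not a public-key packet (tag 6)")
    length_type = packet[0] & 0x03
    if length_type == 3:
        raise ValueError("indeterminate-length packets are not handled here")
    header_len = 1 + (1 << length_type)          # 1-, 2- or 4-byte length field
    body_len = int.from_bytes(packet[1:header_len], "big")
    body = packet[header_len:header_len + body_len]
    if len(body) != body_len or body_len < 8:
        raise ValueError("truncated packet")
    version, created, validity_days, algorithm = struct.unpack(">BIHB", body[:8])
    if version not in (2, 3):
        raise ValueError("the validity field only exists in v2/v3 key packets")
    created_at = datetime.fromtimestamp(created, tz=timezone.utc)
    # Zero days means "no expiration"; anything else is the owner's choice.
    expires_at = created_at + timedelta(days=validity_days) if validity_days else None
    return {"version": version, "algorithm": algorithm, "created_at": created_at,
            "validity_days": validity_days, "expires_at": expires_at}

def is_expired(info: dict, now: datetime) -> bool:
    """Honor the owner-set field; never impose an expiry the key does not carry."""
    return info["expires_at"] is not None and now >= info["expires_at"]

def build_sample_packet(validity_days: int) -> bytes:
    """Constructed sample: v3 RSA key created 1994-01-01 UTC, toy MPIs (not a real key)."""
    body = struct.pack(">BIHB", 3, 757382400, validity_days, 1)
    body += struct.pack(">H", 16) + b"\xc3\x51"   # MPI n: 16 bits (toy value)
    body += struct.pack(">H", 5) + b"\x11"        # MPI e: 5 bits, value 17
    return b"\x99" + struct.pack(">H", len(body)) + body  # tag 6, 2-byte length

if __name__ == "__main__":
    now = datetime(1996, 6, 1, tzinfo=timezone.utc)
    for days in (0, 730):
        info = parse_v3_public_key(build_sample_packet(days))
        print(days, info["expires_at"], is_expired(info, now))
```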