RTBF self-sovereignty via revocations
As suggested in https://www.ietf.org/archive/id/draft-dkg-openpgp-abuse-resistant-keystore-05.html#name-drop-all-other-elements-of- , a direct hard revocation (a key revocation signature, type 0x20, whose Reason for Revocation subpacket is absent or carries code 0x00 or 0x02) SHOULD be interpreted by a keyserver as permission to discard all other packets and signatures on that key aside from the revocation itself (and possibly also the subkey binding signatures, "sbinds"). This would allow for a self-sovereign RTBF (right-to-be-forgotten) mechanism.
This proposal is efficient, but there is another use case where people may want to invoke their right to be forgotten (by deleting the personal data in User ID and User Attribute packets) without the other side effects of a hard revocation (in particular, that signatures previously made by the key are retrospectively invalidated).
A User ID revocation signature (type 0x30) cannot be validated in the absence of the original User ID packet, so it normally cannot be used for RTBF. However, we could make a revocation signature over the primary key alone, i.e. a direct signature carrying Reason for Revocation code 0x20 ("User ID information is no longer valid"), which depends only on the primary key in the same way a hard revocation signature does. In such a scenario we can infer that the User ID invalidation applies to all User IDs, and delete them safely.
Open question: Do we want to still distribute subkeys in such a scenario? It may be desirable for people to be able to look up the primary key by subkey fingerprint (although this may not be strictly necessary, I haven't fully thought this through...)
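As an added illustration (this is not code from the issue, from Hockeypuck, or from any keyserver), the following Python sketch models the two filtering rules above on a simplified packet list. It assumes the User ID RTBF signature is encoded as a direct-key signature (type 0x1F) over the primary key carrying Reason for Revocation 0x20, an encoding the issue leaves open; it performs no cryptographic verification (a real keyserver would only honour revocations that verify under the primary key); and the sample certificate and its labels are constructed for the demo. Both open points, keeping sbinds after a hard revocation and keeping subkeys after a User ID deletion, are exposed as flags.

```python
"""Model of the proposed keyserver RTBF filtering rules (added example, not
keyserver code). Packets are simplified dataclasses; nothing is verified."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Packet tags (RFC 4880, section 4.3)
TAG_SIG, TAG_PRIMARY, TAG_USER_ID, TAG_SUBKEY, TAG_USER_ATTR = 2, 6, 13, 14, 17
# Signature types (RFC 4880, section 5.2.1)
SIG_CERT, SIG_SUBKEY_BIND, SIG_DIRECT, SIG_KEY_REV = 0x13, 0x18, 0x1F, 0x20
# Reason for Revocation codes (RFC 4880, section 5.2.3.23)
REASON_NONE, REASON_COMPROMISED, REASON_RETIRED, REASON_UID_INVALID = 0x00, 0x02, 0x03, 0x20


@dataclass(frozen=True)
class Packet:
    tag: int
    sig_type: Optional[int] = None  # only meaningful when tag == TAG_SIG
    reason: Optional[int] = None    # Reason for Revocation subpacket, if present
    label: str = ""                 # demo-only description of the packet


def is_hard_revocation(p: Packet) -> bool:
    """Key revocation (0x20) with no reason subpacket or a hard reason (0x00/0x02)."""
    return (p.tag == TAG_SIG and p.sig_type == SIG_KEY_REV
            and p.reason in (None, REASON_NONE, REASON_COMPROMISED))


def is_uid_rtbf(p: Packet) -> bool:
    """ASSUMED encoding of the proposal: a direct-key signature (0x1F), computed
    over the primary key alone, carrying reason 0x20 (User ID info no longer valid)."""
    return p.tag == TAG_SIG and p.sig_type == SIG_DIRECT and p.reason == REASON_UID_INVALID


def group_components(packets: List[Packet]) -> List[Tuple[Packet, List[Packet]]]:
    """Split a transferable public key into (component, [signatures]) pairs.
    The primary key comes first; every later key/UID/UAT packet owns the
    signatures that follow it (RFC 4880, section 11.1 layout)."""
    if not packets or packets[0].tag != TAG_PRIMARY:
        raise ValueError("certificate must start with a primary key packet")
    groups: List[Tuple[Packet, List[Packet]]] = []
    for p in packets:
        if p.tag == TAG_SIG:
            groups[-1][1].append(p)
        else:
            groups.append((p, []))
    return groups


def keyserver_filter(packets: List[Packet],
                     keep_sbinds_after_hard_revocation: bool = True,
                     keep_subkeys_after_uid_rtbf: bool = True) -> List[Packet]:
    """Apply the two RTBF rules: hard revocation -> keep only primary + revocation
    (+ subkeys with their binding sigs); UID RTBF sig -> drop all UID/UAT packets
    and their certifications but keep everything else. Otherwise unchanged."""
    groups = group_components(packets)
    primary, primary_sigs = groups[0]
    hard = [s for s in primary_sigs if is_hard_revocation(s)]
    if hard:
        out = [primary] + hard
        if keep_sbinds_after_hard_revocation:
            for comp, sigs in groups[1:]:
                if comp.tag == TAG_SUBKEY:
                    out += [comp] + [s for s in sigs if s.sig_type == SIG_SUBKEY_BIND]
        return out
    if any(is_uid_rtbf(s) for s in primary_sigs):
        out = [primary] + primary_sigs  # other direct sigs stay valid: no UID needed
        for comp, sigs in groups[1:]:
            if comp.tag in (TAG_USER_ID, TAG_USER_ATTR):
                continue            # personal data and the sigs over it are dropped
            if comp.tag == TAG_SUBKEY and keep_subkeys_after_uid_rtbf:
                out += [comp] + sigs
        return out
    return list(packets)


def sample_certificate() -> List[Packet]:
    """Constructed demo certificate (not a real key): primary key, one UID with a
    self-cert and a third-party cert, one photo UAT, one subkey with its binding."""
    return [
        Packet(TAG_PRIMARY, label="primary"),
        Packet(TAG_USER_ID, label="Alice <alice@example.org>"),
        Packet(TAG_SIG, SIG_CERT, label="self-cert on UID"),
        Packet(TAG_SIG, SIG_CERT, label="third-party cert on UID"),
        Packet(TAG_USER_ATTR, label="photo"),
        Packet(TAG_SIG, SIG_CERT, label="self-cert on UAT"),
        Packet(TAG_SUBKEY, label="encryption subkey"),
        Packet(TAG_SIG, SIG_SUBKEY_BIND, label="subkey binding"),
    ]


def with_primary_sig(cert: List[Packet], sig: Packet) -> List[Packet]:
    """Return a copy of cert with a primary-key-attached signature inserted."""
    return [cert[0], sig] + cert[1:]


def labels(packets: List[Packet]) -> List[str]:
    return [p.label for p in packets]


if __name__ == "__main__":
    cert = sample_certificate()
    hard = with_primary_sig(cert, Packet(TAG_SIG, SIG_KEY_REV, REASON_COMPROMISED, "hard revocation"))
    rtbf = with_primary_sig(cert, Packet(TAG_SIG, SIG_DIRECT, REASON_UID_INVALID, "UID RTBF"))
    print("hard revocation ->", labels(keyserver_filter(hard)))
    print("UID RTBF        ->", labels(keyserver_filter(rtbf)))
```

Note that a soft key revocation (reason 0x01 or 0x03) triggers neither rule and the certificate is served unchanged, since it carries no RTBF intent; and that the UID RTBF branch keeps the other primary-key-attached signatures precisely because, unlike certifications, they remain verifiable without any User ID packet.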
See https://github.com/hockeypuck/hockeypuck/wiki/HIP-5:-Reliable-personal-data-deletion-using-self-signatures for related discussion.
(This issue was migrated from draft-openpgp-abuse-resistant-keystore#2 (closed))