lucaapp / security-concept

Archived Security Overview for Luca
https://gitlab.com/lucaapp/security-overview

Deletion of non-relevant Daily Keypairs #10

Open ralfr opened 3 years ago

ralfr commented 3 years ago

You are stating

Private keys of daily keypairs that are older than the epidemiologically relevant time span (specifically, four weeks) can be destroyed. The Luca Server removes all such encrypted private keys for all Health Departments. Furthermore, the Health Department Frontend removes all locally stored copies of such private keys.

How can Luca guarantee the removal / deletion of locally stored daily key pairs at the Health Departments? I assume that Health Departments could in theory store a copy of those keys forever or simply not log into the HD Frontend for any given time, hence preventing deletion.

It is my understanding that Health Departments and governmental organizations can create an archive of all Daily Keypairs ever used and store it outside Luca's system for eternity. Is this correct?

reneme commented 3 years ago

Naturally, the system cannot guarantee that health departments do not compromise the daily keypair private keys which are entrusted to the health department. For that very reason, this keypair is rotated daily.

For new Check-Ins, the smartphone apps use the newest daily keypair and refuse to use keypairs that are expired. Currently these keys must not be older than 7 days, but this grace period may be reduced when more health departments are onboarded.

Check-Ins on the Luca Server are additionally encrypted by the Venue Owner. So any single such private key provides access to Check-Ins of a limited time span that were specifically shared with a Venue Owner's consent for contact tracing.

Additionally, the Luca Server deletes Check-Ins that are older than four weeks.
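The following is an added model of the policy described in the reply above (the newest usable daily key, the 7-day grace period, the venue owner's second layer, and the four-week retention sweep). It is illustration code written for this page, not Luca's own code and not from either participant. Encryption is represented only by the key identifier a check-in was created under and a flag for whether the venue owner released its layer; the timeline, venue name and the assumption that a phone checks in for ten days without refreshing its key list are constructed for the example.

```python
"""Model of the daily-keypair policy from the reply: the app uses the newest daily
key it knows, refuses keys older than MAX_KEY_AGE_DAYS, a holder of ONE daily
private key only reaches check-ins whose venue layer was also released, and the
server sweeps keys and check-ins older than RETENTION_DAYS. Constructed example;
encryption is modelled by key ids, not real ciphertext."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_KEY_AGE_DAYS = 7   # "must not be older than 7 days" (from the reply)
RETENTION_DAYS = 28    # "older than four weeks" (from the quoted concept)


@dataclass(frozen=True)
class DailyKey:
    key_id: int
    created: date


@dataclass(frozen=True)
class CheckIn:
    venue: str
    day: date
    key_id: int            # daily key the app encrypted the inner layer under
    venue_released: bool   # venue owner removed its outer layer for tracing


def select_daily_key(keys, today: date) -> Optional[DailyKey]:
    """Newest key whose age is within the grace period, or None if all expired."""
    usable = [k for k in keys if 0 <= (today - k.created).days <= MAX_KEY_AGE_DAYS]
    return max(usable, key=lambda k: k.created, default=None)


def create_checkin(keys, venue: str, today: date) -> CheckIn:
    key = select_daily_key(keys, today)
    if key is None:
        # The app refuses rather than silently reusing a stale key.
        raise RuntimeError("no daily key within grace period; refusing check-in")
    return CheckIn(venue, today, key.key_id, venue_released=False)


def readable_with_key(checkins, key_id: int):
    """Check-ins a holder of a single daily private key can decrypt: same key id
    AND the venue owner's layer already released for contact tracing."""
    return [c for c in checkins if c.key_id == key_id and c.venue_released]


def retention_sweep(keys, checkins, today: date):
    """Server-side deletion of keys and check-ins older than RETENTION_DAYS."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return ([k for k in keys if k.created >= cutoff],
            [c for c in checkins if c.day >= cutoff])


def run_scenario() -> dict:
    """Phone last refreshed its key list on day 10 (ids 0..10), then checked in
    daily on days 10..20 without refreshing. Constructed timeline."""
    day0 = date(2021, 3, 1)
    keys = [DailyKey(i, day0 + timedelta(days=i)) for i in range(0, 11)]
    checkins, refused = [], []
    for d in range(10, 21):
        today = day0 + timedelta(days=d)
        try:
            checkins.append(create_checkin(keys, "cafe", today))
        except RuntimeError:
            refused.append(d)
    # Venue owner releases its layer only for a traced subset (constructed: days 10-13).
    released = [CheckIn(c.venue, c.day, c.key_id, (c.day - day0).days <= 13)
                for c in checkins]
    keys_left, checkins_left = retention_sweep(keys, released, day0 + timedelta(days=40))
    return {
        "used_key_10": sum(1 for c in checkins if c.key_id == 10),
        "refused_days": refused,
        "readable_without_release": len(readable_with_key(checkins, 10)),
        "readable_with_release": len(readable_with_key(released, 10)),
        "keys_after_sweep": len(keys_left),
        "checkins_after_sweep": len(checkins_left),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the bound the reply argues for: a phone that stops refreshing its keys still encrypts at most eight days of check-ins (days 10 to 17) under key 10 and then refuses, so that one leaked private key covers a window of at most MAX_KEY_AGE_DAYS plus one; even then only the check-ins whose venue layer was released are readable, and the sweep on day 40 has already destroyed the key and the oldest check-ins.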