Crypting mail addresses - funny design problem

In my web project, I am storing mail addresses. These addresses may be used by the system to throw mails to the recipients. It is also important to say that these mail addresses have expiration time.

But the critical point is trustness: for this very service, people must be sure that the mail addresses wil not be given to somebody else (especially to authorities, for example).

To resume:

• the system has to "know" the mail address.
• the webmaster (or somebody else) has to be unable to find the true mail addresses.

By doing this, the webmaster will not be able to give information (even by force :)).

Intermediate solution: I already know how to do this as soon as the information has expired. E.g. The mail address is encrypted with gnupg (GPG / PGP algorithms). The system (or anybody) can decrypt if he/it has the password. But as soon as the mail address ha开发者_Go百科s expired, let's revoke the secret key :arrow: one cannot decrypt the mail address anymore.

But this raises a performance problem (to create the private key)...

Any help would be most appreciated !

What you're asking for is impossible. Even supposing you could devise a system whereby the system can send emails without being able to reveal them to an administrator (and you can't), an attacker could simply start a mail run and capture the outgoing emails and extract the addresses before they're sent.

If you want to 'expire' email addresses, you should simply delete the records, then (if you're paranoid), compact the database and erase the free space on the disk.